How will I block DoS, DDoS, SYN attacks?
Please Help.
Mikrotik 2.8
Can upgrade to 2.9 if necessary.
DoS and DDoS are generic terms that match many forms of DoS and DDoS.
SYN attacks are difficult if not impossible to block. SYN packets use valid types of packets that no software can differentiate.
If the traffic generated by attacks is overpowering your systems then there is nothing you can do. Perhaps you can get a better uplink or more uplinks (better) but it wouldn't necessarily cure the problem, only help.
If the amount of packets overpowers your routers you can try to get better routers.
If the attacks are directed at your hosted services then a synproxy can help. The only SYN proxy I am aware of is the one in OpenBSD’s PF.
Thanks for reply.
We have enough traffic, and enough router pc.
The problem is on the web server.
When someone attacks, web server is down.
I want to block them before web server, on mikrotik.
DoS and DDoS are generic terms that match many forms of DoS and DDoS.
If there are certain types of protection for certain types of DDoS, I will be glad if you can share them with me.
Do you have more information about syn proxy that you mention?
Is it better to buy a firewall like Checkpoint or something like that?
What do you prefer?
Will Checkpoint be able to block these DDoS, DoS, SYN and other attacks?
Need urgent help.
Thanks.
Depends on the attack. If it is a mere SYN attack then a SYN proxy would help. If they do valid transactions (they pull a file off the webserver over and over) then you either have to upscale the servers or use some kind of high performance caching solution.
Most if not all forms of Distributed Denial of Service are practically impossible to protect against. These forms of DoS would overpower firewalls, routers and bandwidth. So unless you have unlimited resources then this isn't really correctable. What you can do to try to lessen the power of such attacks is to make sure the network isn't used against you. I.e. the attacks trigger loops or the routers perform advanced firewalling jobs.
Not more than that it is a part of OpenBSD’s PF and that I know of no other product that offers the same. PF is awesome. It puts most firewall solutions to shame.
Unless they offer hardware accelerated firewalling I would prefer open source ones. Specifically PF for advanced jobs.
Only according to advertisement. According to advertisement a $100 d-link can protect against this too!
Sure they have some cool features but most of these firewalls are severely underpowered or overly complex (imho). If you go for such a solution be sure you fully understand the implications and the requirements for the advanced features. Often it takes a little bit more than just flipping a switch on the more advanced features. Often it requires great thought as to the firewall/ruleset design and the network around it, to take advantage of the cool features.
I still prefer PF for its speed in stateful filtering and the flexibility it often gives to be able to run packet dumping and such on the firewall (Net/Free/OpenBSD) itself when debugging. PF has a steep learning curve though!
Surf around a little though, there could be advances in firewalls that I haven’t seen.
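The SYN proxy in OpenBSD's PF mentioned in the replies above, shown as an added example that is not part of the original thread: a pf.conf fragment that completes the TCP handshake on the firewall before any packet reaches the web server, and rate-limits sources that open connections over and over. The interface name, the server address, the table name and all numeric limits are assumptions to adapt.

```conf
# pf.conf fragment (added example, not from the thread).
# Assumed values: em0 = external interface, 192.0.2.10 = web server.
ext_if     = "em0"
web_server = "192.0.2.10"

# Sources that exceed the limits below are collected here.
table <abusers> persist

# Default deny on the external interface.
block in on $ext_if

# Drop offenders early; "quick" stops rule evaluation at this line.
block in quick on $ext_if from <abusers>

# synproxy state: PF answers the SYN itself and only opens the
# connection to the web server after the client has completed the
# three-way handshake, so spoofed SYNs never consume server resources.
#
# max-src-conn / max-src-conn-rate only count connections that have
# completed the handshake, so they address the other case from the
# thread: clients making valid requests over and over.
#   max-src-conn 100       -> at most 100 concurrent connections per source
#   max-src-conn-rate 15/5 -> at most 15 new connections per 5 seconds
#   overload ... flush global -> add the source to <abusers> and kill
#                                all of its existing states
pass in on $ext_if proto tcp to $web_server port { 80 443 } \
    synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <abusers> flush global)

# Note: synproxy rules do not work when PF runs on a bridge(4).
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and inspect the offender table with `pfctl -t abusers -T show`.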