DoS attack or DDos attack Routeros How to do ?

gx120 · October 29, 2007, 3:24pm

1.cpu 100%
2.network down!ping routeros timeout
3.routeros 2.9.48 L6

I am routeros oem gx120.

thank you.

maximan · October 29, 2007, 3:40pm

Check this links, they could help you

http://wiki.mikrotik.com/wiki/Securing_your_router
http://wiki.mikrotik.com/wiki/Drop_port_scanners

Max

Dragonmen · October 31, 2007, 10:46am

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment=“SYN Flood protect” disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment=“” disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment=“” disabled=no

“syn limit=400” is a threshold, just enable rule in forward for syn packets to get dropped (for excessive amount of new connection)

mrz · October 31, 2007, 10:49am

Also enable syn cookies:
/ip firewall connection tracking set tcp-syncookie=yes

changeip · October 31, 2007, 4:42pm

also, limit your logging. logging will cause the router to fail faster than traffic will.

cavital · November 4, 2007, 6:06am

how about udp or dns flood?

Dragonmen · November 14, 2007, 10:35am

[quote=“cavital”][quote=“Dragonmen”]/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment=“SYN Flood protect” disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment=“” disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment=“” disabled=no

“syn limit=400” is a threshold, just enable rule in forward for syn packets to get dropped (for excessive amount of new connection)[/quote]

how about udp or dns flood?[/quote]

Change “protocol=tcp” to “protocol=udp” and set threshold to what the udp packet rate you have maximum in the peak times +20% higher (to be sure)

Edit: Why my quoting isn’t working?

yancho · November 14, 2007, 11:54am

Check your board settings: http://forum.mikrotik.com/ucp.php?i=prefs&mode=post “BBCode” should be enabled, or just uncheck “disable bbcode” before submiting.

Abdock · November 5, 2009, 3:46pm

this must be a long time back discussion.

I have standard firewall rules blocking virus, and knows udp and tcp ports along with the icmp.

if i add the above syn flood chain, where shuld i place it ?

/ip firewall filter
add chain=forward connection-state=established comment=“allow established connections”
add chain=forward connection-state=related comment=“allow related connections”
add chain=forward connection-state=invalid action=drop comment=“drop invalid connections”
add chain=virus protocol=tcp dst-port=135-139 action=drop comment=“Drop Blaster Worm”
add chain=virus protocol=udp dst-port=135-139 action=drop comment=“Drop Messenger Worm”
add chain=virus protocol=tcp dst-port=445 action=drop comment=“Drop Blaster Worm”
add chain=virus protocol=udp dst-port=445 action=drop comment=“Drop Blaster Worm”
add chain=virus protocol=tcp dst-port=593 action=drop comment=“"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="”
add chain=virus protocol=tcp dst-port=1080 action=drop comment=“Drop MyDoom”
add chain=virus protocol=tcp dst-port=1214 action=drop comment=“________”
add chain=virus protocol=tcp dst-port=1363 action=drop comment=“ndm requester”
add chain=virus protocol=tcp dst-port=1364 action=drop comment=“ndm server”
add chain=virus protocol=tcp dst-port=1368 action=drop comment=“screen cast”
add chain=virus protocol=tcp dst-port=1373 action=drop comment=“hromgrafx”
add chain=virus protocol=tcp dst-port=1377 action=drop comment=“cichlid”
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment=“Worm”
add chain=virus protocol=tcp dst-port=2745 action=drop comment=“Bagle Virus”
add chain=virus protocol=tcp dst-port=2283 action=drop comment=“Drop Dumaru.Y”
add chain=virus protocol=tcp dst-port=2535 action=drop comment=“Drop Beagle”
add chain=virus protocol=tcp dst-port=2745 action=drop comment=“Drop Beagle.C-K”
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment=“Drop MyDoom”
add chain=virus protocol=tcp dst-port=3410 action=drop comment=“Drop Backdoor OptixPro”
add chain=virus protocol=tcp dst-port=4444 action=drop comment=“Worm”
add chain=virus protocol=udp dst-port=4444 action=drop comment=“Worm”
add chain=virus protocol=tcp dst-port=5554 action=drop comment=“Drop Sasser”
add chain=virus protocol=tcp dst-port=8866 action=drop comment=“Drop Beagle.B”
add chain=virus protocol=tcp dst-port=9898 action=drop comment=“Drop Dabber.A-B”
add chain=virus protocol=tcp dst-port=10000 action=drop comment=“Drop Dumaru.Y”
add chain=virus protocol=tcp dst-port=10080 action=drop comment=“Drop MyDoom.B”
add chain=virus protocol=tcp dst-port=12345 action=drop comment=“Drop NetBus”
add chain=virus protocol=tcp dst-port=17300 action=drop comment=“Drop Kuang2”
add chaadd chain=forward action=jump jump-target=virus comment=“jump to the virus chain”

in=virus protocol=tcp dst-port=27374 action=drop comment=“Drop SubSeven”
add chain=virus protocol=tcp dst-port=65506 action=drop comment=“Drop PhatBot, Agobot, Gaobot”

fewi · November 5, 2009, 4:14pm

I think it would make the most sense to add it at the end, since it is a general rule (it matches all new connections) and you have very specific drop rules already.

More importantly, if you use the rule unchanged it accepts traffic for up to 400 connections in 4 seconds. That would include the malicious traffic you’re trying to drop later, so if this rule were to be at the top you’d never get to the rules that you already have. You can change that behavior by changing the action from accept to return, I believe.

Basically you have to decide whether you want the malicious traffic you’re already dropping to count against the SYN threshold or not.

[edited to make sense]

Abdock · November 5, 2009, 4:49pm

Thanks a lot for the reply. It cleared the confusion i had.

i am trying to search firewall examples, if anybody knows a good one, which drops known bad port, known internal IP, and protects little agains dos attack, would be much appreciated, am trying to make one, if i am i will post it up.

fewi · November 5, 2009, 4:57pm

Have you looked through the wiki yet?

http://wiki.mikrotik.com/wiki/Firewall

Abdock · November 5, 2009, 5:07pm

yes, have looked there, there are more of a router firewall, i am kind of looking for a bridge firewall setup.

fewi · November 5, 2009, 5:09pm

You can turn on the IP firewall for bridges.

Abdock · November 5, 2009, 5:13pm

i have a system working, with few rules as above but am looking for other rules to add such as these Dos attack, limit udp floods, also blocking other things which are used for attack or virus. so was looking for some complete examples.

thanks.

Ehman · August 17, 2013, 5:18pm

Does not work at all! I’m flooding my router with tcp packets using a ddos tool and that rules doesn’t even show 1 packet passed thru the firewall rule… I’m I missing something?

Ehman · August 17, 2013, 5:20pm

That command give me:
expected end of command (line 1 column 38)

xwf · November 5, 2013, 7:55am

right, i have a problem someone is generating traffic on my network, its src address is 255.255.255.255 and dst is 0.0.0.0

i have attached an image for you guys to see it further, have a look , because it took my whole network down in seconds.

Anyone with any suggestion or solution ?