Hello,
I have been developing an advanced firewall for an ISP in order to mitigate DoS and DDoS attacks as much as possible. The problem started when I was testing the dst-limit property with the src-and-dst-addresses value in the firewall filter.
Example: to simulate the attack and the firewall rule behavior, I use Kali to generate the attacks and some firewall rules with action=passthrough just to check the amount of data being processed by the dst-limit rule.
Here are the firewall filter rules:
/ip firewall filter
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test dst-limit=10,10,src-and-dst-addresses/10s in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=accept chain=forward comment=test in-interface=ether1-wan log-prefix=""
As you can see, the first 4 rules have action=passthrough, and rules 0, 1 and 3 are identical. That means those three rules must match all the incoming packets.
The issue is that they are NOT matching all packets when:
- dst-limit uses the src-and-dst-addresses value
- The number of packets per second is high (more than 30,000 packets per second)
- Multiple source addresses are attacking one host

Kali command: hping3 -p 81 -2 190.107.176.253 -w 64 -i u10 --rand-source
On the other hand, **if you do the same attack from only one source, this behavior does not occur.**
Kali command: hping3 -p 81 -2 190.107.176.253 -w 64 -i u10 -a 3.3.3.3
Here is a video with the demonstration: https://dl.dropboxusercontent.com/u/3817372/share-public_v2/dst-limit_error.zip
I tested with CHR and x86 with 6.35.4 and 6.36rc40.
Here is the supout.rif: https://dl.dropboxusercontent.com/u/3817372/share-public_v2/supout.rif
Best regards.
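To make the difference between the two test cases above concrete, here is an added model of the token-bucket semantics assumed for dst-limit=10,10,src-and-dst-addresses/10s (one bucket per (src,dst) pair, seeded with burst, refilled at count/time, forgotten after expire). This is example code written for this thread, not RouterOS code or the poster's configuration; the destination 192.0.2.1 and the 10.x.x.x source list are constructed test values.

```python
from collections import OrderedDict


class DstLimit:
    """Per-(src, dst) token bucket: my model of dst-limit=count,burst,mode/expire
    with mode=src-and-dst-addresses (assumed semantics, not RouterOS code)."""

    def __init__(self, count, burst, interval=1.0, expire=10.0):
        self.rate = count / interval      # tokens refilled per second
        self.burst = burst                # initial credit and bucket cap
        self.expire = expire              # idle seconds before an entry is dropped
        self.table = OrderedDict()        # (src, dst) -> (tokens, last_seen), oldest first

    def _expire_idle(self, now):
        # Entries are kept in last-seen order, so only the front can be stale.
        while self.table:
            _, (_, last) = next(iter(self.table.items()))
            if now - last <= self.expire:
                break
            self.table.popitem(last=False)

    def match(self, src, dst, now):
        """True when the packet is within the pair's limit, i.e. the rule matches."""
        self._expire_idle(now)
        key = (src, dst)
        tokens, last = self.table.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        matched = tokens >= 1
        self.table[key] = (tokens - 1 if matched else tokens, now)
        self.table.move_to_end(key)
        return matched


def run_flood(matcher, sources, pps, seconds, dst="192.0.2.1"):
    """Feed pps packets/s for `seconds`, cycling through `sources` (constructed traffic).
    Returns (matched packets, total packets, tracking entries left in the table)."""
    total = int(pps * seconds)
    matched = sum(matcher.match(sources[i % len(sources)], dst, i / pps)
                  for i in range(total))
    return matched, total, len(matcher.table)


# Constructed source list: one distinct address per packet in a one-second burst.
SPOOFED_SOURCES = [f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}" for i in range(30000)]

if __name__ == "__main__":
    # One source (like -a 3.3.3.3): a single bucket, only burst + count*seconds packets match.
    print("single source :", run_flood(DstLimit(10, 10), ["3.3.3.3"], pps=30000, seconds=1))
    # Fresh source per packet (like --rand-source): every packet opens a new bucket and matches,
    # so the matcher must hold one tracking entry per source address for the whole expire window.
    print("random sources:", run_flood(DstLimit(10, 10), SPOOFED_SOURCES, pps=30000, seconds=1))
```

The two printed tuples show the scaling difference a defender cares about: with one source the rule matches only 19 of 30,000 packets and tracks one entry, while with a new source per packet all 30,000 match and 30,000 entries are live at once.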