I have limited bandwidth capacity, as everybody does for that matter.
If I get flooded really badly, I get congestion on my link.
I want to set up a filter which can do the following: if enough traffic is going towards the SAME IP, no matter what the source is or whether multiple sources are involved, I want to add it to an address list. But the filter has to be network-wide, something like this:
for every address in MY_ROUTED_IPS check INCOMING_SPEED_PER_DESTINATION; if INCOMING_SPEED > MY_ACCEPTABLE_DOWNLOAD_RATE_PER_SAME_DESTINATION then ADD_THAT_DESTINATION to NEW_IP_ADDRESS_LIST
This is the algorithm that I want to implement. And then I periodically check the NEW_IP_ADDRESS_LIST and implement certain actions on the IPs that are in that address list.
This is basically a congestion filter.
For example, I have a bandwidth allocation of 10 Mbps upload and 10 Mbps download for a certain IP. If that IP gets 20 Mbps download then it is being flooded, because it cannot exceed the 10 Mbps download limit due to the shaping policy. I need to be able to determine that a certain IP is being flooded (determined by incoming speed on a certain bridge) and to null route it in case it goes over an acceptable incoming bandwidth speed limit.
Also, you can use the “connection-byte” option and prioritize the beginning of each connection - this way ensuring small connections will always get through without problem.
This is already implemented for SYN and it works ok.
The problem is when the traffic is not connection oriented like UDP flood traffic.
In this case we need an indicator that there is a problem. The best one is incoming speed, as it breaks shaping, and I need to collect it interface-based and not packet-mark-based.
I have thought of marking all incoming traffic with a packet mark, but how do I tell MikroTik “take this action for this destination only if incoming speed is 30 Mbps towards this destination” without taking into account any protocols whatsoever? That is the only problem I face; the rest is scripting and scheduling and the algorithm, which I can implement. How can RouterOS determine the speed of incoming traffic towards a destination without it being connection oriented?
PS: I believe that this is a very important aspect regarding filtering on RouterOS, as it would allow filtering based on the rate at which traffic is coming without passing through the queue tree (which actually happens: the flood traffic does not reach the queue tree as the marks do not get set because it is not connection oriented, just incoming bandwidth).
Please post any ideas, I am open to any idea and I will post working code if I manage to get this done, maybe it will help somebody else too.
EDIT: Is there a rate matcher, not a connection rate matcher as there is no connection involved?
You can only tarpit a TCP connection. There is no connection involved. It’s just like me sending a lot of traffic to you to IP_ADDR on port whatever (6733, let’s say). The port is closed, but you still get congested from the huge amount of traffic and there is no connection which you can refer to…
You need a clean pipe at your upstream provider, and you need to have a blackhole mechanism. If you have it, you can clean it, but you need a valid rate limit PER DESTINATION.
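One way to get a per-destination incoming rate that does not depend on connection tracking, as an added example that is not from the thread above and not MikroTik's own recommendation: a firewall rule with action=passthrough counts every packet that matches its dst-address, TCP or UDP, with or without a connection, and its byte counter can be read and reset from a script. A scheduler reads the counters every few seconds, turns the delta into bits per second, and adds any destination over the limit to an address list that a raw rule drops (or that a second script null-routes). The names "ratemon-", "flooded", the 10 s interval, the 30 Mbps limit, and the address 192.0.2.10 are assumptions chosen for the example; one mangle rule is needed per monitored destination.

```routeros
# --- one-time setup (CLI) ---
# Counting rule per monitored destination; passthrough takes no action, it only counts.
# Assumption: one rule per IP, tagged with a comment of the form "ratemon-<ip>".
/ip firewall mangle
add chain=forward dst-address=192.0.2.10 action=passthrough comment="ratemon-192.0.2.10"

# Drop anything whose destination is already flagged, before conntrack sees it.
/ip firewall raw
add chain=prerouting dst-address-list=flooded action=drop

# Run the check script every 10 seconds (the interval must match $interval below).
/system scheduler
add name=ratemon interval=10s on-event=ratemon-check

# --- script body: paste into /system script add name=ratemon-check ---
:local interval 10
# 30 Mbps expressed in bits per second (assumed threshold, adjust per customer).
:local limitbps 30000000

:foreach r in=[/ip firewall mangle find where comment~"^ratemon-"] do={
    :local cmt [/ip firewall mangle get $r comment]
    # Strip the 8-character "ratemon-" prefix to recover the destination IP.
    :local dst [:pick $cmt 8 [:len $cmt]]
    # Bytes matched since the last reset, regardless of protocol or connection state.
    :local bytes [/ip firewall mangle get $r bytes]
    :local bps (($bytes * 8) / $interval)
    /ip firewall mangle reset-counters $r

    :if ($bps > $limitbps) do={
        # Adding an address that is already listed raises an error; swallow it
        # so one flooded destination does not abort the rest of the loop.
        :do {
            /ip firewall address-list add list=flooded address=$dst timeout=10m
            :log warning ("ratemon: $dst at $bps bps, added to flooded list")
        } on-error={}
    }
}
```

Two caveats a practitioner should keep in mind: fasttracked connections bypass mangle, so the counting rule only sees the full flood if fasttrack is disabled for the monitored destinations or placed after this rule; and chain=forward assumes the traffic is routed through the box (bridged traffic needs use-ip-firewall enabled on the bridge). The timeout on the address-list entry is what gives the filter its "periodically re-check" behaviour without a second script.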