Firewall: Limit PPS on per IP basis

Hello Folks.

I would like to limit the packets per second from a source IP to a destination IP.
I know that this has already been approached, but the solutions given are old and don’t work very well.

So, I would like to add a source IP to an address list if that IP passes the limit of 100K PPS to a destination IP.
I have checked this thread (http://forum.mikrotik.com/t/firewall-pps-limit/96532/1), but it dates from 2016. I guess there have been some improvements since then to limit this, no?

Regards

You can use Dst-limit matcher.
But as it performs the desired action when under the limit and then applies passthrough, and that behaviour is not reversible (like with the Limit matcher), you will need a custom chain for it.

You can also use a queue tree and the appropriate packet marking rules in mangle.
This provides a smoother approach (the packets exceeding limit are not immediately dropped, but they are first kept in a queue and delayed).

Can you please provide an example?
I am using custom chains :wink:
This is what I have at the moment:

/ip firewall filter
add action=jump chain=forward comment="=> Block Specific UDP" dst-address-list=OwnIPs in-interface=ETH1 jump-target=UDPConnections \
limit=5k,20k:packet protocol=udp src-address-list=!secured
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections protocol=udp src-port=123,11211,3702,389
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections dst-port=1900,80 protocol=udp
add action=return chain=UDPConnections dst-limit=5000,20000,dst-address/1m40s
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections

Yes, that’s exactly what I was talking about.
But I don’t think you need limit matcher on the first jump rule.
The logic is like that:

  1. all packets not in your “secured” list enter the chain.
  2. some of them are filtered by port numbers and added to the “infractor” list.
  3. all others under the dst-limit are returned to normal processing.
  4. everything over the dst-limit is added to “infractor” list.

Yes, I know. But that will split the total of the packets.
I mean… If IP x.x.x.x sends 5000 packets to IP y.y.y.y, 5000 packets to IP z.z.z.z, 5000 packets to a.a.a.a, and another 5001 packets to IP b.b.b.b, he will match the rule (wrongly).

You can change “Dst limit” “Limit by” to src-address.
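Putting the thread's pieces together, here is an added example of the custom chain with the dst-limit flow keyed on src-address so that one source's packets to many destinations are counted against a single bucket. This is not configuration from the thread or from MikroTik; the interface name ETH1 and the OwnIPs, secured and Infractor lists are taken from the posted rules, while the 100000 pps budget (the 100K PPS the opening post asks for), the 15m timeout and the leading drop rule for already-flagged sources are assumptions.

```routeros
/ip firewall filter
# Assumed: drop traffic from sources already flagged (this rule is not shown in the thread)
add action=drop chain=forward comment="Drop flagged sources" src-address-list=Infractor
# Unsecured UDP toward our own prefixes enters the custom chain; no limit= matcher on the jump itself
add action=jump chain=forward comment="=> Block Specific UDP" dst-address-list=OwnIPs in-interface=ETH1 \
    jump-target=UDPConnections protocol=udp src-address-list=!secured
# Well-known amplification source ports and abused destination ports are flagged immediately
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections \
    protocol=udp src-port=123,11211,3702,389
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections \
    dst-port=1900,80 protocol=udp
# One bucket per source address: 100000 pps sustained, 100000 burst, bucket expires after 1m40s idle.
# While the source is under budget the packet returns to normal forward processing.
add action=return chain=UDPConnections dst-limit=100000,100000,src-address/1m40s
# Anything that reaches this point exceeded its per-source budget, regardless of how many destinations it used
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections
```

With mode src-address the four 5000-packet streams from the earlier post are summed into one counter for x.x.x.x, which is what distinguishes this from the dst-address mode in the original rule, where each destination gets its own bucket.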