Handling DDoS or many flows?

Hi. I'm using an RB3011UiAS router as the core router in my home network. Behind it I'm using a switch connected to my servers.

Several days ago DDoS attacks started on my servers, mostly on port 80.

During the DDoS (mostly TCP SYN flood) my core router RB3011UiAS is not reachable from either the internal network or the external network. There is also 100% CPU usage.

Is there any way to solve this problem using a DDoS filter in the firewall? Currently I'm using this protection: https://help.mikrotik.com/docs/display/ROS/DDoS+Protection, and it's not working.

Here are some graphs during the DDoS: about 100k flows per minute, and CPU utilisation.

Maybe there is some way to fix this?

If your ISP is not handling DDoS, I'm not sure if your router is able to.

You could try to activate a blacklist filter like, for example, http://forum.mikrotik.com/t/blacklist-filter-development-topic/121264/1. I'm using a similar solution for some customers and it works very well.

Just curious, do you know of many ISPs that perform active DDoS prevention, and how they do it? (blacklists?) Ours doesn't do it anyway.

It's about 30-50 Mbps of incoming traffic. I'm not sure the ISP should handle such a low flow and pps.

OMG, there are tons of comments.
Can you send a GitHub page or some guide on how to enable it?

I'll have a look if I can find a reasonably brief description without too much buzz.

It's not very complicated. Basically it's a scheduled script that downloads and inserts a bunch of consolidated address lists (i.e. from firehol.org and the like). Lists with frequent changes are advisably downloaded by the hour.

For each address list there is a drop rule like:

/ip firewall raw
add action=drop chain=prerouting comment=DROP.PortScanners  log=yes log-prefix=DROPPED.PortScanners src-address-list=PortScanners
add action=drop chain=prerouting comment=DROP.Firehol.L1    log=yes log-prefix=DROPPED.Firehol.L1   src-address-list=Firehol.L1
add action=drop chain=prerouting comment=DROP.SBL.malc0de   log=yes log-prefix=DROPPED.SBL.malc0de  src-address-list=SBL.malc0de
.  .  .
.  .  .

Since downloading and installing the address lists makes a lot of changes on the filesystem, you have to make sure that the built-in flash memory does not wear out prematurely, depending on the design used in your particular device. If that's a problem and there is a USB interface available, you can use an external USB drive for storing intermediate address lists before loading.

There are quite a few solutions on GitHub with MikroTik blacklists:

Here is a fairly simple one to get a feel for how it works:

The rest are using more or less the same basic functionality but with different options for how to download and manage the lists, etc. Now, it's your job to read and decide which one to use! :wink:

Much better off using this IMHO...
All the work is done for you, and it's designed for MT routers.
https://itexpertoncall.com/index.html

@katsil, if you do not have the time or energy to create your own blacklist management, I recommend buying the MOAB solution (https://itexpertoncall.com/promotional/moab.html), which is ready for use immediately.

The problem is that, e.g., this IP 78.179.247.233 (from my DDoS flow in ElastiFlow) is not listed in any blacklists.

And there are TONS of IPs attacking me which are not in blacklists. So the thing is: is there any way to filter/accept IPs and block them if there are too many flows from them (e.g. >5 requests/sec)?

Because now the CPU in my MikroTik is too high during the DDoS.

As long as you are dealing with the overload of the router's CPU, and not with exhaustion of the bandwidth of the uplink, you can use the dst-limit match condition (the name is a bit misleading; it can actually track rates per source address) to add trespassing source addresses to a blacklist, and drop packets coming from the addresses on this blacklist using an action=drop rule in /ip firewall raw. Doing so will relieve the CPU from handling those packets in subsequent layers of the firewall, most importantly in the connection tracking module.
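To make the per-source dst-limit approach concrete, here is an added example (not from this thread and not MikroTik's documented DDoS ruleset): new SYNs to the servers are rate-checked per source IP, offenders land in an address list, and a raw rule drops them before connection tracking sees them. The chain name, list name, port 80 and the 5/s, burst 20, 10 s and 10 m values are placeholders to adapt to your traffic.

```routeros
# Added example: per-source SYN rate limiting, not the thread's or MikroTik's own ruleset.
# Assumptions (placeholders to tune): the servers are reached through the forward chain
# on TCP/80; a source may open 5 new connections/s with a burst of 20; an offender stays
# listed for 10 minutes; a source's dst-limit bucket expires after 10 s of silence.

/ip firewall raw
# Cheapest path: drop already-listed sources in prerouting, before conntrack and filter.
add chain=prerouting src-address-list=syn-flooders action=drop \
    comment="drop listed SYN flooders before conntrack" place-before=0

/ip firewall filter
# Hand only new TCP connection attempts to port 80 to the detection chain.
add chain=forward protocol=tcp dst-port=80 tcp-flags=syn,!ack connection-state=new \
    action=jump jump-target=detect-syn-flood comment="rate-check new SYNs per source"

# dst-limit in src-address mode keeps one token bucket per source IP.
# While the source is within 5/s (burst 20) this rule matches and returns to forward.
add chain=detect-syn-flood dst-limit=5/1s,20,src-address/10s action=return \
    comment="source within limit"

# Reaching this point means the source exceeded its bucket: list it (non-terminating
# action, so the next rule still runs), then drop the packet that tripped the limit.
add chain=detect-syn-flood action=add-src-to-address-list address-list=syn-flooders \
    address-list-timeout=10m log=yes log-prefix="SYN-FLOOD " \
    comment="list offending source for 10 minutes"
add chain=detect-syn-flood action=drop comment="drop the packet that tripped the limit"
```

Put an accept rule for your own management and monitoring addresses above the raw drop so a misconfigured threshold cannot lock you out, and watch /ip firewall address-list while tuning the 5/s and burst values against your real traffic.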

78.179.247.233 is blacklisted at the usual places like Barracuda, SORBS, Spamhaus, etc. If you combine the correct lists to get relevant updates you catch most of them, but as @sindy said, dst-limit is a good tool to catch the rest in your own blacklist. For an extensive DNSBL check, see http://multirbl.valli.org/

As Larsa stated, the service provided works.
I recommend trying it for a week to see if it cleans up your issues, and not because I don't want to hear your complaints for another week :wink:
Without a doubt I would be using it if I didn't already use a different service (more expensive, but written off as a business expense).