Help blocking DDoS attacks with Mikrotik firewall

Hi!

Can anyone help me? I have been experiencing some DDoS attacks on my Mikrotik CCR CCR1036-12G-4S.

Here is a tcpdump log of the attack:


19:30:25.800854 IP 153.167.161.226.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.800878 IP 79.165.237.221.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.800894 IP 143.205.100.252.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.800906 IP 119.172.171.103.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.800920 IP 42.35.225.43.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801054 IP 60.233.45.110.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801071 IP 194.248.31.103.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801090 IP 208.30.209.200.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801104 IP 55.31.84.22.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801119 IP 215.110.19.254.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801141 IP 218.102.98.37.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801156 IP 37.185.205.18.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801169 IP 191.208.201.163.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801192 IP 89.148.252.51.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801207 IP 23.176.72.55.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801219 IP 44.147.217.169.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801232 IP 18.99.128.17.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801247 IP 112.127.51.157.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801261 IP 92.227.209.240.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801277 IP 65.64.55.140.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801292 IP 46.66.30.64.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801310 IP 53.166.222.44.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801323 IP 157.214.140.62.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801335 IP 95.161.114.11.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801349 IP 211.239.14.139.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801364 IP 54.114.3.228.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801377 IP 64.115.45.6.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801390 IP 20.121.43.208.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801404 IP 139.212.67.58.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801418 IP 27.112.63.229.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801433 IP 54.153.120.217.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.808519 IP 173.95.135.175.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0

My IP is 1.1.1.1 (changed for security reasons). There are 40000 lines like the ones above in 10 seconds.

With this attack the hackers raised the router CPU to 100%, bringing down everything.

If you look at the log, you will notice every source IP is different, but the source port is the same (1234), so I solved the problem by creating a firewall rule in the router, dropping every connection from port 1234 to port 80. That solved the problem: the router can block the attack without the CPU rising to 100%.

But the attackers can easily change that 1234 port and I will have problems again, so, is there any way to identify this kind of attack and block it without using a port-based rule?

Any help would be appreciated, best regards.
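The question above asks how to spot this flood without keying on the source port. As an added example (not part of the original thread or of RouterOS), here is a small Python parser for tcpdump's one-line TCP format that classifies SYNs by port-independent signals: many distinct sources whose SYNs all carry the same seq/win/length tuple (seq 0, win 5840, length 0 in the capture) is a packet-generator fingerprint, because real clients pick random initial sequence numbers and varied windows. The sample log, the thresholds and the function names are my own constructions.

```python
import re
from collections import Counter

# Constructed sample in the format of the tcpdump excerpt above: six flood SYNs
# (distinct sources, identical seq/win/length) plus two ordinary client SYNs.
SAMPLE_LOG = """\
19:30:25.800854 IP 153.167.161.226.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.800878 IP 79.165.237.221.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.800894 IP 143.205.100.252.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.800906 IP 119.172.171.103.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.800920 IP 42.35.225.43.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.801054 IP 60.233.45.110.1234 > 1.1.1.1.80: Flags [S], seq 0, win 5840, length 0
19:30:25.802001 IP 198.51.100.7.51322 > 1.1.1.1.80: Flags [S], seq 2837461823, win 64240, length 0
19:30:25.803117 IP 203.0.113.9.40011 > 1.1.1.1.80: Flags [S], seq 911228310, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?(?:, ack \d+)?, win (?P<win>\d+), length (?P<length>\d+)"
)

def parse_tcpdump(text):
    """One dict per line in tcpdump's one-line TCP format; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def syn_flood_report(packets, dport="80", min_syns=5, min_fingerprint_share=0.5):
    """Classify SYNs to dport using port-independent signals: many distinct
    sources whose SYNs share one seq/win/length tuple is a packet-generator
    fingerprint, since real clients pick random ISNs and varied windows."""
    syns = [p for p in packets if p["dport"] == dport and p["flags"] == "S"]
    if len(syns) < min_syns:
        return {"syns": len(syns), "flood": False}
    sources = Counter(p["src"] for p in syns)
    fingerprints = Counter((p["seq"], p["win"], p["length"]) for p in syns)
    (seq, win, length), fp_count = fingerprints.most_common(1)[0]
    fp_share = fp_count / len(syns)
    sport_share = Counter(p["sport"] for p in syns).most_common(1)[0][1] / len(syns)
    return {
        "syns": len(syns),
        "distinct_sources": len(sources),
        "top_fingerprint": {"seq": seq, "win": win, "length": length},
        "fingerprint_share": round(fp_share, 2),
        "top_sport_share": round(sport_share, 2),  # informational only; the attacker can change it
        "flood": fp_share >= min_fingerprint_share and len(sources) >= 0.5 * len(syns),
    }

if __name__ == "__main__":
    print(syn_flood_report(parse_tcpdump(SAMPLE_LOG)))
```

Feed it a longer capture from the router (thousands of lines) and the fingerprint share stays near 1.0 during the flood and drops back once only real clients remain, which is what a rate-limit or syn-cookie threshold should be tuned against.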

Hi Javii

I would block all traffic to port 80 of your CCR.
If you need port 80 for local administration, you could open it just for your own subnet.

Btw, it's always a good idea to filter every IP which doesn't need to access the router.

  • Mat

I provide web services so blocking port 80 is not a solution :(

Port 80 is redirected to an Apache Server.

Thank you anyway

Did you enable the “TCP syn cookie” option in “ip firewall connections tracking” menu?

Hi normis, I have just done that; do you think it will be enough?

Thanks!