Good day,
I have 3 subnets of public addresses I want to disable tracking for.
All the other connections need to be tracked because of NAT.
Last night one of the clients got hit by a DDoS, low bandwidth, high pps, filling up the connection tracking table and pegging the CCR1072 at 100% usage.
I created a raw rule to drop all packets targeted at the specific IP being attacked.
After applying the rule the attack spiked to 6 Gbps, but CPU usage went to about 30%.
I have previously created 2 no-track rules for those subnets on the prerouting chain, one on the src address and the other one on the dst address, but it seems that those routed connections are still being tracked for some reason.
Any light on the subject would be appreciated.
Also I have contacted the upstream provider about blackholing future attacks, but they don't support it at the moment, so the only way is to soak up the attack with our 10 Gbps uplink without killing the CPU of the CCR.
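For reference, the setup described in the post written out as a RouterOS config. This is an added example, not the poster's own configuration: the three subnets (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and the attacked host (203.0.113.10) are RFC 5737 documentation placeholders, and the list name `no-ct` is made up. The points it is meant to show: notrack only works in the `/ip firewall raw` table (the raw prerouting chain runs before connection tracking; a notrack action in `/ip firewall filter` or `mangle` is too late), both the src-address and dst-address rules are needed so the reply direction does not create an entry, and once packets are untracked they no longer match `connection-state=established,related`, so the filter chain has to accept `connection-state=untracked` explicitly or those packets fall through to whatever drops non-established traffic.

```routeros
# Added example, not the original poster's config.
# 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 stand in for the three public
# subnets; 203.0.113.10 stands in for the attacked host (all RFC 5737 placeholders).

# Keep the three subnets in one address list so the raw rules stay short.
/ip firewall address-list
add list=no-ct address=203.0.113.0/24
add list=no-ct address=198.51.100.0/24
add list=no-ct address=192.0.2.0/24

# Raw table, prerouting chain: evaluated before connection tracking, so a drop
# here costs no conntrack entry and a notrack here keeps the flow out of the table.
# Rules run in order; the attack sink goes first so flood packets are discarded
# before anything else looks at them.
/ip firewall raw
add chain=prerouting dst-address=203.0.113.10 action=drop comment="attack sink"
add chain=prerouting src-address-list=no-ct action=notrack comment="no conntrack, outbound"
add chain=prerouting dst-address-list=no-ct action=notrack comment="no conntrack, inbound"

# Filter table: untracked packets do not match established/related, so accept
# them before any rule that drops non-established or invalid traffic (move this
# rule to the top of the forward chain if such rules already exist).
/ip firewall filter
add chain=forward connection-state=untracked action=accept comment="routed, untracked subnets"

# Check: after the rules are in place, nothing for those subnets should appear
# in the tracking table during normal traffic.
/ip firewall connection print where dst-address~"203.0.113."
/ip firewall connection print where src-address~"203.0.113."
```

The two `connection print` lines are the check a practitioner wants: if entries for the untracked subnets still show up, the notrack rules are either not in the raw table or are being ordered after a rule that already accepted the packet, and the rule counters in `/ip firewall raw print stats` will show which rule is actually matching.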