How can I put a source IP connection limit?

Hi,

I have a problem with a SYN flood attack on one of the web servers. I want to put a source-IP-based connection limit.
So can someone tell me whether this is correct or not, please?

/ip firewall filter
add action=add-src-to-address-list address-list=web_server address-list-timeout=2w chain=forward comment="detect attack" connection-limit=25,32 disabled=no dst-address=webserverip dst-port=80 protocol=tcp src-address=0.0.0.0/0

add action=drop chain=forward comment="" disabled=no dst-address=webserverip protocol=tcp src-address=0.0.0.0/0 src-address-list=web_server


Please, I really need help to solve this problem.

Yes, but leave off the 'src-address=0.0.0.0/0' in both rules.

FWIW, 25 concurrent connections isn't very high - you're likely going to have false positives and block legitimate users. Depending on the severity of the attack that may be a fair trade-off, though. I'd personally adjust the address list timeout to 1h so that false positives get unblocked faster. Also, make sure you have the drop rule very early in your ruleset so that it gets processed early and can drop all those malicious packets very quickly rather than process a lot of rules for each of them. That will help router load.

Thank you very much, fewi.

I have a blacklist now and I want to import it into a firewall address list. How can I do it?

http://wiki.mikrotik.com/wiki/Using_Fetch_and_Scripting_to_add_IP_Address_Lists

This wiki example can do my job, but I don't know how to use this script. I want to fetch my blacklist from files on the RouterBOARD.

If you can give me an idea, I'd be really thankful to you. I'm using RouterOS version 5.0rc4 on x86.
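As an added example (not from the thread or the MikroTik wiki), one way to get a plain-text blacklist into an address list without an on-router parsing script: validate and deduplicate the file offline, then render it as a .rsc script that can be uploaded to the router and run with /import. The list name "blacklist", the comment tag and the sample feed are constructed assumptions; RFC1918 and loopback ranges are rejected so a bad feed can never block internal hosts, and duplicates are dropped because a duplicate address-list entry makes RouterOS abort the import.

```python
import ipaddress
import re

# Constructed sample feed, in the shape a downloaded blacklist file usually has.
SAMPLE_BLACKLIST = """\
# constructed sample feed
198.51.100.7
203.0.113.0/24
198.51.100.7          ; duplicate, must be dropped or /import aborts
10.0.0.5              ; RFC1918, never block our own hosts
not-an-address
192.0.2.1/33          ; bad prefix length
"""

# Ranges that must never end up in a blacklist applied to the forward chain.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_blacklist(text):
    """Return (accepted networks, rejected (line_no, text, reason)) from feed text."""
    seen, accepted, rejected = set(), [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # strip comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # host or CIDR
        except ValueError:
            rejected.append((n, line, "unparseable"))
            continue
        if any(net.overlaps(i) for i in INTERNAL):
            rejected.append((n, line, "internal"))
            continue
        if net in seen:
            rejected.append((n, line, "duplicate"))
            continue
        seen.add(net)
        accepted.append(net)
    return accepted, rejected


def to_rsc(networks, list_name="blacklist", tag="imported"):
    """Render accepted networks as a RouterOS script for `/import file=...`."""
    out = ["/ip firewall address-list"]
    for net in networks:
        # A /32 is written as a plain host address, anything else as CIDR.
        addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        out.append(f'add list={list_name} address={addr} comment="{tag}"')
    return "\n".join(out) + "\n"
```

The comment tag lets the whole import be cleared later with `/ip firewall address-list remove [find comment="imported"]` before loading a fresh feed.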