hi guys
It seems that my network connection tracking is at a few thousand, which is weird: connections from IPs that don't exist on the network to the server, and it is slowing the server badly.
thanks
Make an allowed-IP list, block everything else, and make a firewall rule that allows only about 20 connections from each IP.
Thanks for the fast reply.
Any firewall rule sample, please?
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=10,32 action=drop
This will limit each IP to 10 connections.
http://www.mikrotik.com/docs/ros/2.9/ip/filter.content#6.38.3.1
There are some other examples there.
In general, is it good to limit the number of connections from one IP to a certain amount? I know some HTTP sites create multiple connections at one time. Is there a good number to use? We have had issues with maybe a hundred connections at a time being generated by customers who happen to get infected with something, and it affects our overall wireless network operation.
I use 80 without complaints, but started at 100 connections per IP.
Does this work the same in pre-2.9 versions?
In v2.8.28 this is the rule I use:
/ip firewall rule forward add protocol=tcp tcp-options=syn-only connection-limit=80 action=drop
OK. Just attempted this on a router. Here is the network topology on this particular network segment:
weeds → narnia → core router
On the narnia router, I have 6 Ethernet ports. If I apply the rule above, is it not going to restrict the interface that has the backhaul to the weeds site to x connections, thus slowing that site down when it exceeds the x number of connections set in the rule? I am running PPPoE on weeds and narnia, so I can't just restrict the rule to a specific interface that an AP sits on, because then the PPPoE interfaces won't get restricted, and usually it is those customers that cause us problems. I could add to the rule, but my link to the core router is also going to get restricted to x connections. Am I reading this all wrong? Is the rule restricting by interface or by IP?
Oh wow! Just did this on another router and BOOM, got someone immediately with about 3 or 4 worms/viruses on their system.
From Eugene in previous threads discussing connection limits:
Every computer can make no more than 80 TCP connections through the router.
I had problems with hundreds of connections; captured after using this rule, none exceeds the value 80.
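The question above (interface or IP?) and Eugene's answer, as an added worked configuration that is not from any post in this thread. It uses the RouterOS 2.9 `/ip firewall filter` form shown earlier; the 10.10.0.0/16 customer range, the 10.0.0.0/24 backhaul network, the limit of 80 and the log prefix are all assumptions made up for the example. The limit is scoped by source address rather than by interface, so PPPoE customers are counted per IP while the narnia-to-core link is never touched.

```routeros
# Added example, not code from the thread. Assumed addressing:
#   10.10.0.0/16  customer / PPPoE pool range (made up)
#   10.0.0.0/24   narnia <-> core router backhaul (made up)

# Infrastructure addresses that must never be rate-limited, kept in a list
# so the rules below do not have to change when a backhaul address changes.
/ip firewall address-list add list=infra address=10.0.0.0/24 comment="narnia<->core backhaul"

# Rules are evaluated top-down: anything sourced from the backhaul is accepted
# before the connection-limit rule is ever consulted.
/ip firewall filter add chain=forward src-address-list=infra action=accept comment="never limit backhaul"

# The per-source limit. "80,32" means: count connections per single /32
# source address (not per interface) and match once that source already has
# more than 80 TCP connections through this router. Matching only on SYN
# rejects the 81st and later new connections while existing ones keep working.
# Scoping with src-address to the customer range covers PPPoE clients too.
/ip firewall filter add chain=forward src-address=10.10.0.0/16 protocol=tcp tcp-flags=syn connection-limit=80,32 action=log log-prefix="connlimit" comment="log customers over 80 TCP connections"
/ip firewall filter add chain=forward src-address=10.10.0.0/16 protocol=tcp tcp-flags=syn connection-limit=80,32 action=drop comment="drop the excess SYNs"

# Checks after applying: rule hit counters, the log entries naming the source
# IP, and the live connection table to see who is actually holding connections.
/ip firewall filter print stats
/log print where message~"connlimit"
/ip firewall connection print
```

Two caveats worth keeping in mind: the accept rule for the infra list exempts that traffic from every later rule in the forward chain, so put any general drop rules that should still apply to the backhaul above it; and the limit counts connections through the router only, so a host talking to the router itself (input chain) is not covered by this forward-chain rule.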