Instability under ddos attack

Hi,

I experienced router restart under DDOS attack for the second time.

Also once when the network was under attack (1Gbit+), it switched its ports off and on.

Is there a cause/solution for this?

Thank you!
Bests,
Semir

This is why it is called an “attack”. What kind of device is this router?

There are many approaches to limiting effect from a DDoS attack: https://www.google.com/search?q=DDOS&sitesearch=http://wiki.mikrotik.com&ie=utf-8&oe=utf-8

Hi,
thank you for your response.

You misunderstand something. The router rebooted because of the watchdog timer.

Yes, and watchdog was triggered by instability of router, which is caused by the attack. This is the result of the attack, and lack of protective measures.

Sorry, I'm not getting your point.
Why should it be unstable under an attack?

Also please find my current firewall below:

add action=drop chain=forward comment="IP Spoofing protection" in-interface=InetIn src-address=84.xx.xx.xx/24
add action=drop chain=input comment="Drop Incoming DNS req" dst-port=53 in-interface=InetIn protocol=udp
add action=drop chain=input dst-port=53 in-interface=InetIn protocol=tcp
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid protocol=tcp
add action=jump chain=forward comment="SSH brute force protection" connection-state=new dst-port=22 in-interface=InetIn jump-target=SSH_Protection protocol=tcp src-address=!6x.xx.xx.xx
add action=drop chain=SSH_Protection src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=12m chain=SSH_Protection src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1s chain=SSH_Protection
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10s chain=SSH_Protection src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10s chain=SSH_Protection src-address-list=ssh_stage2
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn,!ack
add action=return chain=SYN-Protect connection-state=new dst-limit=1000,1000,dst-address protocol=tcp tcp-flags=syn,!ack
add action=drop chain=SYN-Protect src-address-list=synner
add action=add-src-to-address-list address-list=synner address-list-timeout=10m chain=SYN-Protect
add action=drop chain=forward dst-address-list=udp_flooded
add action=drop chain=forward src-address-list=udp_flooder
add action=jump chain=forward comment="UDP Flood Protection" connection-state=new jump-target=udp_flood protocol=udp
add action=return chain=udp_flood dst-limit=2000,2000,src-and-dst-addresses
add action=add-src-to-address-list address-list=udp_flooder address-list-timeout=10m chain=udp_flood
add action=add-dst-to-address-list address-list=udp_flooded address-list-timeout=1d chain=udp_flood
add action=jump chain=forward comment="Ping Flood Protection" jump-target="Ping Flood Protection" protocol=icmp
add action=return chain="Ping Flood Protection" dst-limit=200,200,src-and-dst-addresses protocol=icmp
add action=drop chain="Ping Flood Protection" protocol=icmp src-address-list=ping_floodders
add action=add-src-to-address-list address-list=ping_floodders address-list-timeout=10m chain="Ping Flood Protection"
add action=add-dst-to-address-list address-list=synflooded chain=SYN-Protect
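
As an added illustration, not part of the thread or of the poster's configuration, the following Python model replays constructed SYN traffic through the SYN-Protect chain above (return while dst-limit=1000,1000,dst-address is not exceeded, drop if the source is already in "synner", otherwise list the source for 10 minutes and let the packet continue). It shows a side effect of keying the limit on the destination address only: a real client whose first SYN arrives while the victim's bucket is empty is itself added to synner and its retry is dropped. Assumptions: dst-limit is approximated as one token bucket per destination address, and all addresses come from documentation ranges.

```python
# Added model of the SYN-Protect chain posted in the thread (not the poster's
# own code).  Rule order modelled:
#   1. return                    while dst-limit=1000,1000,dst-address holds
#   2. drop                      if src-address is in list "synner"
#   3. add-src-to-address-list   synner, timeout 10m; packet passes through
# dst-limit is approximated as one token bucket per destination address.
# The traffic below is constructed; addresses are from documentation ranges.


class DstLimit:
    """Per-key token bucket: `rate` tokens per second, capacity `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # key -> (tokens, last_seen_ts)

    def allow(self, key, ts):
        tokens, last = self.buckets.get(key, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        ok = tokens >= 1
        self.buckets[key] = (tokens - 1 if ok else tokens, ts)
        return ok


def syn_protect(packets, rate=1000, burst=1000, list_timeout=600):
    """Replay (ts, src, dst) SYN packets; return counters and the synner list."""
    limiter, synner = DstLimit(rate, burst), {}  # synner: src -> expiry ts
    passed = dropped = 0
    for ts, src, dst in packets:
        if limiter.allow(dst, ts):          # rule 1: under limit -> return
            passed += 1
        elif synner.get(src, 0) > ts:       # rule 2: already listed -> drop
            dropped += 1
        else:                               # rule 3: list src; packet continues
            synner[src] = ts + list_timeout
            passed += 1
    return {"passed": passed, "dropped": dropped, "synner": synner}


def demo():
    """Three spoofed waves against one victim, plus one legitimate client."""
    victim, other, legit = "203.0.113.10", "203.0.113.20", "198.51.100.5"
    spoofed = [f"100.64.{i // 256}.{i % 256}" for i in range(4500)]
    pkts = [(0.0, s, victim) for s in spoofed[:1500]]       # wave 1 at t=0
    pkts += [(0.5, s, victim) for s in spoofed[1500:3000]]  # wave 2 at t=0.5
    pkts += [(0.5, legit, victim)]      # real client arrives while bucket is empty
    pkts += [(1.0, s, victim) for s in spoofed[3000:]]      # wave 3 at t=1.0
    pkts += [(1.0, legit, victim), (1.0, legit, other)]     # retry, and another host
    r = syn_protect(pkts)
    r["legit_listed"] = legit in r["synner"]
    return r
```

Only the retry to the flooded host is dropped; the same client's SYN to a different destination passes, because the bucket is per destination while the penalty list is per source.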

What kind of hardware is it?

DDoS attack will fill your router resources, so your router will have problems processing legitimate traffic. It should not be rebooted. Maybe you have a hardware problem after all.

It’s a CCR1036-12G-4S
With the current ruleset the CPU load is around 25-30% @1Gbit DDOS.

Do you use RouterOS v6.2 or v6.3?

It updated itself to 6.2 and now says it is up-to-date.

I did not even know there is a 6.3 and cannot find it either.

Which is the most stable version?

v6.2 should be much better under DDoS attack. v6.3 will be released today or next week, test version is available upon request

Nope, thanks, I need the most stable one.

aug/31/2013 12:23:35 system,error,critical router was rebooted without proper shutdown, probably kernel failure

happened again.
exact scenario:
– receiving ddos on ipv6 (not huge, ~300-400Mbit)
– editing firewall settings
crash.

Hi,
new exp:

the tools/profile shows 90% idle, while system/resources show 100% load.

http://kepfeltoltes.hu/130831/resources_www.kepfeltoltes.hu_.png

even though the traffic was the same as minutes ago, when the load was 35%.

Any ideas?
Thank you!

Turned off watchdog timer.
Router restarted.
(Which is good, too, as a brick would be worse.)
Nothing in the logs.
I just see all the counters reset.

We will release v6.3 today or tomorrow, only an SSTP issue is remaining, so you can safely try it.
If your issue was not fixed by upgrading to v6.2, please email support@mikrotik.com with your supout.rif file, and we will see why this happens.

Sorry, almost forgot to Thank You!

bumping. Keen to know the outcome of this.

As I saw, 6.3 did have some update on gbit links, but I'm still waiting for feedback on 6.3 issues/stability.

Also I found that 500-700Mbit IPv6 DDOS traffic loads the cores to 100% (with 2 FW rules only), so ipv6 ddos above 700Mbit may have triggered the watchdog.
But this does not answer the cases when ports flipped or router was rebooted under an ipv4 ddos.

I had sent away problematic clients already, so I hope I won't be able to do further investigations in ddos attacks XD