Hello,
We use a RouterBOARD 1200 in a colocated datacenter with a 10M connection. Recently we have had a lot of issues with flooding attacks from IPs based in China. Since we have a lot of RDP users, they get disconnected when these 8-9 second attacks happen, and then they have to re-enter their credentials, which obviously they are not very pleased about.
So far we have tried to drop packets using these commands:
/ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop
/ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop
but I want to block the entire China IP block. We can easily get a list from http://www.countryipblocks.net/, and I have created the commands in Excel for the entire list, so all I need to do is copy-paste them into the terminal.
My worry is that with almost 8000 rules (4K src and 4K dst), will I see a major degradation in performance?
Any other ideas on stopping such flooding attacks?
Thanks in advance!
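The post generates one firewall filter rule per CIDR (two per prefix, src and dst). Filter rules are evaluated top to bottom, so every packet through the forward chain would be tested against thousands of rules before it reaches anything else. RouterOS address-lists are the usual way to avoid that: the prefixes go into one named list and two rules match on `src-address-list` / `dst-address-list`, so the per-packet cost is a list lookup rather than a linear walk of 8000 rules. The script below is an added example (not part of the original post, and not the RouterOS command set being generated from Excel by the poster): it reads a one-CIDR-per-line list like the one exported from countryipblocks.net, validates each entry, merges adjacent and nested prefixes so the list is as short as possible, and emits the RouterOS commands for the address-list and the two drop rules. The list name `cn`, the comment text and the sample CIDRs are assumptions constructed for the example; the real export from the site would be several thousand lines.

```python
"""Build a RouterOS address-list from a country CIDR list.

Added example. Assumes the input is one CIDR per line (blank lines and
'#' comments allowed), as country block sites export it. The address-list
name 'cn' and the rule comments are arbitrary choices for this example.
"""
import ipaddress

LIST_NAME = "cn"  # assumed address-list name

# Constructed sample input; NOT a real China allocation export.
# It deliberately contains two adjacent /24s (mergeable into a /23),
# a /24 nested inside a /21, and one junk line, to exercise the cleanup.
SAMPLE_CIDR_LIST = """\
# constructed sample
1.0.1.0/24
1.0.2.0/24
1.0.3.0/24
1.0.8.0/21
1.0.9.0/24
1.0.32.0/19
not-an-address
1.1.0.0/24
"""


def parse_cidrs(text):
    """Return the valid IPv4/IPv6 networks in text; skip comments, blanks and junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set, e.g. 1.0.1.5/24 -> 1.0.1.0/24
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # a bad line should not abort the whole import
    return nets


def collapse(nets):
    """Merge adjacent prefixes and drop prefixes contained in a larger one."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def routeros_commands(nets, list_name=LIST_NAME):
    """Emit RouterOS CLI lines: flush the list, refill it, then two drop rules.

    The two filter rules are emitted last; on the router they should be
    moved to the top of the forward chain, since RouterOS evaluates filter
    rules in order and the point is to drop this traffic before any
    accept rule sees it.
    """
    lines = [f"/ip firewall address-list remove [find list={list_name}]"]
    for n in nets:
        lines.append(
            f'/ip firewall address-list add list={list_name} address={n} comment="country block"'
        )
    lines.append(
        f'/ip firewall filter add chain=forward src-address-list={list_name} '
        f'action=drop comment="drop {list_name} src"'
    )
    lines.append(
        f'/ip firewall filter add chain=forward dst-address-list={list_name} '
        f'action=drop comment="drop {list_name} dst"'
    )
    return lines


def rule_counts(nets):
    """Compare the number of filter rules each approach puts in the forward chain."""
    return {
        "one_rule_per_prefix": 2 * len(nets),   # src rule + dst rule per prefix
        "address_list": 2,                       # src-address-list + dst-address-list
        "address_list_entries": len(nets),       # entries live in the list, not the chain
    }


if __name__ == "__main__":
    prefixes = collapse(parse_cidrs(SAMPLE_CIDR_LIST))
    print("\n".join(routeros_commands(prefixes)))
    print(rule_counts(prefixes))
```

Paste the generated lines into the terminal, then move the two filter rules above the existing forward rules (rule order matters in RouterOS; a drop rule below an accept for established connections would never fire for an established flow). Two caveats a practitioner would want stated: country lists change, so the import should be re-run periodically, and dropping on the router only protects the hosts behind it. If the flood is large enough to fill the 10M link itself, the packets have already consumed the bandwidth by the time the RouterBOARD discards them, and the only fix for that is filtering upstream at the colocation provider.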