Hello all! Just signed up and first post, so hoping I am not breaching any protocol. I just started using a MikroTik 750G recently. I have a shared hosting server that undergoes attacks of various sorts. Usually people trying to hack into WordPress accounts, etc. So I set up a 750G in front of the server acting as a transparent firewall. It’s been a huge success as it lets me block a lot of events before they get to the server, which saves the server a lot of resources. I have even gone to the extent of setting up Fail2Ban on the server, which then logs into the 750 and adds IP addresses to address lists in the firewall. Again, it’s been a huge success and cured 99% of the problems we had.
However, I have run into a situation that I am having a hard time handling and am not versed enough yet in RouterOS (and perhaps networking in general) to figure out. I thought maybe someone here might be able to help. I have found similar articles on here, but none with the exact situation I have, or I am unable to tell if the reason I still have problems is because I am not implementing the suggestions correctly, or my situation is too different for those suggestions to work.
There is a particular destination IP that is getting hit with hundreds of http requests per second and coming from what seems like an infinite number of IP addresses. The pattern is very easy. These IPs are sending an HTTP POST request to / with no actual POST content. Now at the server I inevitably forbid this specific request so a 403 is returned. However the number of requests seems to be great enough to still bog the server down. Or at least enough so that when any other issues come up, the server is already having its hands full dealing with the DDoS attack on one of the websites.
So in the MikroTik the first thing I did was set a filter so that any connections to this particular IP on port 80 making a POST request to / are added to a block list that blocks them for 10 minutes. Unfortunately, the sheer number of IPs making these requests is just so large that this filter is pretty much futile. For most issues I run into, this type of filter seems to be just fine, but it isn’t any good for this kind of DDoS attack, it seems.
So I tried a filter that uses the content parameter to target traffic that contains the post information. That seems to target just fine. However, if I drop the packets, I end up with a lot of broken connections on the Apache server. I suspect that perhaps by the time I get a packet containing the post content, communication has already started with the Apache server, so I am breaking the connection while the Apache server is waiting for a response? But if I just use this filter to add the IP to a block list, there are too many IPs for this to do any good. I was thinking maybe the dst-limit options could help, but I am struggling to understand exactly how they work, and my attempts at using it have been unsuccessful.
Does anyone know if it’s possible for me to set up a content-based filter that can block that traffic without causing this problem with the Apache ports? Not sure if I am explaining properly or not, so please forgive me. The end goal is to block traffic based on the packet contents without leaving open connections at the destination, so that I don’t end up running out of Apache ports that are waiting for a response from an IP I have now blocked.
Thanks for any advice!
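The following is an added RouterOS filter example illustrating the two techniques the post discusses (a content match that only tags sources, and dst-limit applied to new connections); it is not the poster's configuration. It assumes the attacked web server is 203.0.113.10 (a placeholder) and that the 750G passes the traffic through the forward chain; rule order matters.

```routeros
# Added example, not the original poster's config. Placeholder server: 203.0.113.10
/ip firewall filter
# 1. A packet carrying the request line can only be seen once the TCP handshake is done,
#    so this rule never drops: it only tags the source for 10 minutes. Apache is therefore
#    never left with a half-open connection that the router silently abandoned.
add chain=forward action=add-src-to-address-list address-list=http_flood address-list-timeout=10m protocol=tcp dst-address=203.0.113.10 dst-port=80 content="POST / HTTP/1." comment="tag sources sending POST / requests"
# 2. Tagged sources are refused at the SYN (connection-state=new), before any
#    connection reaches Apache, so no server socket is allocated for them.
add chain=forward action=drop connection-state=new src-address-list=http_flood protocol=tcp dst-address=203.0.113.10 dst-port=80 comment="refuse new connections from tagged sources"
# 3. dst-limit caps the rate of NEW connections to the server regardless of how many
#    source addresses are involved: 50 per second, burst of 100, one counter per
#    destination address (mode dst-address), counter entry expiring after 10s of quiet.
#    Packets within the budget match here and are accepted.
add chain=forward action=accept connection-state=new protocol=tcp dst-address=203.0.113.10 dst-port=80 dst-limit=50,100,dst-address/10s comment="new web connections within the per-destination budget"
# 4. Everything over the budget is dropped while still a SYN, so nothing is left
#    waiting on the Apache side. During a flood this also throttles legitimate
#    visitors to that one address, which is the trade-off of a per-destination limit.
add chain=forward action=drop connection-state=new protocol=tcp dst-address=203.0.113.10 dst-port=80 comment="excess new connections to the web server"
```

The exact numbers in rule 3 are placeholders; the rate should be tuned against the normal new-connection rate to that address, which can be read from the rule counters before the limit is enforced.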