Looking for the best anti-DDoS rule

To identify a DDoS attack in the most general way, I've written a few rules. The most effective has been one that adds offending IPs to an address list and has traffic from that list dropped by another rule. I'm looking for some advice on how to optimise this one rule so as to NOT flag false positives.

/ip firewall filter
add chain=forward protocol=tcp \
    tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr connection-limit=20,32 \
    limit=25,10 src-address-list=!Safe-List action=add-src-to-address-list \
    address-list=tcp-syn-violators address-list-timeout=3h

This rule does pretty well, but I'm not sure what the best settings would be for limit (rate/burst). The key would be the lowest values for all connection-limit and limit settings without false positives. Anyone have any input?

Also enable the TCP SYN cookie.

This is actually asking for trouble in a real DDoS attack. Adding source IPs to an address list will only slow your router down and take everything with it. Logging every drop is also very bad; it will kill your router under any real attack. Just use the dst-limit and limit rules like you have, but without trying to keep a list of all the forged source IPs. You can use a wiretap to capture that if you really want it.

You are right in the extreme cases, but even for quite large attacks (1000 IPs) it does work out. I have this in the rule,

src-address-list=!Safe-List

so it won't try to re-add IPs that are already in the list, and that saves on some overhead. The only trick seems to be picking the right numbers for connection-limit, burst, etc. to not flag the innocent. A variation on the rule I posted has worked quite well for me.
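As an added example (not posted by anyone in this thread), here is how the rule from the first post fits into a complete RouterOS filter set, together with the SYN-cookie setting and a list-free SYN budget of the kind the reply above recommends. The list names Safe-List and tcp-syn-violators are the thread's; the rule order, the connection-state=new match, the example management address and the 400,5 budget are assumptions to tune for your own link. Note that in RouterOS the limit matcher matches packets up to its rate, so on the detection rule it caps how often the add action fires; it is connection-limit=20,32 that decides which /32 sources get listed.

```routeros
# Added example, not the original poster's configuration.
# Syntax follows the v5/v6-era limit=rate,burst form used in the thread.

/ip settings set tcp-syncookies=yes

/ip firewall address-list
# Constructed example: hosts that must never be listed (monitoring, management).
add list=Safe-List address=192.0.2.10 comment="example management host"

/ip firewall filter
# 1. Cheapest rule first: sources already on the list are dropped before the
#    detection rule runs, so known offenders cost one lookup, not a re-evaluation.
add chain=forward src-address-list=tcp-syn-violators action=drop \
    comment="drop listed SYN flooders"

# 2. Detection: only pure SYNs opening new connections are examined.
#    connection-limit fires once a single /32 source holds more than 20
#    connections; limit=25,10 throttles the add action so the list update
#    itself cannot become the load under a flood.
add chain=forward protocol=tcp connection-state=new \
    tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr \
    connection-limit=20,32 limit=25,10 src-address-list=!Safe-List \
    action=add-src-to-address-list address-list=tcp-syn-violators \
    address-list-timeout=3h comment="list sources over the SYN budget"

# 3. List-free alternative (disabled here): accept new SYNs up to a global
#    budget and drop the excess, with no per-source bookkeeping at all.
add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
    action=jump jump-target=SYN-Protect comment="SYN flood guard" disabled=yes
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
    limit=400,5 action=accept
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
    action=drop
```

Before lowering connection-limit or the limit burst, check /ip firewall address-list for entries that belong to NAT gateways or busy legitimate clients; a single NAT address can easily hold more than 20 connections, which is why the Safe-List exemption matters more than the exact numbers.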

I have a DDoS attack, please help me.
I see in my MikroTik in "IP Firewall Connections" more connections by different unknown IPs. How can I stop this attack? I'm a beginner. Thanks