Maxxed out CPU on CloudCore routers?

We’ve suffered a few brutal DDoS attacks over the last few days (not all that unusual), but we graph CPU usage on all our Mikrotiks, and the graph showed some CCR1072 routers hitting 100% CPU usage during the attack, even though normal CPU usage is below 10%. We’re doing the usual review/audit and update of our firewall rules, but is that a common side effect of a DDoS? What sort of traffic could cause that kind of impact?

If the router is not configured correctly, yes, but it should NOT hit 100% CPU.

A misconfigured firewall could sometimes make an attack even worse. You can, for example, run every attacking packet through connection tracking. Check your rule set, and which rules have a lot of hits when under attack. Check also the profile for which “app” is using your CPU resources.

Well, I grabbed my copy of Learn RouterOS 2nd Ed., and I made some changes in rule order, using Firewall Efficiencies on pg 126-127 as a guide, but I’m still not certain what was happening when the attack was going on that could have overloaded the 72-core CPU…

Normally one would utilize BGP blackhole or null route with your upstream provider. Also, dropping offending traffic in the raw table so it’s dropped before connection tracking.
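As an added illustration of the two suggestions above (checking which rules get the hits and what is using CPU, and dropping attack traffic in the raw table before connection tracking), here is a RouterOS configuration fragment. It is not from any poster in this thread; it assumes RouterOS v6 CLI syntax, a WAN port named ether1, and a constructed address list called ddos-attackers. Interface names and addresses are placeholders to adjust for your own router.

```routeros
# Added example, not taken from the thread. Assumes RouterOS v6 syntax,
# WAN on ether1, and a hypothetical address list named ddos-attackers.

# Sources already identified as attackers. Entries expire on their own so the
# list does not grow without bound; the /24 below is a constructed sample.
/ip firewall address-list
add list=ddos-attackers address=203.0.113.0/24 timeout=1d comment="constructed sample entry"

# The raw table runs in prerouting BEFORE connection tracking. Dropping here
# avoids creating a conntrack entry per attack packet, which is what drives
# CPU to 100% when a flood is allowed into the filter chains.
/ip firewall raw
add chain=prerouting action=drop src-address-list=ddos-attackers comment="drop known attack sources before conntrack"
# Spoofed RFC1918 sources arriving on the WAN port never need tracking either.
add chain=prerouting action=drop in-interface=ether1 src-address=10.0.0.0/8 comment="RFC1918 spoof on WAN"
add chain=prerouting action=drop in-interface=ether1 src-address=172.16.0.0/12 comment="RFC1918 spoof on WAN"
add chain=prerouting action=drop in-interface=ether1 src-address=192.168.0.0/16 comment="RFC1918 spoof on WAN"

# Filter table: put the rules that match most of the legitimate traffic first
# so established flows stop being evaluated early (the rule-ordering point).
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack known flows"
add chain=forward action=accept connection-state=established,related comment="accept known flows"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# While an attack is running: which rules are taking the hits, how large the
# connection table has grown, and which process is consuming CPU.
/ip firewall raw print stats
/ip firewall filter print stats
/ip firewall connection print count-only
/tool profile duration=10
```

The diagnostic commands at the end are the ones to run during the next attack: a rule in the filter table with a huge packet counter that sits below the fasttrack/established rules, or a connection count far above normal, points at traffic being tracked that should have been dropped in the raw table, and the profile output will show whether it is the firewall, networking, or something else that is consuming the cores.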