Mikrotik CCR 1036 8G 2S+ Performance issue

Hello,
I have a MikroTik CCR1036-8G-2S+ with about 10 filter rules, and per your datasheet at https://mikrotik.com/product/CCR1036-8G-2Splus, in routing mode with 25 filter rules the 1036 can handle 1.5 Gbps and 3M pps. The issue is that when I receive a DDoS attack, my CPU usage is 100%.
The DDoS I received had 1M pps and about 1 Gbps. I have analyzed the traffic: it came from spoofed IPs, it was UDP and sometimes the GRE protocol, and it was aimed at one DST IP.
As a note, my uplinks are 2x 10 Gbps, so I have 20 Gbps in total.
This is what i have on my router:

  1. 6 enabled IP firewall filter rules
  2. 1 mangle rule
  3. 9 enabled IP firewall raw rules
  4. BGP with no full table
  5. 100 VLANs
  6. BGP/OSPF

Would you tell me why my CPU usage is 100% when I receive this amount? It is the opposite of the datasheet.
Any idea for a solution to this?

Thank you.

Hello,
I am facing the same problem. Please, MikroTik, help us. You can check that forum question; I'll put the link below:
https://r.tapatalk.com/shareLink/topic?url=https%3A%2F%2Fforum.mikrotik.com%2Fviewtopic.php%3Ft%3D151354&share_tid=151354&share_fid=28615&share_type=t

This is really fantastic to me: why are the datasheet numbers different from production environments!

I sent an email to support@mikrotik.com, but they suggested some rules for fighting DDoS. However, I do not want to protect my customers from DDoS attacks; I want to transit this traffic to them, because we do not offer a DDoS protection service! So I do not know why the datasheet numbers are really different in working environments!

Hey

Do you have connection tracking enabled?
Was the DDoS on IPv6? There was an issue with that not so long ago (implementation in ROS), with a patch release. Do you have it?

Edit: just noticed you don’t have connection tracking enabled http://forum.mikrotik.com/t/fasttrack-or-raw-is-better-for-blocking-ddos-attacks/132578/1

Connection tracking is disabled, and I have no IPv6 traffic, not even BGP IPv6; all traffic is IPv4.

Which version are you running? Remember that there was a bug in ROS with regard to that:
ROS 6.45.1:
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;

Hi,
I am using the latest version of both RouterBOOT and ROS.

Remember something similar:

http://forum.mikrotik.com/t/tcp-syn-flood-attack-causing-high-cpu/112864/1

As I understand it, the CCR cannot route this amount of traffic to the user due to the Linux kernel?