Some ISPs using MikroTik are getting attacked with SSDP DDoS, with some peaks of 50 Gbps. Any ideas on how to mitigate this? The upstream provider is having some difficulties also...
Below are some pictures of the traffic from the packet sniffer during the attack, while all CPU cores on the 1036 and 1072 are jammed at 100% usage.
We see thousands of spoofed IPs doing the attack... SSDP port 1900 is closed in IP firewall raw, on src and dst, UDP and TCP.
What is the output of /ip firewall raw print and /ip firewall raw print stats? If the requests are properly dropped, RouterOS should not be sending any ICMP packets back.
Since you've got a common rule for multiple ports, it is not possible to say whether it counts the SSDP packets or the other ones. Create separate rules (TCP, UDP) with dst-port=1900 alone and place them before the common one.
But that's only for analysis; otherwise it should work the way you've set it up, unless some match condition is set in the rule(s) that is not shown in this table view. That's the reason why I've asked for output from the text console, where all match conditions are always visible.
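The separate per-port raw rules suggested above, written out as an added RouterOS CLI example (this is not from the original posts and not the poster's actual configuration; the rule comments and the assumption that the existing multi-port rule is the first entry in the raw table are mine):

```routeros
# Added example, not the original poster's config.
# Two dedicated rules for SSDP (UDP and TCP dst-port 1900) in the raw table,
# inserted at position 0 so they are evaluated before the existing common
# multi-port rule (assumed here to sit at index 0). Dropping in
# chain=prerouting of the raw table happens before connection tracking, and
# action=drop sends no ICMP reply, unlike action=reject.
/ip firewall raw
add chain=prerouting protocol=udp dst-port=1900 action=drop \
    comment="ssdp-udp (analysis)" place-before=0
add chain=prerouting protocol=tcp dst-port=1900 action=drop \
    comment="ssdp-tcp (analysis)" place-before=0

# Zero the counters so the next read reflects only traffic from now on,
# then show the per-rule packet/byte counters and the full match conditions
# (the text console prints every matcher, which the table view may hide).
/ip firewall raw reset-counters-all
/ip firewall raw print stats
/ip firewall raw print
```

If the packet counter on the dedicated dst-port=1900 rules stays at zero while the common rule keeps counting, the flood is not actually hitting port 1900 as the rule sees it (for example because it arrives as ICMP rather than UDP/TCP), which is exactly what the separated rules are meant to reveal.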
Well, they are attacking the full ASN IPs... all /24 blocks are being attacked with thousands of spoofed IPs, with random ports, ICMP packets with lengths of 161 and 70 bytes, with that SSDP inside.
Hi, I guess the problem is the amplification of the attacks hammering at somewhat 50 Gbps on the interface. I guess no 10 Gbps SFP+ interface on the MikroTik will handle this kind of DDoS attack.