Hello Mtik people,
Probably my question is already answered but:
I have 2 Mtik routers v.6.42.6 in vrrp mode with rp-filter=loose and tcp-syncookies enabled [/ip settings set tcp-syncookies=yes]
I am trying to test the routers for TCP SYN resistance and it seems that the CPU load goes above 90%
cpu-used: 91%
cpu-used-per-cpu: 97%,81%,95%,83%
Am I doing something wrong here? I have created multiple firewall rules to drop or reject this kind of traffic but I’m ending up with slow Internet or no connection at all.
Test is initiated through linux hping3 with -c 30000 -d 800 (-c packets -d bytes in size each 28 headers + 800 data bytes)
Aren’t rp-filtering and syn-cookies supposed to resist SYN flood attacks?
Any help with this one?
SYN cookies do not do anything to protect against volumetric attacks, they are intended to protect a listening service from spoofed source IPs. Replace your SYN traffic with any other packet flood and you will likely see similar behavior assuming enough bandwidth between attacker and router. You can help reduce CPU usage by keeping the number of evaluated firewall rules to a minimum (often just a simple DROP on all unknown traffic is enough - don’t waste time with address lists, virus ports, etc).
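
Added example, not part of the original posts and not RouterOS or Linux code: a simplified SYN-cookie scheme in Python illustrating the reply above, where the listener keeps no half-open state for spoofed SYNs yet still does per-packet work for every one of them. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit MAC), the secret, the MSS table and the sample addresses are assumptions constructed for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed; a real stack uses a random, rotating key
MSS_TABLE = (536, 1300, 1440, 1460)   # constructed sample MSS values

def _mac(flow, count, client_isn, mss_idx):
    msg = repr((flow, count, client_isn, mss_idx)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]   # 24-bit tag

def make_cookie(flow, client_isn, mss_idx, count):
    """Server ISN for the SYN-ACK: 5-bit time counter | 3-bit MSS index | 24-bit MAC."""
    tag = int.from_bytes(_mac(flow, count, client_isn, mss_idx), "big")
    return ((count % 32) << 27) | (mss_idx << 24) | tag

def check_cookie(flow, client_isn, cookie, now_count):
    """Validate the cookie echoed in the final ACK; return the MSS or None."""
    t, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    tag = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for count in (now_count, now_count - 1):   # current or previous time slot
        expected = _mac(flow, count, client_isn, mss_idx)
        if count % 32 == t and hmac.compare_digest(tag, expected):
            return MSS_TABLE[mss_idx]
    return None

def simulate(n_spoofed, n_real, count=100):
    """Return (syns_processed, half_open_entries, established)."""
    processed = half_open = established = 0
    for i in range(n_spoofed + n_real):
        flow = (f"198.51.100.{i % 250}", 1024 + i, "192.0.2.1", 443)
        client_isn = (i * 7919) & 0xFFFFFFFF
        cookie = make_cookie(flow, client_isn, 3, count)
        processed += 1   # every SYN still costs a MAC and a SYN-ACK
        # half_open is never incremented: the state lives in the cookie itself
        if i >= n_spoofed and check_cookie(flow, client_isn, cookie, count):
            established += 1   # only a reachable (non-spoofed) client echoes the cookie
    return processed, half_open, established

if __name__ == "__main__":
    print(simulate(30000, 5))
```

The half-open count stays at zero while the processed count grows with every packet received, which is why the CPU load tracks the packet rate rather than the backlog.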