Minecraft server Gamai.Ru DDOS protection

RouterBoard Mikrotik 751G-2HnD firmware 2.39 RouterOS 5.18.
Minecraft online game server Gamai.Ru.
100 Megabits upload/download channel.

Minecraft uses ports 25565 TCP/UDP.

My previous router, a D-Link DIR-300, had these protection rules in its configuration:

iptables -A INPUT -p tcp -m tcp --dport 25565 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
iptables -A INPUT -p udp --dport 25565 -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT

Please help me convert these rules (or more effective ones) to Mikrotik. I have read the official manual but don't want to risk it. The Mikrotik 751G-2HnD is my first Mikrotik router.

Thanks to all helpers.
I can give remote access to router.

Something like:

/ip firewall filter
add chain=input protocol=tcp dst-port=25565 tcp-flags=syn,!fin,!rst,!ack connection-limit=5,32 action=drop
add chain=input protocol=udp dst-port=25565 connection-limit=15,32 action=reject

Can there be a syntax error?

add chain=input protocol=tcp dst-port=25565 tcp-flags=fin,syn,rst,ack connection-limit=5/32 action=drop

expected , (line 1 column 92)

You need to start by entering the firewall menu; you missed the first part of the command:

/ip firewall filter

There should be connection-limit=5,32

Thanks to everybody. The rules have been accepted.
Are these rules enough to protect the Minecraft server?

These rules protect your ROUTER from many connections per second. There are some other ways to protect the router, but also your original rules did not protect your Minecraft server, only the router. If you want to also prevent multiple connections to the Minecraft server, add the same set of rules again, but this time change input to forward.

Please answer in detail. I'm still a noob with Mikrotik. But protection of the Minecraft server is very important.

What are the specific rules (or commands in the terminal) I need to enter?

I am simply pointing out that your D-Link rules were also not protecting your Minecraft server.

Adding also these rules should help (copy and paste them):

/ip firewall filter
add chain=forward protocol=tcp dst-port=25565 tcp-flags=syn,!fin,!rst,!ack connection-limit=5,32 action=drop
add chain=forward protocol=udp dst-port=25565 connection-limit=15,32 action=reject

So in summary I need these rules? To protect the router and the Minecraft server. Yes?

/ip firewall filter
add chain=forward protocol=tcp dst-port=25565 tcp-flags=syn,!fin,!rst,!ack connection-limit=5,32 action=drop
add chain=forward protocol=udp dst-port=25565 connection-limit=15,32 action=reject
add chain=input protocol=tcp dst-port=25565 tcp-flags=syn,!fin,!rst,!ack connection-limit=5,32 action=drop
add chain=input protocol=udp dst-port=25565 connection-limit=15,32 action=reject

Actually better like this:

/ip firewall filter
add chain=forward protocol=tcp dst-port=25565 tcp-flags=syn,!fin,!rst,!ack connection-limit=5,32 action=drop
add chain=forward protocol=udp dst-port=25565 connection-limit=15,32 action=drop
add chain=input connection-limit=15,32 action=drop

These rules only protect against DOS (denial of service, multiple connections at once). There are many other rules you could add, depending on what you wish to be protected against.
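A complete rule set that puts the input-vs-forward advice above into practice, as an added example that is not from this thread or from any of its posters. Two points it makes explicit: RouterOS tcp-flags lists flags that must be SET, so the iptables mask/compare pair "--tcp-flags FIN,SYN,RST,ACK SYN" (only SYN set out of those four) translates to tcp-flags=syn,!fin,!rst,!ack, whereas tcp-flags=fin,syn,rst,ack would demand all four flags at once and match nothing; and an accept for established/related traffic placed first keeps per-packet work low, which matters on the small CPU the later posts worry about. The WAN port name ether1 and the server address 192.168.88.10 are assumptions; the limits 5 and 15 are the ones from the original D-Link rules.

```routeros
# Added example, not from the thread. Assumed: WAN port is ether1,
# Minecraft host is 192.168.88.10 on the LAN.
/ip firewall filter
# Router itself (chain=input). Tracked sessions pass cheaply; invalid state is dropped.
add chain=input connection-state=established,related action=accept comment="router: existing sessions"
add chain=input connection-state=invalid action=drop comment="router: drop invalid"
# 6th concurrent TCP connection from one address (/32) to the router's own 25565: drop the SYN.
# iptables "--tcp-flags FIN,SYN,RST,ACK SYN" == tcp-flags=syn,!fin,!rst,!ack here.
add chain=input protocol=tcp dst-port=25565 tcp-flags=syn,!fin,!rst,!ack connection-limit=5,32 action=drop comment="router: TCP connlimit 25565"
add chain=input protocol=udp dst-port=25565 connection-limit=15,32 action=drop comment="router: UDP connlimit 25565"
# Traffic that only passes THROUGH the router to the server (chain=forward), same limits.
add chain=forward connection-state=established,related action=accept comment="server: existing sessions"
add chain=forward connection-state=invalid action=drop comment="server: drop invalid"
add chain=forward protocol=tcp dst-port=25565 dst-address=192.168.88.10 tcp-flags=syn,!fin,!rst,!ack connection-limit=5,32 action=drop comment="server: TCP connlimit 25565"
add chain=forward protocol=udp dst-port=25565 dst-address=192.168.88.10 connection-limit=15,32 action=drop comment="server: UDP connlimit 25565"
```

Rule order is what makes this work: the connection-limit drops must sit above any rule that accepts port 25565, since the first match wins. /ip firewall filter print shows the order and /ip firewall filter print stats shows per-rule packet counters, which is the quickest way to confirm that a limit rule is actually being hit during a flood rather than silently matching nothing. Note that connection-limit counts conntrack entries per source, so once a source has five open TCP sessions its sixth SYN is discarded while the existing five keep running.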

May I ask, have you already had DDoS attacks?

Can you tell me anything about the previous attacks? I would be surprised if the CPU on the router can handle a large DDoS attack.
I don't know personally with Mikrotik, I've just seen some tough routers go splat in the past.

Please give feedback :)

My router, a D-Link DIR-300 with DD-WRT and a 300 MHz CPU, had been under attack in the past. But those were DoS (not DDoS) attacks. Packet flooding.

The protection rules were useful to prevent this type of attack.

Okay, then it must be either a simple ping flood or an unspoofed SYN flood <-- pointless I would think, but it might consume a bit of the resources maybe..

I personally don't consider a DoS very bad, I can't think how a DoS would be capable of consuming your bandwidth AND/OR resources.

But of course I guess the Minecraft server may be more sensitive to this.

I would like to know what NAT rule(s) I must add. I tried to add a rule: chain: dstnat, protocol: 6 (tcp), dst port: 25565, in interface: ether1, action: dstnat, to address: my local PC address, to port: 25565. It did not work. I can't connect to my server using my WAN IP and port 25565. I'm a little bit of a noob too and I would like some help please. Thanks.
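The port forward asked about above, written out as an added example that is not from this thread. The rule the poster describes (dstnat, TCP, dst-port 25565, in-interface ether1, dst-nat to the PC) is the right shape; the two things that most often make it "not work" are a forward-chain drop that sits before any accept for the forwarded traffic, and testing from a PC inside the LAN with the public address, which needs hairpin NAT because the server would otherwise answer the client directly and bypass the router. Interface names ether1 and bridge-local, the LAN 192.168.88.0/24 and the server address 192.168.88.10 are assumptions.

```routeros
# Added example, not from the thread. Assumed: WAN interface ether1,
# LAN bridge bridge-local with 192.168.88.0/24, Minecraft host 192.168.88.10.
/ip firewall nat
# Port forward from the Internet. dstnat runs before routing, so from here on
# the packet is addressed to the server, not to the router.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=25565 action=dst-nat to-addresses=192.168.88.10 to-ports=25565 comment="Minecraft TCP"
add chain=dstnat in-interface=ether1 protocol=udp dst-port=25565 action=dst-nat to-addresses=192.168.88.10 to-ports=25565 comment="Minecraft query UDP"
# Outbound masquerade for the LAN; the default configuration normally has this already.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"
# Hairpin NAT, only needed when a LAN client connects to the public address.
# dst-address-type=local matches any address the router itself owns (works with a dynamic WAN IP).
add chain=dstnat in-interface=bridge-local dst-address-type=local protocol=tcp dst-port=25565 action=dst-nat to-addresses=192.168.88.10 to-ports=25565 comment="hairpin dstnat"
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=25565 action=masquerade comment="hairpin srcnat"
/ip firewall filter
# Forwarded packets still cross the forward chain; after dstnat they carry the
# server's address, so allow exactly that from the WAN and nothing more.
add chain=forward in-interface=ether1 dst-address=192.168.88.10 protocol=tcp dst-port=25565 action=accept comment="allow forwarded Minecraft TCP"
add chain=forward in-interface=ether1 dst-address=192.168.88.10 protocol=udp dst-port=25565 action=accept comment="allow forwarded Minecraft UDP"
```

To see where a connection attempt stops, watch the counters: /ip firewall nat print stats shows whether the dstnat rule is being hit at all, and /ip firewall filter print stats shows which forward rule takes the packet afterwards. If any connection-limit drop rules for port 25565 are in use, keep them above these accept rules so the limit is still enforced on forwarded traffic; the accept only lets through what the limit did not already discard.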