Prevent DRDoS attacks

Hi,

Does anyone know how to prevent DRDoS attacks in MikroTik?

Thanks

Note: In a reflection DDoS attack, the attacker imitates (“spoofs”) the victim’s IP address and sends a request for information via UDP to servers (“reflectors”) known to respond to that type of request. The servers answer the request and send (“reflect”) the response to the victim’s IP address. Thus, from the servers’ perspective, the victim sent the original request.

Simply block invalid packets on the firewall.

In this case, invalid packets only work for TCP connections. Any strategy for UDP connections?

If connection tracking is on, a UDP packet is also considered invalid if the destination is different from one of the router's IPs.

I think you mean to prevent outbound attacks. What I want is to prevent my users from being victimized. Is it possible to detect it in MikroTik?

As rextended wrote before me: drop the packets in the firewall. If your router is used for that, you can drop them in the input chain on WAN interfaces. A simple action=drop will not respond gracefully with an ICMP message as it does by default.

This is an extract of my rules from one of my gateways in production:

This is to "protect" the router itself and the users. Nothing is perfect.

/ip firewall address-list
add address=0.0.0.0/8 comment="Internal Network" list=list_ip_blocked
add address=127.0.0.0/8 comment=Loopback list=list_ip_blocked
add address=192.0.0.0/29 comment=DS-Lite list=list_ip_blocked
add address=192.0.2.0/24 comment=TEST-NET list=list_ip_blocked
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=list_ip_blocked
add address=198.18.0.0/15 comment=INTER-NETWORK list=list_ip_blocked
add address=198.51.100.0/24 comment=TEST-NET-2 list=list_ip_blocked
add address=203.0.113.0/24 comment=TEST-NET-3 list=list_ip_blocked
add address=224.0.0.0/4 comment=Multicast list=list_ip_blocked
add address=240.0.0.0/5 comment="Class E" list=list_ip_blocked
add address=248.0.0.0/5 comment="Reserved (!255.255.255.255 Broadcast)" list=list_ip_blocked



/ip firewall address-list
add address=17.151.16.0/24 comment=time.apple.com list=list_ip_safe
add address=17.171.4.0/24 comment=time.apple.com list=list_ip_safe
add address=17.72.255.0/24 comment=time.euro.apple.com list=list_ip_safe
add address=193.204.114.105 comment=time.ien.it list=list_ip_safe
add address=193.204.114.232 comment=ntp1.ien.it list=list_ip_safe
add address=193.204.114.233 comment=ntp2.ien.it list=list_ip_safe
add address=65.55.21.0/24 comment=time.windows.com list=list_ip_safe
add address=77.242.192.0/23 comment=LogMeIn list=list_ip_safe
add address=91.189.94.4 comment=ntp.ubuntu.com list=list_ip_safe



/ip firewall address-list
add address=212.227.20.19 list=AAA_ip_virus
add address=217.160.140.127 list=AAA_ip_virus
add address=217.160.140.82 list=AAA_ip_virus
add address=82.165.25.167 list=AAA_ip_virus
add address=82.165.47.44 list=AAA_ip_virus
add address=87.255.51.229 list=AAA_ip_virus
add address=91.20.208.20 list=AAA_ip_virus
add address=93.170.88.0/21 comment=VISTNET list=AAA_ip_virus



/ip firewall address-list
add address=1.116.0.0/14 comment=SBL216702 list=AAA_ip_DROP
add address=101.192.0.0/14 comment=SBL201382 list=AAA_ip_DROP
add address=101.236.0.0/14 comment=SBL210658 list=AAA_ip_DROP
add address=101.248.0.0/15 comment=SBL204948 list=AAA_ip_DROP
add address=101.252.0.0/15 comment=SBL204949 list=AAA_ip_DROP
add address=103.10.68.0/22 comment=SBL131017 list=AAA_ip_DROP
add address=103.12.216.0/22 comment=SBL189607 list=AAA_ip_DROP
add address=103.16.76.0/24 comment=SBL209988 list=AAA_ip_DROP
add address=103.2.44.0/22 comment=SBL145400 list=AAA_ip_DROP
add address=103.246.72.0/22 comment=SBL145399 list=AAA_ip_DROP
add address=103.249.132.0/22 comment=SBL224069 list=AAA_ip_DROP

THIS IS ONLY AN EXTRACT OF AAA_ip_DROP BECAUSE THE LIST IS VERY LONG…

list_ip_blocked = address list of IPs manually/automatically added to be blocked
list_ip_safe = address list (or pool of address lists) of IPs that are surely safe, like 8.8.8.8, 192.168.0.0/24, etc.
AAA_ip_virus = list of IPs/pools of IPs used by viruses, from sources other than Spamhaus.
AAA_ip_DROP = Spamhaus DROP & EDROP lists of infected subnets. http://www.spamhaus.org/drop/

70.80.90.2 = Public IP address of the router.
ether1 = where the router is attached to Internet.

/ip firewall filter
add chain=input comment="Neighbor Discovery" dst-address=255.255.255.255 dst-port=5678 protocol=udp src-port=5678
add chain=input comment="MAC Telnet" dst-address=255.255.255.255 dst-port=20561 protocol=udp src-port=20561
add chain=input comment="Established" connection-state=established
add chain=input comment="Related" connection-state=related
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Drop RPC, NetBIOS and SMB" dst-port=111,135,137,138,139,445 protocol=tcp
add action=drop chain=input dst-port=111,135,137,138,139,445 protocol=udp
add chain=input comment="Accept traffic from the address list list_ip_safe" src-address-list=list_ip_safe
add action=drop chain=input comment="Drop traffic from the address list list_ip_blocked" src-address=!255.255.255.255 src-address-list=list_ip_blocked
add action=drop chain=input comment="Drop traffic from the address list DROP" src-address-list=AAA_ip_DROP
add action=drop chain=input comment="Drop traffic from the address list Virus" src-address-list=AAA_ip_virus

add action=jump chain=input comment="Start protecting Public IP" dst-address=70.80.90.2 in-interface=ether1 jump-target=input_gateway
add chain=input_gateway comment="ICMP" dst-address=70.80.90.2 in-interface=ether1 protocol=icmp
add chain=input_gateway comment="VPN by PPTP" dst-address=70.80.90.2 dst-port=1723 in-interface=ether1 protocol=tcp
add chain=input_gateway comment="GRE for PPTP" dst-address=70.80.90.2 in-interface=ether1 protocol=gre
add action=drop chain=input_gateway comment="Protecting RouterBOARD Services from Internet" dst-address=70.80.90.2 dst-port=20,21,22,23,53,80,443,8728,8729 in-interface=ether1 protocol=tcp src-address-list=!list_ip_safe
add action=drop chain=input_gateway dst-address=70.80.90.2 dst-port=53,67,68,69,123,161 in-interface=ether1 protocol=udp src-address-list=!list_ip_safe
add action=drop chain=input_gateway comment="Protecting RADIUS" dst-address=70.80.90.2 dst-port=1700,1812,1813,3799 in-interface=ether1 protocol=tcp src-address-list=!list_ip_safe
add action=drop chain=input_gateway dst-address=70.80.90.2 dst-port=1700,1812,1813,3799 in-interface=ether1 protocol=udp src-address-list=!list_ip_safe
add action=drop chain=input_gateway comment="Protecting DUDE" dst-address=70.80.90.2 dst-port=2210,2211 in-interface=ether1 protocol=tcp src-address-list=!list_ip_safe
add action=drop chain=input_gateway dst-address=70.80.90.2 dst-port=2210,2211 in-interface=ether1 protocol=udp src-address-list=!list_ip_safe
add action=drop chain=input_gateway comment="Protecting WinBox" dst-address=70.80.90.2 dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=!list_ip_safe
add chain=input_gateway comment="Accept WinBox (also from Internet if \"Protecting WinBox\" is enabled)" dst-address=70.80.90.2 dst-port=8291 in-interface=ether1 protocol=tcp
add action=drop chain=input_gateway comment="Drop connection try by TCP from Internet" connection-state=new dst-address=70.80.90.2 in-interface=ether1 protocol=tcp src-address-list=!list_ip_safe
add action=drop chain=input_gateway comment="Drop connection try by UDP from Internet" connection-state=new dst-address=70.80.90.2 in-interface=ether1 protocol=udp src-address-list=!list_ip_safe
add action=return chain=input_gateway comment="End protecting Public IP"

add chain=input comment="ICMP" protocol=icmp
add chain=input comment="VPN by PPTP" dst-port=1723 protocol=tcp
add chain=input comment="WinBox" dst-port=8291 protocol=tcp
add chain=input comment="GRE for PPTP" protocol=gre
add action=drop chain=input comment="Drop Unclassified"

add chain=forward comment="Neighbor Discovery" dst-address=255.255.255.255 dst-port=5678 protocol=udp src-port=5678
add chain=forward comment="MAC Telnet" dst-address=255.255.255.255 protocol=udp src-port=20561
add chain=forward dst-address=255.255.255.255 dst-port=20561 protocol=udp
add action=drop chain=forward comment="Attacks TCP flags and Port 0" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp
add action=drop chain=forward comment="Drop RPC, NetBIOS and SMB" dst-port=111,135,137,138,139,445 protocol=tcp
add action=drop chain=forward dst-port=111,135,137,138,139,445 protocol=udp
add action=drop chain=forward comment="Drop traffic from the address list list_ip_blocked" src-address=!255.255.255.255 src-address-list=list_ip_blocked
add action=drop chain=forward dst-address=!255.255.255.255 dst-address-list=list_ip_blocked
add action=drop chain=forward comment="Drop traffic from the address list DROP" src-address-list=AAA_ip_DROP
add action=drop chain=forward dst-address-list=AAA_ip_DROP
add action=drop chain=forward comment="Drop traffic from the address list Virus" src-address-list=AAA_ip_virus
add action=drop chain=forward dst-address-list=AAA_ip_virus
add chain=forward comment="Established" connection-state=established
add chain=forward comment="Related" connection-state=related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid

If someone uses my rules, please add Karma.
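The point that connection tracking makes unsolicited UDP replies droppable (rextended's "drop invalid" remark and the "Drop connection try by UDP from Internet" rule above) is easier to see in a small model. The following Python is an added example written for this thread, not rextended's configuration or RouterOS code: it keeps a toy UDP conntrack table, applies the same accept/drop ordering as the input rules, and counts dropped unsolicited replies per source port, which is the signal a defender would log on during a reflection flood. The router IP 70.80.90.2 and the NTP server 193.204.114.105 are taken from the post; the other addresses (203.0.113.0/24, TEST-NET-3) are constructed sample data.

```python
from collections import Counter, namedtuple

# direction is "out" (router/LAN -> WAN) or "in" (WAN -> router/LAN)
Packet = namedtuple("Packet", "direction proto src sport dst dport")

# Values from the thread; everything else in this file is constructed for the demo.
ROUTER_IP = "70.80.90.2"
NTP_SERVER = "193.204.114.105"
LIST_IP_SAFE = {NTP_SERVER}   # stands in for rextended's list_ip_safe


class UdpConntrack:
    """Minimal UDP connection tracking (a model, not RouterOS internals)."""

    def __init__(self):
        self.entries = set()  # (src, sport, dst, dport) of datagrams we sent

    def state(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            # Our own request: remember it so the matching reply is recognised.
            seen = key in self.entries
            self.entries.add(key)
            return "established" if seen else "new"
        # Inbound: a reply is 'established' only if we sent its exact mirror.
        return "established" if reverse in self.entries else "new"


def input_chain(pkt, ct):
    """Accept/drop decision with the same ordering as the input rules above:
    accept established, accept new from list_ip_safe, drop new UDP from the WAN."""
    if pkt.proto != "udp":
        return "accept"            # TCP/ICMP are outside this model
    st = ct.state(pkt)
    if st == "established":
        return "accept"
    if pkt.direction == "in" and pkt.src in LIST_IP_SAFE:
        return "accept"            # "src-address-list=!list_ip_safe" exemption
    if pkt.direction == "in":
        return "drop"              # "Drop connection try by UDP from Internet"
    return "accept"                # our own outbound request


def reflection_suspects(decisions, threshold=10):
    """Count dropped unsolicited inbound UDP per source port.

    A reflected flood comes from many servers but one service port
    (53, 123, 1900, ...), so a spike on a single source port with no
    matching state is what a defender should alert on."""
    per_port = Counter(
        p.sport for p, verdict in decisions
        if verdict == "drop" and p.direction == "in"
    )
    return {port: n for port, n in per_port.items() if n >= threshold}


def build_sample_traffic():
    """Constructed traffic: one real NTP exchange, one stray reply from a
    non-listed server, and 30 unsolicited DNS replies from 30 resolvers."""
    traffic = [
        Packet("out", "udp", ROUTER_IP, 40000, NTP_SERVER, 123),
        Packet("in", "udp", NTP_SERVER, 123, ROUTER_IP, 40000),        # genuine reply
        Packet("in", "udp", "203.0.113.7", 123, ROUTER_IP, 40001),     # never requested
    ]
    for i in range(30):
        traffic.append(Packet("in", "udp", f"203.0.113.{100 + i}", 53, ROUTER_IP, 5000 + i))
    return traffic


def run_demo():
    ct = UdpConntrack()
    decisions = [(p, input_chain(p, ct)) for p in build_sample_traffic()]
    accepted = sum(1 for _, v in decisions if v == "accept")
    dropped = sum(1 for _, v in decisions if v == "drop")
    return {"accepted": accepted, "dropped": dropped,
            "suspect_ports": reflection_suspects(decisions)}


if __name__ == "__main__":
    print(run_demo())   # {'accepted': 2, 'dropped': 31, 'suspect_ports': {53: 30}}
```

The genuine NTP reply is accepted because its reverse tuple exists in the table; the 31 replies nobody asked for are dropped, and only port 53 crosses the threshold, which is the pattern to feed into an address-list or log rule. Note that the list_ip_safe exemption means an unsolicited datagram from a listed server would still be accepted, so keep that list short.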

Is it beneficial for DDoS? Can I use it?

When you are the victim of a DRDoS attack there is nothing you can do on your router.
You can only lobby at the ISPs of the world to implement BCP 38 (source address filtering).
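BCP 38 is the ingress/egress source-address filtering the reply refers to: a network only lets packets out that carry its own source addresses, and never accepts packets from outside that claim one of its own addresses or a bogon. The Python below is an added example, not part of the thread, showing that check for both directions with the standard library ipaddress module. The prefix 70.80.90.0/24 is assumed to be the network's own public block (derived from the 70.80.90.2 router IP in the thread, checked on the WAN side after NAT); the bogon entries are a subset of rextended's list_ip_blocked; the sample sources are constructed.

```python
import ipaddress

# Assumed: the public prefix this network is allowed to originate traffic from.
OUR_PREFIXES = [ipaddress.ip_network("70.80.90.0/24")]

# Subset of list_ip_blocked from the thread: addresses that must never arrive from the WAN.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/5", "248.0.0.0/5",
)]


def in_any(addr, networks):
    return any(addr in net for net in networks)


def bcp38_verdict(direction, src):
    """direction: 'egress' = leaving towards the ISP, 'ingress' = arriving from the ISP."""
    addr = ipaddress.ip_address(src)
    if direction == "egress":
        # BCP 38 proper: a spoofed request for a reflector can never leave
        # this network if only our own source addresses are allowed out.
        return "accept" if in_any(addr, OUR_PREFIXES) else "drop-spoofed"
    if direction == "ingress":
        if in_any(addr, OUR_PREFIXES):
            return "drop-spoofed-own"   # our own address cannot come from outside
        if in_any(addr, BOGONS):
            return "drop-bogon"
        return "accept"
    raise ValueError(f"unknown direction {direction!r}")


def run_demo():
    """Constructed sample packets and their verdicts."""
    samples = [
        ("egress", "70.80.90.2"),       # our router, normal outbound traffic
        ("egress", "198.51.100.9"),     # forged source: would be an attack if let out
        ("ingress", "70.80.90.77"),     # our own address arriving from the WAN
        ("ingress", "127.0.0.1"),       # loopback from the WAN: bogon
        ("ingress", "193.204.114.105"), # ordinary Internet host (time.ien.it in the thread)
    ]
    return [(d, s, bcp38_verdict(d, s)) for d, s in samples]


if __name__ == "__main__":
    for direction, src, verdict in run_demo():
        print(f"{direction:8} {src:16} {verdict}")
```

The egress half is the part that stops a network from being the *origin* of a DRDoS (its hosts cannot impersonate the victim), which is why the reply says the fix lies with every ISP rather than with the victim's router; the ingress half is what rextended's list_ip_blocked rules already approximate.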

Can you explain more?