Rate Limiting new connections

• Rate-limiting for each new TCP connection
• Rate-limiting for each new UDP connection

How do these configuration setups prevent attacks on one's router?
What are the drawbacks?

that’s a wide subject…

the mechanics

  • limit (https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter) will match as long as the conditions specified are met, and so needs to be followed by a rule for “when not”.
  • it’s only one of the conditions and needs others to be useful, e.g.: connection-state=new / tcp-flags=syn + limit => control new connection rate to some resource
  • it’s a condition and available in all 4 tables (raw, nat, mangle, filter)

you can use it to impose all kinds of rate limiting, not only “new”

UDP is connectionless (https://en.wikipedia.org/wiki/User_Datagram_Protocol): there is no state (state within RouterOS is based on its own tracking (first/last seen + timeouts), not supported by the protocol)
TCP is connection-oriented and state is supported by the protocol

Limiting UDP works, but the TCP apparently not so much, see http://forum.mikrotik.com/t/tcp-syn-flood-attack-causing-high-cpu/112864/1
But that also depends on where it’s applied: if in “filter”, a lot of logic will already be performed on that packet. If in “raw” with “tcp-flags=syn”, nothing else except “hotspot-in”
(https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6)
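To make the mechanics above concrete, here is an added example of the two rule pairs being discussed (a TCP SYN limit in “raw”, a UDP new-connection limit in “filter”), each followed by its “when not” rule. This is not configuration from the thread or from MikroTik’s default firewall; it assumes an interface list named WAN exists, and the ports (443, 51820) and the rate/burst values are constructed for illustration.

```routeros
# Added example, not from the thread. Assumes RouterOS with an interface
# list named "WAN"; ports and rate/burst values are constructed.

# TCP: match only the SYN that opens a connection, in "raw" so the excess is
# dropped before connection tracking and the rest of the firewall ever see it.
# "limit" matches only while the rate stays within 50 packets/s (burst 20);
# the rule right after it is the "when not" rule for everything above that.
/ip firewall raw
add chain=prerouting in-interface-list=WAN protocol=tcp tcp-flags=syn,!ack dst-port=443 limit=50/1s,20:packet action=accept comment="new TCP to forwarded HTTPS: within rate"
add chain=prerouting in-interface-list=WAN protocol=tcp tcp-flags=syn,!ack dst-port=443 action=drop log=yes log-prefix="syn-rate" comment="new TCP to forwarded HTTPS: above rate, dropped and logged"

# UDP: the protocol has no state, so "new" here only means RouterOS's own
# tracking has not seen this flow recently. connection-state exists only after
# tracking, i.e. in filter/nat/mangle, not in raw. Keep this pair above any
# rule that would otherwise accept the forwarded traffic.
/ip firewall filter
add chain=forward in-interface-list=WAN protocol=udp dst-port=51820 connection-state=new limit=100/1s,50:packet action=accept comment="new UDP to forwarded VPN port: within rate"
add chain=forward in-interface-list=WAN protocol=udp dst-port=51820 connection-state=new action=drop log=yes log-prefix="udp-rate" comment="new UDP to forwarded VPN port: above rate, dropped and logged"
```

Two things to check before relying on this: rule order (the drop rule must directly follow the limit rule, and both must sit above the usual “accept established,related” and port-forward accept rules), and the scope of the counter, since limit keeps one bucket per rule, so a single noisy source exhausts the budget for everyone; dst-limit with per-source-address buckets is the matcher to use when per-client fairness matters. The log prefixes give a cheap signal of when the limit is actually being hit.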

Let me rephrase the question. If the advice was solid and logical then it would be in everyone’s config! It’s not in the basic firewall config from the vendor and I have not really seen much interest expressed in this approach, so does it have limited scope?

Default SOHO config doesn’t allow any traffic initiated from outside. So if not hosting anything, it’s not needed.

If internal resources are accessible, then it might be sensible to do such limiting, if the resource is sensitive.
So no silver bullet, and “it depends”.

Update: I assume “trust” in the internal network, so no limiting there. Depending on how much / little one controls the network, limiting might be relevant, e.g. a guest network.

Awesome, so on a closed system it’s not really required.
If I have port forwarding selected then it may be smart for me to rate-limit the traffic/access to those devices (currently limited by an access list, and the devices require password login, etc.).