As Mikrotik doesn’t want to support Flow-Spec, I’m looking into what we can do to work around that.
How scalable are address-lists? Say I have a DDoS detection appliance that drops offending IPs into an address list. Say it puts 10k, 100k, 500k IPs in there during an attack. Would ROS on a reasonable platform handle it well? It’d be going to a firewall rule similar to:
/ip firewall raw
add action=drop chain=prerouting dst-port=53 protocol=udp src-address-list=UDP_53
I don’t know specifically what actions as I haven’t implemented the detection appliance yet to know exactly how it would classify each attack and thus how to mitigate. I’d have one of these for each type of attack.
- syn_flood: TCP packets with enabled SYN flag
- udp_flood: flood with UDP packets (so recently in result of amplification)
- icmp flood: flood with ICMP packets
- ip_fragmentation_flood: IP packets with MF flag set or with non zero fragment offset
- DNS amplification
- NTP amplification
- SSDP amplification
- SNMP amplification
Would a CCR1036-8G-2S+ or CCR1072-1G-8S+ be sufficient or am I looking at CHR on a stout x86 box? I would already have CHRs up for the main routing. I’d likely have these scrubbing boxes setup on the side and trigger a new route from the PEs to the scrubbing boxes for the affected IPs. Other traffic would pass through the normal paths to their destinations, without the encumbrance of the scrubbing box.