Hi to all…
I am interested whether anyone has any real-life experience with MikroTik and DDoS, and how MikroTik behaves while it is under DDoS. I know MikroTik is not a silver bullet, but I would like to know what it is capable of.
Is it better to get an appliance or to use server-grade x86 machines? How about Cloud Core Routers? How does it compare to some Cisco routers?
I have great experience with MikroTik in wireless and SOHO environments, but on this level I don't have any…
A big client of mine is thinking about switching to MikroTik in his datacentre, but I don't have any data to give him…
Thank you…
If you know what's going on, MikroTik is a “silver bullet”. Almost everything you want is possible. And if you know how the DDoS is affecting you, it's possible to stop it on a MikroTik.
Do you have real experience? Appliance or PC? What was the size of the attack that you were under?
Anyone else? Real-life experience?
Real-life experience from this thread: http://forum.mikrotik.com/t/ddos-story-or-warning-use-conection-limit-with-caution/49743/1
Anyway, use Cloud Core Routers for production environments and you don't have to worry about compatibility issues on x86 machines. Plus, the router has more ports.
Are your routers going to face the public internet to make you worry about DDoS attacks?
My real-life experience is very easy:
My 2 firewalls are RB1100AH; some DoS and DDoS attacks received: not one single crash in my network (only less bandwidth available, obviously).
No connection count on the firewall, only these rules:
http://forum.mikrotik.com/t/for-isp-how-to-really-block-invalid-icmp-tcp-udp-packets-and-others-ver-2021/75627/1
in addition to all services in ip/service disabled except for winbox (on a port other than the default 8291)
About DoS or DDoS generated inside my network:
Each CPE has inside its own Queue and Firewall for that purpose; on the wireless link and on my network, the traffic generated from the CPE must respect the bandwidth limit of the client, instead of traversing all the network and being queued from the Gateway.
rextended, thank you for your experience. What was the magnitude of the DDoS attack? How much bandwidth did you have, and how much bandwidth did the DDoS take?
I am also interested in a scenario where a LOT of small packets hit the Ethernet card, such that it would slow down the whole MikroTik. Would it be possible to access the MikroTik from another interface that is not under attack? For that scenario, is a PC or an appliance better?
Chupaka wrote about stopping some major DDoS some time ago. Try to find that post.
Thank you, I read that post, but that is one solution; I need some numbers, and was it a PC or an appliance…
I will PM him
Right:
On my rack:
2 x guaranteed 100Mbps bi-directional from MUX Milano (Milan) by InteRoute → cross connected on RB1100AH “A” and RB1100AH “B”
2 x guaranteed 100Mbps bi-directional from MUX Roma (Rome) by InteRoute → cross connected on RB1100AH “B” and RB1100AH “A”
4 x RB1100AHx2 “C/D/E/F” Gateway, each connected on both Router 1100AH “A/B”; the load balancing and failover happen here
1 x RB1100AHx2 “Spare” connected on each bypass of all RB1100AH / RB1100AHx2 (ether12) and directly to both Router “A/B”
Each Backbone starts from ether11 on “C/D/E/F” and has backup on ether10
2 x RB1200 “G/H” connected on all devices mentioned before, as DNS server 1 & 2 and NTP server 1 & 2
1 x RB1200 “I” for HotSpot services; if it fails, “Spare” takes control.
1 x Windows XP for logging, connected only on C/D/E/F/I/Spare
1 x x86 (RouterOS) for User Manager; if it fails, “D” takes charge (“D” has fewer users than the others), connected only on C/D/E/F/Spare
1 x Windows Server 2003 for some Websites, connected on both “A” and “B”
1 x Windows Server 2008 for backup of Websites [actually migrated one by one from 2003], on both “A” and “B”
Usually a DDoS or DoS attack does not block my network, because if one of the connections goes to full inbound, there are 3 other links with other ranges of IP addresses, fully working.
The DDoS takes all the inbound bandwidth.
Usually I call InteRoute, and they stop routing that type of traffic on my inbound fibre, and after that all goes back to normal.
My clients cannot notice if one of the 4 inbound fibres fails because it has reached the max throughput.
InteRoute is NOT forwarding traffic to another fibre if one of my 4 lines is busy from DDoS or disconnected. I want it this way.