Script Request - Flooding

Dear Sir,

We are facing an issue of flooding, so I need a script in which, if any user request comes more than 10 times, or for example 50 times in 10 sec or in 1 sec, that MAC address should be required to be in the firewall.

So is there any rule or script which can help me prevent flooding?

Nishit

Your message asks how to block traffic by MAC, though I’m not certain why you wouldn’t filter by IP.

If you are looking to filter by IP see the writeup on DDoS Detection for ideas: http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking

If you are looking to filter by MAC, then you will need a script to further process the results produced, similar to the above:

  • create a firewall filter rule that contains the matcher criteria you require (e.g. connection-limit, limit, dst-limit or psd) with an action=add-src-to-address-list
/ip firewall filter
# dst-limit matches while the rate is still within the limit, so return from a detection chain under the limit and list the source only once it is exceeded
add chain=input connection-state=new in-interface=ether1 action=jump jump-target=detect-flood
add chain=forward connection-state=new in-interface=ether1 action=jump jump-target=detect-flood
add chain=detect-flood dst-limit=32,32,src-and-dst-addresses/10s action=return
add chain=detect-flood action=add-src-to-address-list address-list=FloodIP address-list-timeout=30m
  • create a scheduler script to process the address-list entries and convert them into firewall filters for each MAC address; schedule it at a frequency that meets your needs (maybe 1 minute). It contains:
:foreach entry in=[/ip firewall address-list find list=FloodIP] do={
   :local ip [/ip firewall address-list get $entry address]
   # resolve the IP to a MAC through the ARP table; skip entries with no ARP record
   :local arpid [/ip arp find address=$ip]
   :if ([:len $arpid] > 0) do={
      :local mac [/ip arp get $arpid mac-address]
      # the hour is the first two characters of HH:MM:SS; :tonum makes "08" compare as 8
      :local currenthour [:tonum [:pick [/system clock get time] 0 2]]
      # remove the block two hours from now, wrapping past midnight
      :local cleanuphour ($currenthour + 2)
      :if ($currenthour > 21) do={ :set cleanuphour ($currenthour - 22) }
      /ip firewall filter add chain=input action=drop in-interface=ether1 src-mac-address=$mac comment="Remove at hour: $cleanuphour"
      /ip firewall filter add chain=forward action=drop in-interface=ether1 src-mac-address=$mac comment="Remove at hour: $cleanuphour"
   }
   /ip firewall address-list remove $entry
}
  • create another scheduler script to clean up the firewall MAC filter entries (lest the filter list grow too large; additional filters will be created automatically if the flood is still active); schedule it for the beginning of every hour. It contains:
# the comment stores the hour as a plain number, so convert the current hour the same way
:local currenthour [:tonum [:pick [/system clock get time] 0 2]]
/ip firewall filter remove [find comment="Remove at hour: $currenthour"]

The above examples are not complete; you still need to update them with the correct matching criteria, list names, etc. The MAC-address method seems overly complex and resource intensive. A strong justification for why this is more important than IP filtering would need to be considered.
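As a complete, pasteable version of the three steps in the reply above, here is an added example that is not part of the original post or of the MikroTik wiki page. It assumes ether1 is the flooded interface (if ether1 is a bridge port, the ARP lookup must use the bridge name instead), FloodIP as the list name, the same 32-new-connections-per-10-seconds threshold, and that the flooding hosts sit directly on ether1's segment: a source MAC only survives one L2 hop, so MAC filtering cannot reach hosts behind another router. Unlike the snippets above it keeps the address-list entry alive and uses its address-list-timeout as the block lifetime, so the cleanup step no longer depends on hour arithmetic. The script name flood-mac-sync and the comment layout "flood-mac <mac> <ip>" are my own choices.

```routeros
# Added example, not from the original post. Assumes: flooded interface ether1,
# address list FloodIP, a 30 minute block lifetime, script name flood-mac-sync.

# 1. Detection. dst-limit matches traffic that is still within the rate, so the
#    detection chain returns while under the limit and lists the source address
#    only for the packets that exceed it (the pattern used on the DDoS wiki page).
/ip firewall filter
add chain=input connection-state=new in-interface=ether1 action=jump jump-target=detect-flood
add chain=forward connection-state=new in-interface=ether1 action=jump jump-target=detect-flood
add chain=detect-flood dst-limit=32,32,src-and-dst-addresses/10s action=return
add chain=detect-flood action=add-src-to-address-list address-list=FloodIP address-list-timeout=30m

# 2. Sync script, run by the scheduler every minute. For each listed IP it adds
#    a src-mac-address drop rule once (idempotent), placed before the detection
#    jump so a blocked host stops being counted; it then removes every MAC rule
#    whose address-list entry has timed out. The comment "flood-mac <mac> <ip>"
#    is the only state, so each rule can always be traced back to its IP.
/system script
add name=flood-mac-sync source={
    :foreach entry in=[/ip firewall address-list find list=FloodIP] do={
        :local ip [/ip firewall address-list get $entry address]
        :local arpid [/ip arp find address=$ip interface=ether1]
        # no ARP record (host not on ether1, or already gone): nothing to block by MAC
        :if ([:len $arpid] > 0) do={
            :local mac [/ip arp get $arpid mac-address]
            :local tag "flood-mac $mac $ip"
            :if ([:len [/ip firewall filter find comment=$tag]] = 0) do={
                :foreach ch in={"input";"forward"} do={
                    /ip firewall filter add chain=$ch action=drop in-interface=ether1 src-mac-address=$mac comment=$tag place-before=[/ip firewall filter find chain=$ch jump-target=detect-flood]
                }
                :log warning "flood: blocking $mac ($ip) on ether1 for 30m"
            }
        }
    }
    # Expire: "flood-mac " is 10 characters and a MAC is 17, so the IP starts at offset 28
    :foreach rule in=[/ip firewall filter find where comment~"^flood-mac "] do={
        :local cmt [/ip firewall filter get $rule comment]
        :local ip [:pick $cmt 28 [:len $cmt]]
        :if ([:len [/ip firewall address-list find list=FloodIP address=$ip]] = 0) do={
            /ip firewall filter remove $rule
        }
    }
}

# 3. Scheduler entry that runs the script once a minute.
/system scheduler
add name=flood-mac-sync interval=1m on-event=flood-mac-sync
```

Check the result with `/ip firewall filter print where comment~"^flood-mac "` and `/log print where message~"^flood:"`. Two caveats apply to any MAC-based block: the ARP table the script trusts can be poisoned by a host on the same segment, and a flooder can simply change its MAC, at which point a fresh address-list entry and a fresh rule appear; the IP-based approach on the wiki page has neither weakness and needs no script.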