Stop and prevent DDoS attack

Hi guys,
My network was the victim of a DDoS attack. Fortunately the target was a router which doesn’t require a static IP, so I was able to “solve the issue” by replacing the IP address. However, I would like to be better prepared if this happens next time. I’m running BGP and have a firewall implemented on the routers.

Any suggestions on how to prevent and stop this kind of attack?

Thanks,

What type of DDoS was it? Give us more information.

I have the same problem. When the DDoS comes, I have 1.2 Gb internet and 1.2 Gb full usage starts. What type of DDoS is this?

No one has a crystal ball… Most probably it is a DNS amplification attack, but you should investigate yourself…

What you’re describing is most likely some kind of volumetric attack. See below for more detailed information:

http://www.cisco.com/c/en/us/about/security-center/guide-ddos-defense.html

Volumetric attacks are very difficult to defend against once they have reached your network. The most common types of mitigation include using the BGP blackhole community of your upstream provider or purchasing DDoS mitigation from your upstream provider.

I have seen some success with Layer 2 scrubbing boxes placed in between your BGP edge router and the BGP upstream. Here is an example of one.

http://www.serveru.us/en/
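The reply above recommends the upstream's BGP blackhole community. This is an added RouterOS v6 example, not configuration from the thread or from MikroTik, of how that announcement looks on the edge router. The victim address 192.0.2.10, the aggregate 203.0.113.0/24, the peer name "upstream" and the filter chain name "to-upstream" are placeholders; 65535:666 is the well-known BLACKHOLE community from RFC 7999, and your provider's published value may differ. Upstreams normally accept blackhole routes only for space you already announce to them, and only with the prefix length they specify.

```routeros
# Added example, not from the thread. RouterOS v6: announce one attacked /32 to the
# upstream with a blackhole community so the flood is dropped on their side.
# Placeholders: victim 192.0.2.10, aggregate 203.0.113.0/24, peer "upstream",
# chain "to-upstream". 65535:666 is the RFC 7999 BLACKHOLE community; replace it
# with the value your provider publishes if it differs.

# 1. Null-route the victim locally: the router stops forwarding the flood, and the
#    /32 now exists in the routing table, which the network entry below requires.
/ip route add dst-address=192.0.2.10/32 type=blackhole comment="DDoS victim - remove when attack ends"

# 2. Originate exactly that /32 (not just the covering aggregate) towards the peer.
/routing bgp network add network=192.0.2.10/32 synchronize=yes comment="DDoS blackhole /32"

# 3. Outbound filter: tag the /32 with the blackhole community and pass your normal
#    announcements unchanged. Rules are evaluated top to bottom, so the /32 rule must
#    come before any rule that discards host routes.
/routing filter add chain=to-upstream prefix=192.0.2.10/32 prefix-length=32 set-bgp-communities=65535:666 action=accept comment="blackhole tag"
/routing filter add chain=to-upstream prefix=203.0.113.0/24 action=accept comment="own aggregate (placeholder)"
/routing filter add chain=to-upstream action=discard comment="nothing else leaks to the upstream"

# 4. Attach the chain to the peer session.
/routing bgp peer set [find name=upstream] out-filter=to-upstream

# Check: the /32 should be listed here with the community attached.
/routing bgp advertisements print peer=upstream
```

While the blackhole is in place the victim address is unreachable from the internet by design; remove the route and the network entry once the flood stops, and confirm with the provider beforehand which community and prefix length they honour, since a /32 sent without the agreed community is usually just dropped by their inbound filters.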

I tried using the BGP blackhole community but can’t. Any example for this?

Hi,

I talked with them and they say that they can protect from all DDoS attacks? Do you have any experience with it? Or have you heard whether ServerU works well for DDoS?

Why don’t you try the approach that Wardner Maia showed us at the EU MUM?
http://mum.mikrotik.com/presentations/EU16/presentation_2960_1456752556.pdf

Hi Muqa,

Is it effective against DDoS?

Thanks.

1. Accept what you need only.
2. Drop all.
3. Be safe.
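One way to turn those three points into RouterOS v6 rules for the router's own input chain, as an added example that is not the poster's configuration. The management network 192.0.2.0/24, the BGP peer 198.51.100.1 and the list names are placeholders. As later replies in the thread point out, rules like these protect the router's CPU and services from traffic that reaches it; they do nothing once the uplink itself is saturated.

```routeros
# Added example, not from the thread. RouterOS v6 input-chain policy for the router
# itself: accept only what the router must answer, drop everything else.
# Placeholders: 192.0.2.0/24 (management network), 198.51.100.1 (upstream BGP peer).
# Order matters: put your own admin address in "mgmt" first or you lock yourself out.
/ip firewall address-list add list=mgmt address=192.0.2.0/24 comment="admin network"
/ip firewall address-list add list=bgp-peers address=198.51.100.1 comment="upstream peer"

/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to router-initiated traffic"
add chain=input connection-state=invalid action=drop comment="drop invalid state"
add chain=input protocol=icmp limit=50,5:packet action=accept comment="ICMP, rate limited"
add chain=input protocol=tcp dst-port=179 src-address-list=bgp-peers action=accept comment="BGP from configured peers only"
add chain=input src-address-list=mgmt action=accept comment="winbox/ssh/api only from the admin network"
add chain=input action=drop comment="drop everything else that reaches the router"

# The first guess in the thread was DNS amplification. Make sure the router cannot be
# used as a reflector: no recursion for the world, and the drop rule above already
# covers UDP/53 from anywhere but the admin network.
/ip dns set allow-remote-requests=no
```

Watch the counters on the final drop rule during normal operation before trusting the ruleset; a steadily climbing counter usually means a legitimate service was left out of the accept rules rather than an attack.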

hi,
Simple solution :) … Can you give me some example for the firewall?

Read the MUM presentation above.
You cannot stop a DDoS attack (well, at least the most common reflective/amplification attacks) by using firewall rules. Either your uplinks will get saturated or your CPU will before you stop anything.
The attack has to be stopped before it reaches your router, i.e. on your upstream provider(s).
That’s where the BGP blackhole community comes into play, as is very nicely explained in the presentation.

Unless the attack is small enough that it doesn’t saturate your uplink(s), then you may be able to drop the incoming flood using the firewall (by essentially absorbing the attack).
Depending on your routers, they may not be able to handle the Mbps and/or pps though, so eventually you may have to null route (blackhole) the IP being attacked.

In any case, DDoS mitigation is not that simple. There are numerous types of DDoS attacks that require different approaches to stop them. And when you talk about volumetric attacks then you can’t do much without blocking the attack on your upstream provider (or on your upstream’s upstream provider).

There isn’t a simple ‘copy/paste’ config to prevent them.
You need to study them, understand how they work before you can try to mitigate them.

Thanks for your reply,

I’m new and don’t have enough experience. As you said, I should study more and need some experts’ help. Sometimes they send too many packets to 3-4 IPs and sometimes they send traffic, I think, because my WAN traffic became full… I try to torch the WAN interface to find which IP, and send it to my upstream provider’s blackhole. Can we find any device or something like an auto-blackhole script? What can we do with MikroTik? Or without MikroTik?
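An added RouterOS v6 script, not from the thread, that does the "torch the WAN interface and find which IP" step in a form the scheduler can run: it uses /ip accounting instead of torch, sums bytes per destination since the previous snapshot, and when one address exceeds a threshold it logs it and puts it on an address list for review. The threshold value, the list name "ddos-candidates" and the script name "flood-check" are assumptions. It deliberately stops short of adding the blackhole route or the upstream announcement itself, so a person still confirms the target before anything is null-routed.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 and that this source is
# saved and scheduled as:
#   /system script add name=flood-check source=...
#   /system scheduler add name=flood-check interval=1m on-event=flood-check
# Bytes to a single destination per run above this value are flagged. 60 s at
# ~800 Mbps is about 6 GB, so 6000000000 roughly means "most of a 1 Gbps uplink".
:local limitBytes 6000000000
:local listName "ddos-candidates"

# Snapshot all flows seen since the previous snapshot. threshold= is the number of
# flow entries kept; a flood from many sources needs a large table.
# account-local-traffic=yes also counts traffic aimed at the router itself.
/ip accounting set enabled=yes threshold=8192 account-local-traffic=yes
/ip accounting snapshot take

# Sum bytes per destination address (array keyed by the IP as a string).
:local totals [:toarray ""]
:foreach e in=[/ip accounting snapshot find] do={
    :local dst [:tostr [/ip accounting snapshot get $e dst-address]]
    :local b [/ip accounting snapshot get $e bytes]
    :if ([:typeof ($totals->$dst)] = "nil") do={
        :set ($totals->$dst) $b
    } else={
        :set ($totals->$dst) (($totals->$dst) + $b)
    }
}

# Find the destination that received the most traffic in this interval.
:local topDst ""
:local topBytes 0
:foreach k,v in=$totals do={
    :if ($v > $topBytes) do={
        :set topDst $k
        :set topBytes $v
    }
}

# Flag it for a human to confirm before any blackhole route or upstream announcement
# is made; the list entry expires on its own if nobody acts on it.
:if ($topBytes > $limitBytes) do={
    :log warning ("flood-check: " . $topDst . " received " . $topBytes . " bytes since last run")
    :if ([:len [/ip firewall address-list find list=$listName address=$topDst]] = 0) do={
        /ip firewall address-list add list=$listName address=$topDst timeout=1h comment="possible DDoS target - review before blackholing"
    }
}
```

Run it by hand a few times during normal traffic first and look at the logged byte counts, so the threshold sits well above your real peaks; otherwise a busy download host ends up on the list next to the actual victim.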

No experience and wanting to have everything automated. Well. First you need to understand what is going on and how it works. Then you can try to think about an automation.

Good answer…