I’ve never been attacked but I’m trying to keep it that way. We are an ISP with about 1500 current customers, many of whom have email servers and web servers that they run. So when I plugged in the default limit of 400 the logs went crazy! Even at 2000 some of my customers were exceeding that. So a couple of questions. Should that be normal traffic or do these customers have some issues?
Also, if I set it at say 3000 so their traffic remains the same and the logs don’t show any excessive connections, is that too high to protect from an attack? I’m using an RB1100ahx2 as my main router. I’m not trying to protect customers, I’m trying to protect infrastructure so if one customer gets attacked we don’t all go down. Am I going about this the right way?
It’s not unusual for clients running torrent applications to have many hundreds of connections. Can you post an export of your exact configuration? It sounds as if you might be limiting on an entire range rather than a single IP.
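The range-versus-single-IP effect suggested in the reply above, as an added example that is not part of the original thread. It assumes the limit is counted per source address block of a given prefix length; the addresses (documentation range 203.0.113.0/24), the per-host connection counts and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

LIMIT = 400  # the default limit mentioned in the thread


def blocks_over_limit(sources, limit, prefix_len):
    """Group source addresses into blocks of prefix_len bits and
    return the blocks whose connection count exceeds the limit."""
    counts = Counter(
        ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        for src in sources
    )
    return {str(net): n for net, n in counts.items() if n > limit}


def build_sample():
    """Constructed connection table: 60 ordinary customers with 30
    connections each, plus one host holding 450 connections."""
    sources = []
    for host in range(1, 61):
        sources += [f"203.0.113.{host}"] * 30
    sources += ["203.0.113.200"] * 450
    return sources


def compare():
    """Evaluate the same limit per /24 block and per single IP (/32)."""
    sources = build_sample()
    per_range = blocks_over_limit(sources, LIMIT, 24)
    per_host = blocks_over_limit(sources, LIMIT, 32)
    return per_range, per_host


if __name__ == "__main__":
    per_range, per_host = compare()
    # Counted per /24, the whole customer block trips the limit together.
    print("per /24:", per_range)
    # Counted per /32, only the single heavy host is flagged.
    print("per /32:", per_host)
```

With the limit counted per /24, 60 ordinary customers are enough to exceed 400 between them; counted per /32, the same traffic flags only the one heavy host.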
I think you got it! I set up the firewall rule based on the above web site. What do I set to make the settings per IP? Would that be under the per connection classifier?
I’ve had more than my fair share of ISP-level DDoS attacks, SYN floods, etc.
You would be a very happy man if your ISP gave you a level of dropping the packets before forwarding to you, but I’ve seen “individuals” just smash the router the ISP uses, and take out the whole ISP.
My best advice is, TRY your best not to get on the bad side of these people, because it’s extremely hard to battle.
My personal advice is SYN cookies, disable ICMP for outbound; hopefully they may get the hint sometimes your server is not responding,
because they almost always send a constant ping to you to monitor their own handiwork and see if you went down.
They usually target services to hope to consume resources. Sometimes it’s better to have a separate router to take the brunt of the attack, and maybe have a secondary link to your “server”?
This can prove a little frustrating to them; if you appear too hard they will move on.