Hello,
Firstly, I’m using ROS for basic routing on my private network; thanks to the developers for this wonderful software.
Question:
Is it possible with RouterOS to detect and block SYN floods received from spoofed IP addresses without having the normal traffic to the target host blocked? If so, how? (Please share filter rules.)
Because:
My firewall configuration can block SYN attacks from a single source with no problems.
But lately, I’m receiving 10~15k SYN packets at ~20Mbit/s, each from a different (spoofed) IP address (yes, there are about 10k spoofed IPs). The only thing I can do is to drop the attacks by rate (dst-)limiting, eventually making any connections to the target host impossible, thus it becomes unreachable.
If the attacks are not dropped, they can cause the router's CPU usage to go up to 100%, then timeouts occur. In both situations the attacker gets what he/she desires.
Do I have to buy one of those expensive firewalls in order to prevent this kind of attack? (Please say no)
Any help or suggestions would be appreciated.
Thanks in advance.