Using Scripting Anti DDOS!

Hello.

I have a good idea to reduce DDoS attacks on RouterOS.

When a DDoS attack is happening, the IP->Firewall->Connections count from one src-address increases very fast (more than 100 connections per second); it pushes CPU usage up to 99%!

My solution is to write a script which checks CPU usage; when CPU goes up to 90%, then check the connection count from every src-address, find out which address is the largest one, and push it into black_list!!

The problem I have is:

How to check the connection count from every src-address using scripting???
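The following RouterOS script is an added example, not code posted by anyone in this thread. It does what the post describes: once CPU load crosses a threshold, it walks the IPv4 connection table, tallies entries per source IP (the src-address field carries an "ip:port" pair, so the port is cut off), and adds the single busiest source to an address-list. The threshold, the list name, the timeout and the use of `/ip firewall connection` for IPv4 only are assumptions. Note that the `:foreach` over the whole table is itself expensive on a router that is already at high load.

```routeros
# Added example (not from the thread). Assumptions: threshold of 90% CPU,
# address-list named "black_list", 1h timeout, IPv4 connection table only.
:local threshold 90
:local cpu [/system resource get cpu-load]
:if ($cpu >= $threshold) do={
    # counts is an associative array: source IP -> number of connections
    :local counts [:toarray ""]
    :foreach c in=[/ip firewall connection find] do={
        # src-address looks like "192.168.1.5:51234"; keep only the IP part
        :local src [/ip firewall connection get $c src-address]
        :local ip [:pick $src 0 [:find $src ":"]]
        :if ([:typeof ($counts->$ip)] = "nil") do={
            :set ($counts->$ip) 1
        } else={
            :set ($counts->$ip) (($counts->$ip) + 1)
        }
    }
    # pick the source with the most connections
    :local worst ""
    :local max 0
    :foreach ip,n in=$counts do={
        :if ($n > $max) do={
            :set max $n
            :set worst $ip
        }
    }
    :if ($max > 0) do={
        /ip firewall address-list add list=black_list address=$worst timeout=1h \
            comment=("auto: " . $max . " connections at cpu " . $cpu . "%")
        :log warning ("cpu " . $cpu . "% - added " . $worst . " to black_list (" . $max . " connections)")
    }
}
```

Run it from the scheduler (for example every 30 seconds) and pair it with a filter rule that drops or tarpits `src-address-list=black_list`; a quick manual check of the same figure for one address is `/ip firewall connection print count-only where src-address~"^192.168.1.5:"`. Because the script blacklists only one address per run, a flood spread across many sources will not be contained this way.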

Read the Wiki article about ‘connection-limit’:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
But in case of a DDoS your router is attacked from many different addresses :frowning:

Regards, Grzegorz.

I hope mrz will post about the scripting aspect, but general ideas about DoS: http://wiki.mikrotik.com/wiki/DoS_attack_protection

A script will be too slow to check thousands of connection table entries, especially if CPU usage is already at 90%.
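The rules below are an added example, not configuration posted in this thread; they follow the structure of the DoS_attack_protection wiki page linked above and need no script. `connection-limit=100,32` matches once a single /32 source holds more than 100 concurrent TCP connections; the match moves that source to an address-list, and a second rule tarpits everything from listed sources, which holds the attacker's connections open cheaply instead of dropping them. The limit values, list name and timeout are assumptions to adjust for your link.

```routeros
# Added example (not from the thread). Assumptions: limit of 100 concurrent
# TCP connections per /32, list name "ddos-blocked", 1 day timeout.
/ip firewall filter
# 1) sources already on the list get tarpitted before anything else
add chain=input protocol=tcp src-address-list=ddos-blocked \
    action=tarpit comment="tarpit known flooders (cheap to hold, no drop)"
# 2) any source exceeding the concurrent-connection limit is listed for a day
add chain=input protocol=tcp connection-limit=100,32 \
    action=add-src-to-address-list address-list=ddos-blocked \
    address-list-timeout=1d comment="more than 100 concurrent TCP from one /32"
# 3) the same pair for traffic passing through the router, if needed
add chain=forward protocol=tcp src-address-list=ddos-blocked action=tarpit
add chain=forward protocol=tcp connection-limit=100,32 \
    action=add-src-to-address-list address-list=ddos-blocked \
    address-list-timeout=1d
```

Place the pair near the top of the chain so listed sources are handled before expensive rules. To see who is being caught: `/ip firewall address-list print where list=ddos-blocked`, and the per-rule counters in `/ip firewall filter print stats` show whether the limit is firing.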

Hi,

Two weeks ago one of my customers was the target of a DDoS attack.
They have a 2Mbit DSL line and an RB750.
The firewall is configured so that every unwanted connection from the WAN side is tarpitted, not dropped.
During four hours there were over one million connections from WAN.
Max CPU load was 9%, available RAM ~50%.
In this battle MikroTik was a winner :smiley:

Regards, Grzegorz.

I want to explain why I want to use scripting to solve a DDoS attack from the intranet!

When a DDoS is happening, I could check the connection table manually, then put the MAC address in the black list and drop it!

So I think that if I could solve it manually, why not make the RouterBoard solve it automatically?

Let me show my graphs:
[graph: monthly.gif]

@maozilee
A DDoS attack from the intranet :open_mouth:
Why won’t you limit connections per user?

Regards, Grzegorz.

You could try to limit connections per user in a RouterOS hotspot and non-authenticated (just a redirect to the login page, a web DoS attack!) environment.

I have tried many times, it doesn’t work well!

And a script will just help the attackers to saturate the CPU.

Protection from DoS and DDoS should be permanent and at least help a bit, not load the system even more.