anav
Forum Guru
Topic Author
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Rate Limiting new connections

Tue Jul 16, 2019 7:13 pm

• Rate-limiting for each new TCP connection
• Rate-limiting for each new UDP connection

How do these configuration setups prevent attacks on one's router?
What are the drawbacks?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Rate Limiting new connections

Tue Jul 16, 2019 8:45 pm

that's a wide subject...

the mechanics
* limit (https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter) will match as long as the conditions as specified are met. And so it needs to be followed by a rule for "when not".
* it's only one of the conditions and needs others to be useful, ex: connection-state=new / tcp.flag=syn + limit => control the new connection rate to some resource
* it's a condition and available in all 4 tables (raw, nat, mangle, filter)

you can use it to impose all kinds of rate limiting, not only "new"

UDP is connectionless (https://en.wikipedia.org/wiki/User_Datagram_Protocol); there is no state (state within RouterOS is based on its own tracking (first/last seen + timeouts), not supported by the protocol).
TCP is connection oriented and state is supported by the protocol.

Limiting UDP works, but the TCP apparently not so much, see viewtopic.php?f=2&t=126354
But that also depends on where it's applied: if in "filter", a lot of logic will already be performed on that packet. If in "raw" with "tcp.flags=syn", nothing else except "hotspot-in"
(https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6)
 
anav
Forum Guru
Topic Author
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Rate Limiting new connections

Wed Jul 17, 2019 3:17 am

Let me rephrase the question. If the advice was solid and logical then it would be in everyone's config! It's not in the basic firewall config from the vendor and I have not really seen much interest expressed in this approach, so does it have limited scope?
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Rate Limiting new connections

Wed Jul 17, 2019 12:25 pm

The default SOHO config doesn't allow any traffic initiated from outside. So if not hosting anything, it's not needed.

If internal resources are accessible, then it might be sensible to do such limiting, if the resource is sensitive.
So no silver bullet, and "it depends".

Update: I assume a "trust" in the internal network, so no limiting there. Depending on how much / little one controls the network, limiting might be relevant, ex: a guest network.
 
anav
Forum Guru
Topic Author
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Rate Limiting new connections

Thu Jul 18, 2019 1:23 am

Awesome, so on a closed system it's not really required.
If I have port forwarding selected then it may be smart for me to rate limit the traffic/access to those devices (currently limited by access list, and the devices require password login etc.).
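The mechanics sebastia describes (a "limit" matcher paired with a "when not" rule, applied to new TCP/UDP connections, in either filter or raw) written out for anav's port-forwarding case. This is an added example, not a config from the thread or from MikroTik's defaults; the interface list "WAN", the forwarded host 192.168.88.10 and the ports 443/5060 are placeholders.

```routeros
# Added example, not from the thread. Placeholders: interface list "WAN",
# port-forwarded host 192.168.88.10, service ports 443 (TCP) and 5060 (UDP).

# Filter-table variant: connection tracking has already run, so
# connection-state=new is available. "limit" matches only while the rate
# is within bounds, so it must be followed by the "when not" rule.
/ip firewall filter
add chain=forward in-interface-list=WAN connection-state=new protocol=tcp \
    dst-address=192.168.88.10 dst-port=443 limit=20,50:packet action=accept \
    comment="new TCP to forwarded host: up to 20/s, burst 50"
add chain=forward in-interface-list=WAN connection-state=new protocol=tcp \
    dst-address=192.168.88.10 dst-port=443 action=drop \
    comment="new TCP to forwarded host: over the limit"

# UDP carries no state of its own; RouterOS still tracks it by first/last
# seen plus timeouts, so connection-state=new works for it as well.
add chain=forward in-interface-list=WAN connection-state=new protocol=udp \
    dst-address=192.168.88.10 dst-port=5060 limit=10,20:packet action=accept \
    comment="new UDP to forwarded host: up to 10/s, burst 20"
add chain=forward in-interface-list=WAN connection-state=new protocol=udp \
    dst-address=192.168.88.10 dst-port=5060 action=drop \
    comment="new UDP to forwarded host: over the limit"

# Raw-table variant: runs before connection tracking and before DNAT, so
# connection-state is not usable and the packet still has its public-side
# destination; match the pure SYN (syn set, ack clear) on the public port
# instead. Excess is dropped before conntrack and the filter chain see it.
/ip firewall raw
add chain=prerouting in-interface-list=WAN protocol=tcp tcp-flags=syn,!ack \
    dst-port=443 limit=20,50:packet action=accept \
    comment="SYN to forwarded port: within rate"
add chain=prerouting in-interface-list=WAN protocol=tcp tcp-flags=syn,!ack \
    dst-port=443 action=drop \
    comment="SYN to forwarded port: excess dropped before conntrack"
```

The limit bucket belongs to the rule, not to each source address, so one noisy client can exhaust it for everyone; that is the drawback to weigh against the protection it gives a forwarded host.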
