sanka
just joined
Topic Author
Posts: 4
Joined: Mon Dec 18, 2017 12:44 pm

Forwarding DDoS

Wed Jan 17, 2018 10:57 pm

I use a MikroTik CCR1072 as network gateway; normally this device must forward 4 Gbps of traffic.
Today I have an issue:

- CPU utilization of 100% (registered via SNMP)
- router inaccessible
- port-channel that flaps (no evidence on the MikroTik device, but on the switch)
- doesn't forward traffic

The main cause: a DDoS against a router behind this gateway.

The size of the DDoS (registered by the anti-DDoS system) is 90 Mbps, 140000 pps, type UDP.

No firewall rule on chain forward, only rules to protect the CCR in the input chain.

In your opinion, is this normal for a CCR with an attack of 90 Mbps at 140k pps?

Any idea how to optimize the router?

Thanks
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Forwarding DDoS

Wed Jan 17, 2018 11:21 pm

Probably what happened was that the DDoS attack used randomized ports and IP addresses, which overloaded the connection state tracking table on the router. If you're not using any kind of stateful features, you can disable state tracking, which will reduce the load on the router in such situations in the future.
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: Forwarding DDoS

Thu Jan 18, 2018 9:34 pm

> Probably what happened was that the DDoS attack used randomized ports and IP addresses, which overloaded the connection state tracking table on the router. If you're not using any kind of stateful features, you can disable state tracking, which will reduce the load on the router in such situations in the future.

This may be the case; however, I'll speak from experience with the lovely DDoS we had. We don't use 1072s, just 1036s, and last year we were victims of lots of DDoS (well, our "amazing" customers were).

We had attacks ranging from 100 Mbps to 2 Gbps, from just 50 kpps to 400 kpps, randomized ports, SYN floods, UDP floods, TCP fragmentation attacks, you name it. Our edge routers never had CPU spikes like this; surely they went to around 40% - 45%, but that was it.

Our edge routers aren't just doing BGP (towards our RR and upstreams) and regular routing; they are actively polled by our NMS and are also constantly sending NetFlow data.

We had a great case where an internal 1 Gbps attack (from our customer to the Internet) got caught by one of the CCRs. The techs did a lovely thing: they had recently added like 200 queues, including one for the src-ip of this bad customer. The queue caught the traffic and shaped it to 30 Mbps (somehow they thought the edge routers were the ones enforcing our policies/limits...). The only reason I noticed this was because I had an alert in the NMS about this router going to 100% CPU. The reason was the queue; I removed the customer from the network and it went instantly to almost 0 load. I actually know it was the queue getting it to 100% load because I used the profile tool and it showed "queueing" as the culprit for the 100% CPU level.

We didn't lose access to the router at all, neither from Winbox nor SSH; the NMS didn't lose access to it, BGP stayed up, the port channels stayed up. This surprised me a lot (and basically it was like this for around 10 minutes).

I agree that you should remove connection tracking if you don't need it, but I don't feel this case is normal. Are you 100% sure the router wasn't doing something else?

I suppose the best way to know would be to try to "profile it" via the console port when this happens again (hopefully it won't...).
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Forwarding DDoS

Wed Jan 24, 2018 6:51 pm

@sanka: To prevent conntrack from tracking connections through the router, you can mark these packets as "no-track" in the raw table. See https://wiki.mikrotik.com/wiki/Manual:I ... Properties

@shaoranrch: I was under the impression that a single queue is processed by a single CPU core? Is that what you meant?
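The two mitigations suggested in this thread (ZeroByte: disable connection tracking outright; sebastia: exempt forwarded traffic via a notrack rule in the raw table) as a RouterOS console session. This is an added example, not configuration from any poster. The prefix 198.51.100.0/24 is a constructed placeholder for the subnet of the router behind the CCR that was the DDoS target, and the field names shown by `connection tracking print` are assumed from RouterOS 6.

```routeros
# Added example, not from the thread. 198.51.100.0/24 is a constructed
# placeholder for the attacked subnet behind the gateway.

# 1. Measure before changing anything: how full is the conntrack table?
#    (total-entries vs max-entries; field names assumed from RouterOS 6)
/ip firewall connection tracking print

# 2. Option A (ZeroByte): switch connection tracking off completely.
#    Only safe if the router does no NAT and has no connection-state= or
#    fasttrack rules, because all of those depend on conntrack.
/ip firewall connection tracking set enabled=no

# 3. Option B (sebastia): keep conntrack for the router's own services
#    (the input chain rules still work) but exempt the forwarded traffic.
#    Raw prerouting runs before conntrack, so matching packets never create
#    a table entry. Both directions are exempted so replies are not tracked
#    either; place-before=0 puts the rules at the top of the chain.
/ip firewall raw add chain=prerouting dst-address=198.51.100.0/24 action=notrack place-before=0 comment="no conntrack for traffic to attacked subnet"
/ip firewall raw add chain=prerouting src-address=198.51.100.0/24 action=notrack place-before=1 comment="no conntrack for replies from attacked subnet"

# 4. Verify: rule counters should climb during the flood, the table should
#    stop growing, and the profiler shows which task eats the CPU.
/ip firewall raw print stats
/ip firewall connection tracking print
/tool profile duration=10
```

Option B is the less invasive choice when the gateway still NATs or filters by connection state for its own management plane: only flows to and from the attacked prefix bypass the table, so a flood of random source ports cannot exhaust it, while everything else keeps stateful handling. Note that notracked flows also lose fasttrack and any forward-chain connection-state matching, so any such rules for that prefix would need to be stateless.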
