satish143 (Frequent Visitor, Topic Author)

Block DDoS on Prerouting chain on firewall

Fri Feb 26, 2016 9:01 pm

We are getting lots of IP fragmentation style DDoS; the packets are marked with MF (more fragments flag) and the MikroTik is super busy reassembling packets. CPU is at 100% at that time.

Is there a way I can block or stop IP fragmented packets with the MF bit in the prerouting chain? But the prerouting chain doesn't support the "drop" action. Why doesn't prerouting have "drop"?

Or is there any other solution to stop this kind of attack?
 
ZeroByte (Forum Guru)

Re: Block DDoS on Prerouting chain on firewall

Fri Feb 26, 2016 9:11 pm

You could make action=mark-packet new-packet-mark=dropme

and then in the filter table:
chain=input packet-mark=dropme action=drop
chain=forward packet-mark=dropme action=drop

Do be aware that this could break other things that legitimately have packet fragmentation along the path.
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Fri Feb 26, 2016 9:49 pm

> You could make action=mark-packet new-packet-mark=dropme
>
> and then in the filter table:
> chain=input packet-mark=dropme action=drop
> chain=forward packet-mark=dropme action=drop
>
> Do be aware that this could break other things that legitimately have packet fragmentation along the path.

Is there a way I can mark only packets with the "MF" flag in prerouting? How do I filter fragmented packets in the prerouting chain?
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Sat Feb 27, 2016 9:08 pm

> > You could make action=mark-packet new-packet-mark=dropme
> >
> > and then in the filter table:
> > chain=input packet-mark=dropme action=drop
> > chain=forward packet-mark=dropme action=drop
> >
> > Do be aware that this could break other things that legitimately have packet fragmentation along the path.
>
> Is there a way I can mark only packets with the "MF" flag in prerouting? How do I filter fragmented packets in the prerouting chain?

Anybody who can help?
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Mon Feb 29, 2016 4:24 pm

> > > You could make action=mark-packet new-packet-mark=dropme
> > >
> > > and then in the filter table:
> > > chain=input packet-mark=dropme action=drop
> > > chain=forward packet-mark=dropme action=drop
> > >
> > > Do be aware that this could break other things that legitimately have packet fragmentation along the path.
> >
> > Is there a way I can mark only packets with the "MF" flag in prerouting? How do I filter fragmented packets in the prerouting chain?
>
> Anybody who can help?

Any solution?
 
dada (Member Candidate)

Re: Block DDoS on Prerouting chain on firewall

Mon Feb 29, 2016 5:59 pm

New mangle rule / Extra / [x] IP fragment

As mentioned before, fragmented traffic is perfectly legal. By dropping subsequent fragments you will probably create more problems than you solve.
 
chechito (Forum Guru, Bogota Colombia)

Re: Block DDoS on Prerouting chain on firewall

Mon Feb 29, 2016 8:34 pm

It is important to establish whether the offending traffic is toward the router itself or is transit traffic.
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 3:56 pm

> New mangle rule / Extra / [x] IP fragment
>
> As mentioned before, fragmented traffic is perfectly legal. By dropping subsequent fragments you will probably create more problems than you solve.

Our application is voice-based RTP packets whose data size is less than 512 bytes. We did all kinds of study and finally decided we don't need fragmented packets. We ran a sniffer for 1 month to detect fragmented packets and didn't find a single one. We have a dual-homed network so I want to restrict fragments on the public-facing interface.

I was reading the docs and they say the following about the "IP Fragment" option in the firewall:

Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet.

We have connection tracking enabled; do you think your option will help?
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 3:57 pm

> It is important to establish whether the offending traffic is toward the router itself or is transit traffic.

It's transit traffic toward my servers.
 
chechito (Forum Guru, Bogota Colombia)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 4:09 pm

Maybe limit the specific application destination port to a max packet size? It looks like the IP firewall has the option to match IP fragments.
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 7:02 pm

> Maybe limit the specific application destination port to a max packet size? It looks like the IP firewall has the option to match IP fragments.

Here is the problem: even if I identify that my packet is IP fragmented, I want to drop it in the PREROUTING chain itself, because if I block them in the INPUT or FORWARD chain my CPU hits 100%.

I want to stop them in PREROUTING so they won't touch the routing table and get dropped at the door before getting in.

What do you suggest?
 
ZeroByte (Forum Guru)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 7:13 pm

This won't improve your performance.
Only the forward or input chain can actually block packets. Mangle is like a paint sprayer - it can mark packets and change some interesting values on them, but it doesn't do any discarding.

Even if it did, this would not improve the performance, because the same basic actions must be taken: receive packet, identify it as a fragment, discard it. Routing table lookups are a very very very fast operation and don't take much CPU, especially when a destination is cached.
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 8:11 pm

> This won't improve your performance.
> Only the forward or input chain can actually block packets. Mangle is like a paint sprayer - it can mark packets and change some interesting values on them, but it doesn't do any discarding.
>
> Even if it did, this would not improve the performance, because the same basic actions must be taken: receive packet, identify it as a fragment, discard it. Routing table lookups are a very very very fast operation and don't take much CPU, especially when a destination is cached.

Okay! I enabled the IP Fragment option in the "Prerouting" chain to mark fragmented packets, but it's not matching a single packet. If I uncheck "IP fragment" it starts matching packets.

I am sending "IP fragmented" packets using the following command to test:

hping3 -V --icmp --data 100 -x 192.168.200.2

The -x option will set the "MF" bit in the packet. I have tried other options like -f and -g but they don't match either. I think "IP fragment" has a different purpose.
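The thread turns on what "fragmented" means to the RouterOS matcher: the quoted documentation says the first (starting) fragment does not count, while `hping3 -x` sets MF on a packet whose fragment offset is 0, i.e. a first fragment. The following added example (not from the thread or from MikroTik) parses IPv4 headers and separates the three cases, unfragmented, first fragment (MF set, offset 0) and subsequent fragment (offset non-zero), so the distinction can be checked against constructed packets. The addresses, identifiers and payload sizes are constructed test data, not captures.

```python
"""Classify IPv4 packets the way the RouterOS 'fragment' matcher is documented:
"Matches fragmented packets. First (starting) fragment does not count."

  none        MF clear, fragment offset 0   (ordinary unfragmented datagram)
  first       MF set,   fragment offset 0   (what `hping3 -x` produces)
  subsequent  fragment offset != 0          (MF set or clear; the only case the
                                             documented matcher counts)
All packets below are constructed in this file; nothing is captured from the thread.
"""
import socket
import struct
from dataclasses import dataclass

IP_FLAG_DF = 0x2  # "don't fragment"  (bit 14 of the flags/offset field)
IP_FLAG_MF = 0x1  # "more fragments"  (bit 13 of the flags/offset field)
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header without options


@dataclass
class IPv4Header:
    ihl: int
    total_length: int
    ident: int
    df: bool
    mf: bool
    frag_offset: int  # in 8-byte units, as on the wire
    protocol: int
    src: str
    dst: str


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over the header bytes."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> IPv4Header:
    if len(pkt) < IPV4_HDR.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack(pkt[:IPV4_HDR.size])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    flags = flags_frag >> 13
    return IPv4Header(ihl=ver_ihl & 0x0F, total_length=total_len, ident=ident,
                      df=bool(flags & IP_FLAG_DF), mf=bool(flags & IP_FLAG_MF),
                      frag_offset=flags_frag & 0x1FFF, protocol=proto,
                      src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst))


def verify_checksum(pkt: bytes) -> bool:
    """Summing a header that includes its own checksum must yield zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


def classify(hdr: IPv4Header) -> str:
    if hdr.frag_offset != 0:
        return "subsequent"
    return "first" if hdr.mf else "none"


def matches_fragment(hdr: IPv4Header) -> bool:
    """Documented matcher semantics: non-first fragments only."""
    return classify(hdr) == "subsequent"


def build_ipv4(src, dst, proto, payload, ident=0x1234, mf=False, offset=0):
    """Header (no options) + payload with a valid checksum; offset in 8-byte units."""
    flags_frag = ((IP_FLAG_MF if mf else 0) << 13) | (offset & 0x1FFF)
    fields = [0x45, 0, IPV4_HDR.size + len(payload), ident, flags_frag, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))
    return IPV4_HDR.pack(*fields) + payload


def sample_packets() -> dict:
    """Constructed packets (RFC 5737 test addresses plus the lab address from the thread)."""
    return {
        # `hping3 --icmp --data 100 -x`: ICMP echo, MF set, offset 0 -> a *first* fragment
        "hping3_mf_offset0": build_ipv4("192.168.200.1", "192.168.200.2", 1,
                                        b"\x08\x00" + b"\x00" * 106, mf=True),
        # second piece of a ~3 KB UDP datagram: offset 1480 bytes = 185 units, MF still set
        "udp_second_fragment": build_ipv4("203.0.113.7", "192.0.2.10", 17, b"\x00" * 1480,
                                          ident=0xBEEF, mf=True, offset=185),
        # last piece of the same datagram: MF clear but offset non-zero, still a fragment
        "udp_last_fragment": build_ipv4("203.0.113.7", "192.0.2.10", 17, b"\x00" * 200,
                                        ident=0xBEEF, mf=False, offset=370),
        # RTP-sized UDP datagram like the thread's legitimate traffic: not a fragment
        "rtp_unfragmented": build_ipv4("198.51.100.5", "192.0.2.10", 17, b"\x80" * 12 + b"\x00" * 160),
    }


def summarize(packets: dict) -> dict:
    """Count packets per class and how many the documented matcher would catch."""
    counts = {"none": 0, "first": 0, "subsequent": 0, "matcher_hits": 0}
    for raw in packets.values():
        hdr = parse_ipv4(raw)
        counts[classify(hdr)] += 1
        counts["matcher_hits"] += int(matches_fragment(hdr))
    return counts


if __name__ == "__main__":
    for name, raw in sample_packets().items():
        h = parse_ipv4(raw)
        print(f"{name:22s} MF={h.mf!s:5} offset={h.frag_offset:4d} -> {classify(h):10s} matcher={matches_fragment(h)}")
    print(summarize(sample_packets()))
```

Run stand-alone it prints one line per constructed packet. The hping3-style packet is classified as a first fragment and is not a matcher hit, which is consistent with the documented "first fragment does not count" behaviour independently of connection-tracking reassembly; the two genuine non-first fragments are the only hits.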
 
chechito (Forum Guru, Bogota Colombia)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 8:45 pm

Maybe you need a more powerful RouterBOARD than the current one?
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 9:29 pm

> Maybe you need a more powerful RouterBOARD than the current one?

I have a CCR1036-8G-2S+ with 16GB memory and 32 CPUs. Is that enough?
 
chechito (Forum Guru, Bogota Colombia)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 9:54 pm

> > Maybe you need a more powerful RouterBOARD than the current one?
>
> I have a CCR1036-8G-2S+ with 16GB memory and 32 CPUs. Is that enough?

The CCR1036 has 36 Tile CPU cores, not 32.

Bandwidth and pps of legitimate traffic?

Bandwidth and pps of offending traffic when attacked?
 
dada (Member Candidate)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 9:55 pm


> Okay! I enabled the IP Fragment option in the "Prerouting" chain to mark fragmented packets, but it's not matching a single packet. If I uncheck "IP fragment" it starts matching packets.

As you already mentioned, the problem is probably that ROS does the fragment reassembly automatically when connection tracking is enabled (i.e. when filter rules are used). So you will see no packet fragments; the packet will enter the rules after it has been reassembled.

So I see no solution for you here.

Note: in the past we had another type of problem with fragmented packets. On CPE stations we configure a firewall (allowing only configured SRC IPs from the client, etc.) and disabled connection tracking (there is no NAT and no stateful firewall). Sometimes it happened that the customer was not able to run VPNs/tunnels through the CPE. It turned out that fragmented traffic was not forwarded. The explanation from MT support was that when there is any filter rule, fragmented packets are dropped (it is expected that connection tracking is enabled and thus there are no real fragments going through the rules). The problem was a little bit fuzzy because, without changing the config, all was working most of the time. After a CPE restart the problem could appear or disappear. Enabling connection tracking solved it. Later ROS versions enable the tracking automatically if filter rules are present and the default setting is used.
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 11:40 pm

> > > Maybe you need a more powerful RouterBOARD than the current one?
> >
> > I have a CCR1036-8G-2S+ with 16GB memory and 32 CPUs. Is that enough?
>
> The CCR1036 has 36 Tile CPU cores, not 32.
>
> Bandwidth and pps of legitimate traffic?
>
> Bandwidth and pps of offending traffic when attacked?

You are right, it's 36 cores. 100kpps, and total bandwidth is a 1G internet link.
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Tue Mar 01, 2016 11:41 pm


> > Okay! I enabled the IP Fragment option in the "Prerouting" chain to mark fragmented packets, but it's not matching a single packet. If I uncheck "IP fragment" it starts matching packets.
>
> As you already mentioned, the problem is probably that ROS does the fragment reassembly automatically when connection tracking is enabled (i.e. when filter rules are used). So you will see no packet fragments; the packet will enter the rules after it has been reassembled.
>
> So I see no solution for you here.
>
> Note: in the past we had another type of problem with fragmented packets. On CPE stations we configure a firewall (allowing only configured SRC IPs from the client, etc.) and disabled connection tracking (there is no NAT and no stateful firewall). Sometimes it happened that the customer was not able to run VPNs/tunnels through the CPE. It turned out that fragmented traffic was not forwarded. The explanation from MT support was that when there is any filter rule, fragmented packets are dropped (it is expected that connection tracking is enabled and thus there are no real fragments going through the rules). The problem was a little bit fuzzy because, without changing the config, all was working most of the time. After a CPE restart the problem could appear or disappear. Enabling connection tracking solved it. Later ROS versions enable the tracking automatically if filter rules are present and the default setting is used.

You are right, if connection tracking is enabled then you will never be able to find fragmented packets because they get reassembled at the door.

How are other companies handling this kind of attack?
 
dada (Member Candidate)

Re: Block DDoS on Prerouting chain on firewall

Wed Mar 02, 2016 7:48 am

> You are right, if connection tracking is enabled then you will never be able to find fragmented packets because they get reassembled at the door.
>
> How are other companies handling this kind of attack?

I hope the fragments you want to eliminate are part of some DDoS attack. For example, if the attack is made with the DNS protocol you could try to filter all packets which have SRC port UDP/53. If you are lucky enough you can make exceptions for legal DNS traffic (i.e. if your customers use a known set of DNS servers).
Maybe when the first packet is dropped the fragments will be dropped silently too. But maybe the logic of packet reassembly will behave badly in this case too. I would ask MT support if they have a solution for you.

We are not using MT for anything other than CPE and AP. You are proof that even 36 CPUs is not enough (if they are not effectively used and are not too powerful alone). You could replace the box with x86 and run ROS or Linux on it. Then you can use an accelerated NIC (which allows distributing packets to more cores) and handle much more traffic.
 
satish143 (Frequent Visitor, Topic Author)

Re: Block DDoS on Prerouting chain on firewall

Wed Mar 02, 2016 11:51 pm

> > You are right, if connection tracking is enabled then you will never be able to find fragmented packets because they get reassembled at the door.
> >
> > How are other companies handling this kind of attack?
>
> I hope the fragments you want to eliminate are part of some DDoS attack. For example, if the attack is made with the DNS protocol you could try to filter all packets which have SRC port UDP/53. If you are lucky enough you can make exceptions for legal DNS traffic (i.e. if your customers use a known set of DNS servers).
> Maybe when the first packet is dropped the fragments will be dropped silently too. But maybe the logic of packet reassembly will behave badly in this case too. I would ask MT support if they have a solution for you.
>
> We are not using MT for anything other than CPE and AP. You are proof that even 36 CPUs is not enough (if they are not effectively used and are not too powerful alone). You could replace the box with x86 and run ROS or Linux on it. Then you can use an accelerated NIC (which allows distributing packets to more cores) and handle much more traffic.

The attacker is sending traffic on RTP ports (12000-13000 UDP), and they mark the packets with the "MF" flag set, with a packet size of around 1500.

In my lab I am trying to reproduce this attack using the hping3 command, and if I set the "MF" flag and send a hell of a load of traffic, the MikroTik CPU hits 100%.

But if I run the same test on a simple Linux firewall (iptables), CPU is under 1% and the system is happy. Something weird is going on with MikroTik, or it's not able to use the 36 CPUs properly. I don't know, but the result is very different.
 
jarda (Forum Guru)

Sat Mar 05, 2016 8:26 am

Have you informed support? What did they reply?
 
bajodel (Long time Member, Italy)

Re: Block DDoS on Prerouting chain on firewall

Thu Mar 17, 2016 9:50 am

any news on this?
 
chechito (Forum Guru, Bogota Colombia)

Re: Block DDoS on Prerouting chain on firewall

Mon Feb 26, 2018 6:44 pm

 
sebastia (Forum Guru, Antwerp, BE)

Re: Block DDoS on Prerouting chain on firewall

Mon Feb 26, 2018 9:33 pm

Was about to say the same thing: drop in RAW...
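The RAW table that the last two replies point at is the piece missing from the 2016 discussion: RAW rules run before connection tracking, so fragments are still fragments there, and RAW does support action=drop. The rules below are an added example, not configuration from anyone in the thread or from MikroTik. They assume RouterOS 6.36 or later (the first release with /ip firewall raw), a public-facing interface named ether1-wan, the RTP range 12000-13000/udp from the thread, a 600-byte ceiling for legitimate RTP packets (the thread says they are under 512 bytes), and that the fragment matcher is available in raw as it is in filter and mangle.

```routeros
# Added example, not from the thread. Assumes RouterOS >= 6.36, a public-facing
# interface "ether1-wan", RTP on 12000-13000/udp and legitimate RTP < 600 bytes.
/ip firewall raw

# Rule 1: non-first fragments (offset != 0) carry no UDP header, so dst-port can
# never match them; match only on fragment=yes and the ingress interface. RAW runs
# before connection tracking, so unlike mangle/filter it still sees the fragments.
add chain=prerouting in-interface=ether1-wan fragment=yes action=drop comment="drop non-first IP fragments from the public side"

# Rule 2: first fragments (MF set, offset 0) do carry the UDP header and a full-size
# IP total length, so catch them by port and size instead. packet-size is the IP total
# length including the 20-byte header; 600-65535 leaves RTP-sized packets alone.
add chain=prerouting in-interface=ether1-wan protocol=udp dst-port=12000-13000 packet-size=600-65535 action=drop comment="oversized UDP aimed at the RTP range"
```

Check hit counters with `/ip firewall raw print stats` while replaying the hping3 test from the lab; the hping3 -x packets (MF set, offset 0) should be counted by the second rule, not the first. The caveat raised by ZeroByte and dada still applies: rule 1 drops every non-first fragment arriving on that interface, which is only acceptable because the thread's own month-long capture saw no legitimate fragments there.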
