soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Correct way of protecting from SYN ?

Tue Jun 21, 2016 3:28 am

I can see my developer had done this to my core router. 
[Attachment: Screenshot_5.png]

But I found this in a forum thread:
add action=jump chain=forward comment="SYN Flood protect" disabled=no \
    jump-target=SYN-Protect protocol=tcp tcp-flags=\
    syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=accept chain=SYN-Protect comment="" disabled=no limit=X,Y \
    protocol=tcp tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=drop chain=SYN-Protect comment="" disabled=no protocol=tcp \
    tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr

Now I'm confused.
Should I keep what I have now, or copy and paste the above code directly?
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Correct way of protecting from SYN ?

Tue Jun 21, 2016 3:28 am

And should those rules be on the border, core, or PPPoE router?
 
ironman820
just joined
Posts: 20
Joined: Tue Feb 09, 2016 5:40 pm

Re: Correct way of protecting from SYN ?

Wed Jun 22, 2016 6:54 pm

If you are concerned about SYN flooding, those rules should be on any router with a public IP address. With one huge recommendation: set up a test router with your PPPoE setup and make sure the rules don't block any PPPoE traffic they're not supposed to (I'm not familiar with PPPoE, but I have enabled rules that have had major effects on our traffic).

As for whether the rules are set up properly, check that the flags are set correctly, or, to make it easier, export the config for your firewall filter and compare it to the rules you are looking at:
/ip firewall filter
export
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Correct way of protecting from SYN ?

Wed Jun 22, 2016 6:56 pm

So the rule is correct?
Did you see it in full?

And should it be in all the MikroTik routers?
Yes, all of my routers always have public IPs.
 
ironman820
just joined
Posts: 20
Joined: Tue Feb 09, 2016 5:40 pm

Re: Correct way of protecting from SYN ?

Wed Jun 22, 2016 7:25 pm

So the rule is correct?
Did you see it in full?
The rule appears to be correct, but Winbox does not show everything in the line display. If you post the output of those lines after running the code I posted, I can say that they are correct.
The other thing I'm seeing is that since you are using PPPoE behind a router, you might want to consider changing the "limit" parameter to "dst-limit", as described in this post:
Does the SYN protect chain really protect anything?
So the code would be:
add action=jump chain=forward comment="SYN Flood protect" disabled=no \
    jump-target=SYN-Protect protocol=tcp tcp-flags=\
    syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=accept chain=SYN-Protect comment="" disabled=no dst-limit=X,Y \
    protocol=tcp tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=drop chain=SYN-Protect comment="" disabled=no protocol=tcp \
    tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
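The rules quoted in the first post and the dst-limit variant above differ only in what the limiter counts: `limit` keeps one shared counter for every pure SYN that enters SYN-Protect, while `dst-limit` keyed on the destination address keeps one per target host. The following is an added example, not code from either poster or from MikroTik: it models that chain in Python, with the limiter represented as a token bucket (rate tokens per second, burst as the bucket size), which is an assumption about how the matcher behaves rather than a description of RouterOS internals. Time is integer milliseconds and tokens are kept in millitokens so the run is exact and deterministic. The traffic sample is constructed, not captured: one source floods 203.0.113.10 at 200 SYN/s for one second while five legitimate SYNs go to 203.0.113.20, plus an ACK and a SYN+ACK that the tcp-flags match must never send into the chain.

```python
# Added example (not the forum posters' code): a model of the SYN-Protect chain
# to compare `limit` (one shared bucket) with `dst-limit` (one bucket per
# destination address) under a one-target SYN flood.
# Assumption: the limiter is modelled as a token bucket; RouterOS's exact
# matcher internals are not claimed. Integer ms / millitokens keep it exact.
from collections import defaultdict

# tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr: SYN set, every other flag clear
MUST_BE_SET = {"syn"}
MUST_BE_CLEAR = {"fin", "rst", "psh", "ack", "urg", "ece", "cwr"}


def is_pure_syn(flags):
    """True only for a bare SYN; SYN+ACK, ACK, RST and so on never enter SYN-Protect."""
    flags = set(flags)
    return MUST_BE_SET <= flags and not (MUST_BE_CLEAR & flags)


class TokenBucket:
    """limit=rate,burst as a token bucket: rate is per second, burst is the cap."""

    def __init__(self, rate, burst):
        self.rate = rate              # tokens per second == millitokens per ms
        self.cap = burst * 1000       # bucket size in millitokens
        self.tokens = self.cap        # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:       # one whole token pays for one SYN
            self.tokens -= 1000
            return True
        return False


def syn_protect(packets, rate, burst, per_dst):
    """Verdict per packet: 'pass' (not a pure SYN, the jump rule never matches),
    'accept' (the limit rule matched) or 'drop' (fell through to the drop rule).
    per_dst=False models `limit`; per_dst=True models `dst-limit` keyed on dst."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    verdicts = []
    for pkt in sorted(packets, key=lambda p: p["t_ms"]):
        if not is_pure_syn(pkt["flags"]):
            verdicts.append((pkt, "pass"))
            continue
        key = pkt["dst"] if per_dst else "global"
        verdicts.append((pkt, "accept" if buckets[key].allow(pkt["t_ms"]) else "drop"))
    return verdicts


def constructed_traffic():
    """Constructed sample, not captured data (addresses are documentation ranges)."""
    pkts = [{"t_ms": 5 * i, "src": "198.51.100.7", "dst": "203.0.113.10",
             "flags": ("syn",), "role": "attacker"} for i in range(200)]
    pkts += [{"t_ms": 102 + 200 * k, "src": f"192.0.2.{k + 1}", "dst": "203.0.113.20",
              "flags": ("syn",), "role": "legit"} for k in range(5)]
    pkts += [{"t_ms": 50, "src": "192.0.2.9", "dst": "203.0.113.20",
              "flags": ("ack",), "role": "legit"},
             {"t_ms": 51, "src": "203.0.113.20", "dst": "192.0.2.9",
              "flags": ("syn", "ack"), "role": "legit"}]
    return pkts


def run(per_dst, rate=50, burst=50):
    """Count verdicts by role so the two limiter modes can be compared."""
    counts = defaultdict(int)
    for pkt, verdict in syn_protect(constructed_traffic(), rate, burst, per_dst):
        counts[f"{pkt['role']}_{verdict}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for mode, per_dst in (("limit (shared bucket)", False),
                          ("dst-limit (per destination)", True)):
        print(mode, run(per_dst))
```

With the shared bucket the flood against one host drains the counter for everyone, so three of the five legitimate SYNs to the other host are dropped; keyed per destination, the flooded host is throttled to roughly rate plus burst SYNs while the other host's five SYNs all pass, and in both modes the ACK and SYN+ACK are never touched by the chain. That difference is the reason for preferring dst-limit when many customers sit behind the same router, and the same model is a cheap way to sanity-check a chosen rate,burst pair before putting the rule on a live border.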
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Correct way of protecting from SYN ?

Wed Jun 22, 2016 8:19 pm

Okay, in all routers use the same code,
but in PPPoE routers only, change to dst.
 
ironman820
just joined
Posts: 20
Joined: Tue Feb 09, 2016 5:40 pm

Re: Correct way of protecting from SYN ?

Wed Jun 22, 2016 9:48 pm

That would be the route I would take.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Correct way of protecting from SYN ?

Wed Jun 22, 2016 9:54 pm

Thanks.
I think I will first add it to the border routers, then the core, and then add it to the PPPoE router after 2-3 days.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Correct way of protecting from SYN ?

Sat Jul 30, 2016 11:41 am

Added it to the border router, but it doesn't seem to be getting the packets.
Looks like some issue.
