I have been developing an advanced firewall for an ISP in order to mitigate DoS and DDoS attacks as much as possible. The problem started when I was testing the property dst-limit with the value src-and-dst-addresses in the firewall filter.
Example: to simulate the attack and the firewall rule behavior, I use KALI to generate the attacks and some firewall rules with action=passthrough just to check the amount of data being processed by the dst-limit rule.
Here are the firewall filter rules:
/ip firewall filter
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test dst-limit=10,10,src-and-dst-addresses/10s in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=accept chain=forward comment=test in-interface=ether1-wan log-prefix=""
The issue is that they are NOT matching all packets when:
1) dst-limit uses the src-and-dst-addresses value
2) The number of packets per second is high (more than 30.000 packets per second)
3) Multiple source addresses attacking one host
KALI command: hping3 -p 81 -2 190.107.176.253 -w 64 -i u10 --rand-source
Otherwise, if you do the same attack but from only one source, this behavior does not occur.
KALI command: hping3 -p 81 -2 190.107.176.253 -w 64 -i u10 -a 3.3.3.3
Here is a video with the demonstration: https://dl.dropboxusercontent.com/u/381 ... _error.zip
I tested with CHR and x86 with 6.35.4 and 6.36rc40.
Here is the supout.rif: https://dl.dropboxusercontent.com/u/381 ... supout.rif
Best regards.
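The dst-limit rule from the post, modelled as an added example (not the poster's configuration and not RouterOS's code) so the expected behaviour of the two hping3 cases can be checked offline: a per-key token bucket with idle expiry, in the spirit of hashlimit, which is an assumption about the classifier's semantics rather than a description of the implementation. With one source only the burst plus the refill rate matches; with spoofed sources and src-and-dst-addresses every packet gets its own fresh bucket, so all of them match and the table grows by one entry per source, whereas dst-address caps traffic to the target regardless of source. The target and source addresses are taken from the post; the 1000 spoofed sources are constructed.

```python
# Model of dst-limit=<rate>,<burst>,<mode>/<expire> as a per-key token bucket
# with idle expiry (assumption in the spirit of hashlimit, not RouterOS code).
class DstLimit:
    def __init__(self, rate, burst, mode, expire):
        self.rate = rate        # packets per second refilled into a bucket
        self.burst = burst      # bucket capacity; a new key starts full
        self.mode = mode        # classifier that selects the bucket key
        self.expire = expire    # seconds an idle entry is kept (the /10s)
        self.entries = {}       # key -> [tokens, last_seen]

    def key(self, src, dst):
        if self.mode == "src-and-dst-addresses":
            return (src, dst)
        if self.mode == "dst-address":
            return (dst,)
        raise ValueError("unsupported mode " + self.mode)

    def match(self, now, src, dst):
        k = self.key(src, dst)
        e = self.entries.get(k)
        if e is None or now - e[1] > self.expire:
            e = [self.burst, now]        # fresh or expired key: full bucket
        tokens = min(self.burst, e[0] + (now - e[1]) * self.rate)
        ok = tokens >= 1                 # a packet matches while a token is left
        self.entries[k] = [tokens - 1 if ok else tokens, now]
        return ok

    def live_entries(self, now):
        return sum(1 for _, seen in self.entries.values() if now - seen <= self.expire)

def run(limiter, sources, target, count, interval):
    """Send `count` packets one every `interval` seconds, cycling over `sources`.
    Returns (packets matched, entries still tracked) at the end of the run."""
    matched, now = 0, 0.0
    for i in range(count):
        now = i * interval
        if limiter.match(now, sources[i % len(sources)], target):
            matched += 1
    return matched, limiter.live_entries(now)

TARGET = "190.107.176.253"                  # destination from the post
ONE_SRC = ["3.3.3.3"]                       # the -a 3.3.3.3 case
# constructed stand-in for --rand-source: 1000 distinct spoofed addresses
RAND_SRC = ["10.%d.%d.1" % (i // 256, i % 256) for i in range(1000)]

def scenario(sources, mode):
    # dst-limit=10,10,<mode>/10s hit at 100,000 pps (hping3 -i u10)
    return run(DstLimit(10, 10, mode, 10), sources, TARGET, 1000, 1e-5)
```

Under this model scenario(ONE_SRC, "src-and-dst-addresses") matches 10 of 1000 packets with one tracked entry, while scenario(RAND_SRC, "src-and-dst-addresses") matches all 1000 and leaves 1000 entries, so the per-pair table, not the rate, is what a spoofed flood exercises.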