dst-limit possible problem

Posted: Mon Jul 18, 2016 8:10 pm
by apteixeira
Hello,

I have been developing an advanced firewall for an ISP in order to mitigate DoS and DDoS attacks as much as possible. The problem started when I was testing the dst-limit property with the value src-and-dst-addresses in the firewall filter.

Example: to simulate an attack and the firewall rule behaviour, I use KALI to generate the attacks and some firewall rules with action=passthrough just to check the amount of data being processed by the dst-limit rule.

Here are the firewall filter rules:
/ip firewall filter
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test dst-limit=10,10,src-and-dst-addresses/10s in-interface=ether1-wan log-prefix=""
add action=passthrough chain=forward comment=test in-interface=ether1-wan log-prefix=""
add action=accept chain=forward comment=test in-interface=ether1-wan log-prefix=""
As you can see, the first 4 rules have action=passthrough and rules 0, 1 and 3 are identical. That means those three rules must match all incoming packets.

The issue is that they are NOT matching all packets when:
1) dst-limit uses the src-and-dst-addresses value
2) The number of packets per second is high (more than 30.000 packets per second)
3) Multiple source addresses are attacking one host

KALI command: hping3 -p 81 -2 190.107.176.253 -w 64 -i u10 --rand-source

Otherwise, if you do the same attack but from only one source, this behaviour does not occur.

KALI command: hping3 -p 81 -2 190.107.176.253 -w 64 -i u10 -a 3.3.3.3

Here is a video with the demonstration: https://dl.dropboxusercontent.com/u/381 ... _error.zip

I tested with CHR and x86 with 6.35.4 and 6.36rc40.

Here is the supout.rif: https://dl.dropboxusercontent.com/u/381 ... supout.rif

Best regards.

Re: dst-limit possible problem

Posted: Tue Jul 19, 2016 10:43 am
by macgaiver
First of all, showing your real IP in public forums will be the first thing that will get you a DoS/DDoS attack :)

What is your CPU load on that test?

Re: dst-limit possible problem

Posted: Tue Jul 19, 2016 3:51 pm
by apteixeira
Hello macgaiver,

Those IPs are not real. They are just for LAB testing and routed internally.

Regards.

Re: dst-limit possible problem

Posted: Fri Sep 06, 2019 5:36 pm
by alisb
How do I detect and protect my router from hping?

Re: dst-limit possible problem

Posted: Fri Sep 06, 2019 8:24 pm
by sebastia
Only allow them at a specified rate, drop the rest.
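The following is an added example, not code from anyone in this thread or from MikroTik. It models the dst-limit matcher from the first post (dst-limit=10,10,src-and-dst-addresses/10s: 10 packets per second, burst 10, one bucket per source/destination pair, entries expiring after 10s) as a per-key token bucket, and uses that model to show two things: why a flood from one source is throttled to the configured rate while a spoofed flood with a new source per packet is not (every pair gets its own fresh bucket, so every packet matches and the state table grows with the number of sources), and what the "allow at a rate, drop the rest" approach from the last reply yields under each flood. The token-bucket model is an assumption about how a dst-limit style matcher behaves, not RouterOS's actual implementation; the packet traces are constructed in the script.

```python
"""Toy model of a dst-limit style per-key rate limiter (added example, not RouterOS code)."""
from collections import namedtuple

# Constructed packet record: timestamp in seconds, source and destination address.
Packet = namedtuple("Packet", "ts src dst")


class DstLimit:
    """Token bucket per classifier key.

    Mirrors the shape of a RouterOS dst-limit matcher (count/time, burst,
    classifier, expire) but is an assumed approximation of its behaviour.
    """

    def __init__(self, count, time=1.0, burst=None,
                 classifier="src-and-dst-addresses", expire=10.0):
        self.rate = count / time                 # tokens refilled per second
        self.burst = count if burst is None else burst
        self.classifier = classifier
        self.expire = expire
        self.buckets = {}                        # key -> (tokens, last_seen_ts)

    def _key(self, pkt):
        if self.classifier == "dst-address":
            return (pkt.dst,)
        if self.classifier == "src-address":
            return (pkt.src,)
        if self.classifier == "src-and-dst-addresses":
            return (pkt.src, pkt.dst)
        raise ValueError("unknown classifier %r" % self.classifier)

    def _expire_stale(self, now):
        # Drop buckets not touched within the expire window (state table cleanup).
        stale = [k for k, (_, last) in self.buckets.items() if now - last > self.expire]
        for k in stale:
            del self.buckets[k]

    def matches(self, pkt):
        """True if the packet is within the rate for its key (the rule 'matches')."""
        self._expire_stale(pkt.ts)
        key = self._key(pkt)
        tokens, last = self.buckets.get(key, (self.burst, pkt.ts))
        tokens = min(self.burst, tokens + (pkt.ts - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, pkt.ts)
            return True
        self.buckets[key] = (tokens, pkt.ts)
        return False


def single_source_flood(n=1000, gap=1e-5, src="3.3.3.3", dst="192.0.2.10"):
    """Constructed trace: n packets, one fixed source, 10 us apart (100k pps)."""
    return [Packet(i * gap, src, dst) for i in range(n)]


def spoofed_flood(n=1000, gap=1e-5, dst="192.0.2.10"):
    """Constructed trace: n packets, every packet from a different source address."""
    return [Packet(i * gap, "10.%d.%d.1" % (i // 256, i % 256), dst) for i in range(n)]


def evaluate(packets, limiter):
    """Apply an 'accept within rate, drop the rest' policy built on the limiter.

    Returns how many packets the rate rule accepted, how many fell through to
    the drop rule, and how many state-table entries the limiter ended up with.
    """
    accepted = sum(1 for p in packets if limiter.matches(p))
    return {
        "accepted": accepted,
        "dropped": len(packets) - accepted,
        "table_entries": len(limiter.buckets),
    }


if __name__ == "__main__":
    pair = DstLimit(10, burst=10, classifier="src-and-dst-addresses", expire=10.0)
    print("single source, per pair :", evaluate(single_source_flood(), pair))
    pair = DstLimit(10, burst=10, classifier="src-and-dst-addresses", expire=10.0)
    print("spoofed sources, per pair:", evaluate(spoofed_flood(), pair))
    per_dst = DstLimit(10, burst=10, classifier="dst-address", expire=10.0)
    print("spoofed sources, per dst :", evaluate(spoofed_flood(), per_dst))
```

With the per-pair classifier the single-source flood is cut to the burst of 10 accepted packets and one table entry, while the spoofed flood is accepted in full and leaves one bucket per forged source; keying the same limit on dst-address alone throttles the spoofed flood to the same 10 packets. That difference is the design point behind the last reply: the classifier decides what "them" means when you allow at a rate and drop the rest, and a per-pair key also decides how much state the router has to keep under a random-source flood.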