dshea
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2012 12:42 am

Maxxed out CPU on CloudCore routers?

Thu Apr 05, 2018 9:26 pm

We've suffered a few brutal DDoS attacks over the last few days (not all that unusual), but we graph CPU usage on all our Mikrotiks, and the graph showed some CCR1072 routers hitting 100% CPU usage during the attack, even though normal CPU usage is below 10%. We're doing the usual review/audit and update of our firewall rules, but is that a common side effect of a DDoS? What sort of traffic could cause that kind of impact?
 
gmsmstr
Trainer
Posts: 940
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: Maxxed out CPU on CloudCore routers?

Thu Apr 05, 2018 10:44 pm

If the router is not configured correctly, yes, but it should NOT hit 100% CPU.
Dennis Burgess, MCTCE, MTCNA, MCTCTE, MTCWE, MTCNIE, A+, N+, MCP, MTCSE Mikrotik Certified Consultant / Trainer
Need Mikrotik Support: http://www.linktechs.net -- Link Technologies, Inc.
-- Author of "Learn RouterOS: Second Edition"
 
samsung172
Forum Guru
Posts: 1186
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: Maxxed out CPU on CloudCore routers?

Thu Apr 05, 2018 11:37 pm

A misconfigured firewall could sometimes make an attack even worse. You can, for example, run every attacking packet through connection tracking. Check your rule set, and which rules have a lot of hits when under attack. Also check the profile for which "app" is using your CPU resources.
 
dshea
just joined
Topic Author
Posts: 11
Joined: Thu Jan 19, 2012 12:42 am

Re: Maxxed out CPU on CloudCore routers?

Thu Apr 05, 2018 11:40 pm

Well, I grabbed my copy of Learn RouterOS 2nd Ed., and I made some changes in rule order, using Firewall Efficiencies on pg 126-127 as a guide, but I'm still not certain what was happening when the attack was going on that could have overloaded the 72-core CPU...
Quote: "If the router is not configured correctly, yes, but it should NOT hit 100% CPU."
 
jspool
Member
Posts: 388
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Maxxed out CPU on CloudCore routers?

Fri Apr 06, 2018 6:29 am

Normally one would utilize BGP blackhole or null route with your upstream provider. Also dropping offending traffic in the raw table so it's dropped before connection tracking.
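
Added example, not part of any post in this thread: the raw-table drop mentioned in the last reply, shown next to a filter-table drop that still passes through connection tracking, followed by the rule-counter and profiler checks suggested earlier. RouterOS v6 syntax is assumed; the address-list name `ddos-sources` and the 198.51.100.0/24 entry are constructed placeholders.

```routeros
# Constructed sample entry (documentation address range). The timeout lets the
# entry age out instead of growing the list indefinitely.
/ip firewall address-list
add list=ddos-sources address=198.51.100.0/24 timeout=1h

# Weaker placement: the filter table is evaluated after connection tracking,
# so every attack packet still costs a conntrack lookup (and possibly a new
# state entry) before this rule discards it.
/ip firewall filter
add chain=forward action=drop src-address-list=ddos-sources \
    comment="drop after conntrack"

# Placement described in the reply above: the raw table is processed in
# prerouting, before connection tracking, so matching packets are dropped
# without touching the state table.
/ip firewall raw
add chain=prerouting action=drop src-address-list=ddos-sources \
    comment="drop before conntrack"

# Checks to run while under load:
# per-rule packet and byte counters, to see which rules take the hits
/ip firewall raw print stats
/ip firewall filter print stats
# per-process CPU usage, to see whether firewall or networking dominates
/tool profile
```

With both rules in place, the raw rule's counters should rise during an attack while the filter rule's counters stay near zero, which confirms the traffic is being discarded before connection tracking.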
