rodolfo
Long time Member
Topic Author
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

detect new connection without tracking

Wed Nov 06, 2019 5:57 pm

Hi.
To build protection against SYN flood attacks, is it possible to consider incoming packets with the SYN flag as "new connection" packets without using the connection-new filter?
The goal is to avoid the use of tracking, and to ban the source/destination IP causing the flood.
Thanks
rodolfo
IZ0UQV
 
mkx
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: detect new connection without tracking

Wed Nov 06, 2019 6:55 pm

You can create an /ip firewall raw filter and, as the selection criterion, use tcp-flags=syn or something similar.

AFAIK raw firewall rules don't work off connection states ...
BR,
Metod
 
rodolfo
Long time Member
Topic Author
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

Re: detect new connection without tracking

Wed Nov 06, 2019 7:41 pm

Thanks.
Let me try to explain better.
Is filtering packets in raw, using only the [flag syn] filter,
the same as filtering packets in forward using the [connection new] filter?
Does one packet with the SYN flag always identify a new connection attempt?
rodolfo
IZ0UQV
 
mkx
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: detect new connection without tracking

Wed Nov 06, 2019 8:12 pm

That's the basics of TCP connection set-up: the client sends the server a packet with the SYN flag set and an empty payload. The server replies with a packet with the SYN and ACK flags set and an empty payload. The client then replies with the ACK flag set, payload still empty. This concludes the "three-way TCP connection setup" and the TCP connection is now established. ROS' stateful firewall follows this handshake (seeing the first packet, the connection is new; it remains new during the first reply).
Immediately after the third packet (ACK without payload) the client sends the first packet with a non-empty payload.

UDP doesn't have connection state (in the way TCP does), so ROS takes some shortcuts to get some connection state (I guess it still expects to see some replies to upgrade the connection state from new to established) ...
BR,
Metod
 
msatter
Forum Guru
Posts: 1281
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: detect new connection without tracking

Wed Nov 06, 2019 11:12 pm

And to add, detect SYN and add all the other flags, and tick the box to have an exclamation mark for all of them except SYN.
UDP you can only detect in Filter, because the connection table knows if the connection is new.
You can then put it in the block address list and block it in RAW.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta59 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
rodolfo
Long time Member
Topic Author
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

Re: detect new connection without tracking

Thu Nov 07, 2019 9:03 am

Thanks.

Hence, could the following code from the wiki:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop
be written as:
/ip firewall raw add chain=prerouting protocol=tcp tcp-flags=syn action=jump jump-target=SYN-Protect (using the correct ! to exclude the other flags)
/ip firewall raw add chain=SYN-Protect limit=400,5 action=accept
/ip firewall raw add chain=SYN-Protect action=drop
?

Thanks
rodolfo
IZ0UQV
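To tie mkx's handshake explanation to the raw-chain rules proposed in this post, here is an added Python model (example code written for this thread, not from the forum posters, the MikroTik wiki or RouterOS) of what a stateless SYN limiter does: it classifies each packet purely by its TCP flag bits, with no connection table, and rate-limits matching packets per source with a token bucket. The names Packet, TokenBucket, syn_protect and run_sample are hypothetical; the token bucket is only an approximation of the RouterOS limit=rate,burst matcher, and every packet, address and timestamp is constructed sample data.

```python
"""Added example, not from the forum thread or MikroTik: a stateless SYN-flood
limiter in plain Python that mirrors the raw-table approach discussed above.

A packet is classified purely by its TCP flag bits (no connection tracking),
like tcp-flags=syn,!ack,... in /ip firewall raw, and matching packets are
rate-limited per source with a token bucket that approximates RouterOS
limit=rate,burst (assumption: RouterOS's exact bucket arithmetic is not
given in the thread). All packets, addresses and timestamps are constructed.
"""
from dataclasses import dataclass

# TCP flag bits in header order (RFC 793; ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds (constructed)
    src: str       # source IP (constructed, documentation ranges)
    dst: str
    flags: int     # TCP flag bits


def has_syn_flag(flags: int) -> bool:
    """Loose match, like tcp-flags=syn alone: SYN set, other bits ignored.
    The server's SYN+ACK reply also matches, so on its own this does NOT
    identify a new connection attempt."""
    return bool(flags & SYN)


def is_connection_request(flags: int) -> bool:
    """First handshake packet: SYN set, ACK and RST clear. An ECN-negotiating
    SYN (SYN+ECE+CWR) still matches, unlike the strict 'syn only' pattern."""
    return bool(flags & SYN) and not flags & (ACK | RST)


def is_pure_syn(flags: int) -> bool:
    """Strict match, tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr:
    exactly the SYN bit and nothing else."""
    return flags == SYN


class TokenBucket:
    """Approximation (assumption) of the RouterOS limit=rate,burst matcher:
    at most `burst` tokens, refilled at `rate` per second; a packet is
    within the limit while a token is available."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, ts: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_protect(packets, rate=400.0, burst=5):
    """Stateless SYN-Protect chain: connection requests are limited per
    source IP; a source exceeding the limit is dropped and banned (the
    equivalent of an address-list entry). Returns (accepted, dropped, banned)."""
    buckets, banned = {}, set()
    accepted, dropped = [], []
    for p in sorted(packets, key=lambda q: q.ts):
        if p.src in banned:
            dropped.append(p)
        elif not is_connection_request(p.flags):
            accepted.append(p)            # not a connection request: untouched
        elif buckets.setdefault(p.src, TokenBucket(rate, burst)).allow(p.ts):
            accepted.append(p)
        else:
            dropped.append(p)
            banned.add(p.src)
    return accepted, dropped, banned


# Constructed traffic: a 10 kpps SYN flood from one source interleaved with
# a legitimate three-way handshake and its first data segment.
FLOOD_SRC, CLIENT, SERVER = "198.51.100.7", "192.0.2.10", "203.0.113.5"
SAMPLE = [Packet(i * 0.0001, FLOOD_SRC, SERVER, SYN) for i in range(20)] + [
    Packet(0.00015, CLIENT, SERVER, SYN),          # client: SYN
    Packet(0.00025, SERVER, CLIENT, SYN | ACK),    # server: SYN+ACK
    Packet(0.00035, CLIENT, SERVER, ACK),          # client: ACK, handshake done
    Packet(0.00045, CLIENT, SERVER, PSH | ACK),    # client: first payload
]


def run_sample():
    """Counts of accepted/dropped packets and the banned sources."""
    accepted, dropped, banned = syn_protect(SAMPLE)
    return len(accepted), len(dropped), sorted(banned)


if __name__ == "__main__":
    print(run_sample())   # → (9, 15, ['198.51.100.7'])
```

Two points the model makes visible: the server's SYN+ACK from the handshake carries the SYN bit, so a raw rule matching tcp-flags=syn alone would also count replies, which is exactly why the other flags (at least ack) have to be negated once connection-state is no longer available; and the strict "SYN and nothing else" pattern does not match a SYN that negotiates ECN (SYN+ECE+CWR), so whether to negate ece and cwr is a deliberate choice. The bucket here is per source IP, which is what the OP's goal of banning the flooding address calls for; the wiki rule's limit=400,5 is a single global bucket.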
 
msatter
Forum Guru
Posts: 1281
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: detect new connection without tracking

Thu Nov 07, 2019 1:46 pm

It could be written as:
    /ip firewall raw add chain=prerouting protocol=tcp tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr limit=!400,5:packet action=drop
