
DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Tue Aug 30, 2011 12:05 pm
by Chupaka
Sunday and Monday were horrible days...

It was the first time our network became the source of a DDoS attack. TechSupport woke me up at about 13:00 - users were complaining about very slow Internet access with a high packet drop rate. Guess what I did first? Yes, after a few minutes I rebooted the router :) And guess what? After the reboot, the picture stayed the same. Even pinging the router's address (or 127.0.0.1) from the router itself was showing 200-500ms RTT with 50% of timeouts.

After about fifteen minutes of searching and trying I identified that the reason was my firewall filter rules for limiting the number of simultaneous TCP connections per user: they were showing a high rate of dropped packets, and when I disabled them, the router became stable again.

It appeared that some kind of virus or botnet on customers' computers was attacking a single IP address (some Lineage II game server) by creating a huge number of HTTP requests to the host (when I blocked any packets to that server, the filter rule was dropping about 4000 new connections per second). So, when the 'connection-limit' matcher was trying to count the user's active connections a few thousand times per second, it was killing the router completely.

On Monday, the attacked IP addresses changed, so this horror returned :) After a dozen minutes I came to this solution:
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
It dynamically creates two address lists: attackers ('ddoser') and attacked hosts ('ddosed'), and blocks packets from the former to the latter. Works like a charm =)

Hope this will help somebody to protect his routers from flooding...
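The following is an added example and not code from the post or from RouterOS: a small Python model of the two 'forward' rules plus the 'block-ddos' chain above, written to see what those rules do with a flooding source/destination pair versus a normal page load that opens many connections (the 'burst' point that comes up later in the thread). It assumes that 'dst-limit=rate,burst,src-and-dst-addresses/expire' behaves as a token bucket per address pair that starts full at 'burst', refills at 'rate' per second and is forgotten after 'expire' idle seconds, and that re-adding an already listed address refreshes its timeout; the addresses, the 4000 connections per second figure from the post and the 40-connection page load are constructed inputs.

```python
class DstLimit:
    """Model of the dst-limit=rate,burst,src-and-dst-addresses/expire matcher.

    Assumption: one token bucket per (src, dst) pair that starts full at 'burst',
    refills at 'rate' tokens per second and is forgotten after 'expire' idle
    seconds. match() is True while the packet fits the budget, which is what the
    'action=return' rule in chain block-ddos keys on."""

    def __init__(self, rate, burst, expire=10.0):
        self.rate, self.burst, self.expire = rate, burst, expire
        self.buckets = {}  # (src, dst) -> (tokens, last_seen)

    def match(self, key, now):
        tokens, last = self.buckets.get(key, (self.burst, now))
        if now - last >= self.expire:            # idle pair: fresh bucket
            tokens, last = self.burst, now
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[key] = (tokens - 1 if ok else tokens, now)
        return ok


class ForwardChain:
    """The forward-chain rules from the post, applied to connection-state=new packets."""

    def __init__(self, rate=50, burst=50, list_timeout=600.0):
        self.limiter = DstLimit(rate, burst)
        self.ddoser = {}   # address -> entry expiry (address-list-timeout=10m)
        self.ddosed = {}
        self.timeout = list_timeout

    def listed(self, lst, addr, now):
        return lst.get(addr, -1.0) > now

    def new_connection(self, src, dst, now):
        # rule 1: jump to block-ddos. If dst-limit does not match, 'return' is
        # skipped and both add-*-to-address-list rules run (assumption: adding an
        # address that is already listed refreshes its timeout).
        if not self.limiter.match((src, dst), now):
            self.ddosed[dst] = now + self.timeout
            self.ddoser[src] = now + self.timeout
        # rule 2: drop new connections from a listed attacker to a listed victim
        if self.listed(self.ddoser, src, now) and self.listed(self.ddosed, dst, now):
            return "drop"
        return "accept"


# Constructed addresses: an infected customer PC and the game server it floods,
# plus a normal customer and a web server.
BOT, VICTIM = "10.0.0.5", "203.0.113.7"
USER, WEB = "10.0.0.9", "198.51.100.20"


def flood(fw, pps=4000, seconds=1.0):
    """Bot opens 'pps' new connections per second to VICTIM; returns (accepted, dropped)."""
    counts = {"accept": 0, "drop": 0}
    for i in range(int(pps * seconds)):
        counts[fw.new_connection(BOT, VICTIM, i / pps)] += 1
    return counts["accept"], counts["drop"]


def page_load(fw, connections=40, duration=0.2):
    """A browser fetching a page of many small images: 40 new TCP connections in 0.2 s.
    Returns True when every connection is forwarded."""
    return all(fw.new_connection(USER, WEB, i * duration / connections) == "accept"
               for i in range(connections))


def demo():
    fw = ForwardChain(rate=50, burst=50)
    accepted, dropped = flood(fw)                       # 50 fit the burst, 3950 dropped
    pair_only = (fw.new_connection(BOT, WEB, 1.5),      # bot to an unlisted host: forwarded
                 fw.new_connection(USER, VICTIM, 1.5))  # other user to the victim: forwarded
    recovered = fw.new_connection(BOT, VICTIM, 602.0)   # both list entries expired (10m)
    return {
        "flood": (accepted, dropped),
        "only_the_pair_is_blocked": pair_only == ("accept", "accept"),
        "unblocked_after_timeout": recovered == "accept",
        "page_load_ok_burst_50": page_load(ForwardChain(rate=50, burst=50)),
        "page_load_ok_burst_10": page_load(ForwardChain(rate=50, burst=10)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the post's values (rate 50, burst 50, 10s expire, 10m list timeout) the model forwards the first 50 connections of the flood and drops the remaining 3950, blocks only the bot-to-victim pair (the bot can still reach other hosts and other users can still reach the victim), lets the pair through again once the list entries expire, and forwards a 40-connection page load; with the burst lowered to 10 the same page load gets the user listed, which is the case the larger burst is meant to avoid.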

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Tue Aug 30, 2011 12:37 pm
by MRMISSY
That is nice,
thanks for sharing.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Tue Aug 30, 2011 5:53 pm
by MCT
+1 for a detection based solution rather than just blocking ports.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Dec 24, 2011 1:11 am
by mh76bih
Hi, I have the same problem, but those scripts do not help me.
All day I have a problem: from one IP there is an attack on the whole subnet of 512 IP addresses.
Any idea how to resolve this problem?
The attack is coming from port 50006, TCP protocol.
Thanks

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Dec 24, 2011 9:27 am
by MCT
You shouldn't bump really old threads, it's considered bad forum etiquette.

That aside since all of your issues are from a single address simply create a rule to drop all traffic from that IP.

I looked up the source IP in a security database and it's a frequent offender for attacking networks. I always prefer a detection based solution but in your situation I'd block that IP at the edge of my network.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Dec 24, 2011 9:46 am
by mh76bih
now it's happening again, any solutions, please

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Dec 24, 2011 10:14 am
by MCT
No one will be able to help unless you post detailed information about the traffic. The most helpful thing would be to do a packet capture of the traffic and post it.

If the attack address shifted then the alternate approach would be to create a queue rule to throttle the traffic down to a trickle. Most automated attack tools won't shift if the connections are still open.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Dec 24, 2011 3:00 pm
by Chupaka
select 'Protocol' and 'Port', there's not so much info to help you. what port of 115.238.184.5 is attacked?

are you dropping invalid connections in firewall filter?

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Dec 24, 2011 7:05 pm
by mh76bih
protocol is TCP, source IP: 115.238.184.5, source port 50006
when that happens I have traffic on almost all public IPs in the /23 subnet, around 360kbps per IP,
and upload on my network is 90-150Mbps.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Dec 24, 2011 8:27 pm
by Chupaka
so the traffic is from 109.175.20.0/24 to 115.238.184.5:50006 - what are those addresses? is there some service at 115.238.184.5:50006?

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sun Dec 25, 2011 1:53 am
by mh76bih
109.175.20.0/23 is my network, the attack is coming from 115.238.184.5 port 50006, protocol TCP

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Mon Dec 26, 2011 2:27 pm
by Chupaka
according to your screenshot, it's your network who attacks 115.238.184.5:50006 (without any response, btw)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Mon Dec 26, 2011 3:25 pm
by dingsingo
@Chupaka

++1

Thx's

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Mon Dec 26, 2011 5:53 pm
by THG
The Tech Support woke you up at 13:00, so cruel indeed! :shock:

Anyway, thanks for sharing your experience with us, Chupaka!

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Mon Dec 26, 2011 11:34 pm
by Chupaka
The Tech Support woke you up at 13:00, so cruel indeed! :shock:
well, maybe better English version would be "at 13:00 a.m." :D

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sun Jan 22, 2012 10:53 am
by spektrumzx
I tested those settings and I get between 2000-5000 addresses in the lists as ddosed or ddoser.
I have about 600 users, all connected via PPPoE.
Is it a normal thing or is something wrong?

Thanks in advance,

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sun Jan 22, 2012 6:39 pm
by omidkosari
Thanks for sharing your knowledge and experience.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Mon Jan 23, 2012 10:25 pm
by spektrumzx
I tested those settings and I get between 2000-5000 addresses in the lists as ddosed or ddoser.
I have about 600 users, all connected via PPPoE.
Is it a normal thing or is something wrong?

Thanks in advance,

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Jan 27, 2012 11:55 am
by Chupaka
I tested those settings and I get between 2000-5000 addresses in lists as ddosed or ddoser.
I have about 600 users all connected PPPOE.
Is it a normal thing or something is wrong?

Thanks in advance,
is everything else working normally? are 'ddoser's your addresses, or some Internet ones?

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Jan 27, 2012 1:58 pm
by spektrumzx
I tested those settings and I get between 2000-5000 addresses in lists as ddosed or ddoser.
I have about 600 users all connected PPPOE.
Is it a normal thing or something is wrong?

Thanks in advance,
is everything else working normally? are 'ddoser's your addresses, or some Internet ones?
I hope that I have good feedback, so everything else looks fine. Right now I have about 540 PPPoE connections and 1600 ddosers in the list, all some Internet addresses except two of them that are mine.
Also I have a rule before this, which limits the number of TCP connections to 150 per user.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Tue Apr 24, 2012 7:54 pm
by guilhermeramires
I tested those settings and I get between 2000-5000 addresses in lists as ddosed or ddoser.
I have about 600 users all connected PPPOE.
Is it a normal thing or something is wrong?

Thanks in advance,
Probably you have some NAT masquerade rules in the LAN, so all IP addresses come from only one NATted host. The solution is to
route your LAN and remove the NAT rules, OK?

Regards.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Jun 22, 2012 3:28 pm
by angboontiong
Dear Chupaka...
This cannot be put on the wireless link before the EoIP...

else, it will drop the EoIP connection, as we found today...
It seems we should put another access rule in front of this to allow the peer EoIP IP address to skip this check...

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Jun 22, 2012 10:54 pm
by Chupaka
It seems we should put another access rule in front of this to allow the peer EoIP IP address to skip this check...
yep, check this: http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking
there I added a note about exceptions

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Jun 23, 2012 12:26 am
by Dobby
Deleted because not related.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Jun 23, 2012 5:03 am
by spire2z
One way to not be woken by tech support is to never sleep!

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Jun 23, 2012 2:37 pm
by Chupaka
Dobby, the rules above will not match against the behaviour you described. Actually, they detect DoS, so each game server will be examined separately. Moreover, a game server won't generate dozens of packets on initial connection :)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Jun 23, 2012 3:18 pm
by Dobby
Deleted because not related.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Jun 23, 2012 7:49 pm
by Chupaka
thanks for sharing your concern, but in my example I use the 'forward' chain - there all addresses are de-NAT-ted, and the router knows which client should receive the packet - there's no 'address of the router' anymore

the main problem I faced is 'bad' websites which block HTTP keep-alive connections, and for opening one page with many small pictures a user creates about 30-60 TCP connections... but blocking such sites should be avoided by using 'burst' in the 'dst-limit' matcher

p.s. no, at endpoint we use customers' PCs - we are Ethernet provider :)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Aug 10, 2012 4:59 pm
by Kiken
Hi man, I've just added this rule to my MK router:

/ip firewall filter

add chain=forward connection-state=new action=jump jump-target=block-ddos

and it's showing as invalid, any ideas on what could be wrong??

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Mon Aug 13, 2012 3:53 pm
by Chupaka
it's because your 'block-ddos' chain is empty. add the other rules - and everything will be okay

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Mon Jan 13, 2014 12:46 am
by daived
Hi, sorry for this post, the topic is very old, but:
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m disabled=yes
What will the router write in this list? My local IP which is ddosed now? If I currently have only one active IP, do I need this rule?
So for me it's working like 'ddoser' addresses are blocked from the 'ddosed' IP; this is needed only if I have many IPs, but if only one?
Thanks!

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Mon Jan 13, 2014 3:07 am
by Chupaka
daived, if you re-read the first post, you can see that 'ddosed' addresses can be not only your local users, but remote hosts (when some botnet is running on your customers' PCs). Also, the router's own addresses won't be detected, as that traffic is in the 'input' chain of the firewall, and my rules catch 'forward' traffic

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Feb 19, 2014 3:28 pm
by NumLock
This helped a lot to prevent attackers eating my bandwidth; the first attack was 100Mbps on ICMP and UDP (17) and hung my MK.
The rule works properly, but a few hours after deploying it customers were unable to browse or access the Internet. I just added in-interface=ether1 (my ether1 is the WAN interface) and the problem was solved. My question is:

Is it right to add the input interface?
Here is my complete rule:

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new \
disabled=no jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new \
disabled=no dst-address-list=ddosed in-interface=ether1 src-address-list=\
ddoser

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Feb 19, 2014 6:46 pm
by plisken
Thanks Chupaka, it is a useful solution.
Karma +1

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Feb 19, 2014 9:57 pm
by Chupaka
NumLock, you'd better add the in-interface= matcher to the first rule. In your implementation, it blocks only incoming packets, but detects (D)DoS in both directions - probably unnecessary additional work

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Feb 19, 2014 10:19 pm
by NumLock
Like this?

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new \
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new \
disabled=no dst-address-list=ddosed in-interface=ether1 src-address-list=\
ddoser

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Feb 19, 2014 10:26 pm
by Chupaka
yep, and remove in-interface=ether1 from the last rule

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Feb 21, 2014 5:46 pm
by NumLock
Thanks, this helped a lot. Over 20,000 IPs have been banned. The last configuration works so far, so good:

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new \
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new \
disabled=no dst-address-list=ddosed src-address-list=ddoser

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Tue Feb 25, 2014 6:55 pm
by NumLock
/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new \
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no \
dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos comment=DOS-Exceptions disabled=no \
src-address-list=DOS-Exceptions

add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new \
disabled=no dst-address-list=ddosed src-address-list=ddoser

With this rule (the DOS-Exceptions one) can I make exceptions?

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Feb 26, 2014 3:15 pm
by Chupaka
yes, but you'd better place it as the second rule, not the third, so that the router doesn't need to check limits for traffic that will never be added as a 'ddoser' :)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Feb 26, 2014 3:31 pm
by NumLock
Is there a way to make the rule less sensitive? Yesterday I browsed my web server, my Firefox hung and retried too many times, and I was flagged as a ddoser.

Thanks!

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Feb 26, 2014 4:04 pm
by Chupaka
dst-limit=32,32 is what you're looking for. Try changing it to dst-limit=32,256 for a higher burst

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Mar 29, 2014 4:39 pm
by dorijan
sorry to hijack your post, can you give us some details about the size of that attack (bandwidth) and what router(s) you had? PC or appliance...
thank you...

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Apr 02, 2014 5:55 pm
by Chupaka
PC routers, different attacks - sometimes up to 200 Mbps is blocked from customers to the Internet :)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Tue Jun 24, 2014 3:05 pm
by juanvi
Is this suitable for the INPUT chain? Does it make sense? I think the router can be the objective too.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Jun 25, 2014 11:43 am
by Chupaka
if you block forwarded traffic - you stop its propagation across the router.

if you block input - the traffic is already here, it won't go further, so you don't decrease network load :)

that's why you simply need to protect the router from access by unauthorized users (by means of a management subnet or something)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Thu Jun 26, 2014 4:53 pm
by juanvi
But your rules are blocking the TCP SYN flood attacks to the router too if the input chain is the objective???
if you block forwarded traffic - you stop its propagation across the router.

if you block input - the traffic is already here, it won't go further, so you don't decrease network load :)

that's why you simply need to protect the router from access by unauthorized users (by means of a management subnet or something)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Thu Jun 26, 2014 7:00 pm
by Chupaka
kind of. but for router itself I'd rather do much more strict rules. and enable TCP SYN Cookies :)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Jun 27, 2014 10:54 am
by dadaniel
Is it somehow possible to make these rules more efficient? Currently every new connection is counted, jumped into a new chain, counted there again and, if below the threshold, returned to the forward chain...

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Jun 27, 2014 11:17 am
by juanvi
I've tried with SYN cookies enabled, attacking a Basebox2 directly with a TCP SYN flood attack, and the CPU resource usage was 10-15% higher compared with this rule without SYN cookies. I'll block the same attack, saving that amount of CPU:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no
At this point I have that previous rule, yours, and limiting the connections per user twice.
It seems excessive. ¿Can you tune up my setup? Have in mind that this is a hotspot and must be secure for the use it is intended for. We don't want massive connections from an IP and want maximal security from attacks to and through the router. We have seen this hardware with CPU +90% without users and only with a SYN flood attack.

Thanks in advance for your replies, master. You are being very helpful for us.
[juanvi@HotSpot1] /ip firewall> export
# jun/27/2014 08:05:59 by RouterOS 6.15
# software id = EJJG-9K3N
#
/ip firewall filter
add action=jump chain=input comment=\
    "SYN Flood protect - http://wiki.mikrotik.com/wiki/DoS_attack_protection" \
    connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=\
    syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=\
    syn
add action=jump chain=input comment="CONTROL BIDIRECCIONAL DE SOLICITUDES MASIVA\
    S - DDOS http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking - http://\
    forum.mikrotik.com/viewtopic.php\?f=2&t=54607" connection-state=new \
    jump-target=block-ddos-input
add action=return chain=block-ddos-input dst-limit=\
    50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed-input \
    address-list-timeout=10m chain=block-ddos-input
add action=add-src-to-address-list address-list=ddoser-input \
    address-list-timeout=10m chain=block-ddos-input
add action=drop chain=input connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
add action=jump chain=forward comment="CONTROL BIDIRECCIONAL DE SOLICITUDES MASI\
    VAS - DDOS http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking - http:\
    //forum.mikrotik.com/viewtopic.php\?f=2&t=54607" connection-state=new \
    jump-target=block-ddos
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m \
    chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m \
    chain=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input comment=\
    "LIMITE DE CONEXIONES POR IP - DDOS" connection-limit=75,32 protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
    src-address-list=blocked-addr
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=forward comment=\
    "LIMITE DE CONEXIONES POR IP - DDOS" connection-limit=75,32 protocol=tcp
add action=tarpit chain=forward connection-limit=3,32 protocol=tcp \
    src-address-list=blocked-addr
add chain=input comment="GENERAL - PERMITE CONEXIONES ESTABLECIDAS" \
    connection-state=established
add chain=input comment="PERMITE CONEXIONES RELACIONADAS" connection-state=\
    related
add action=drop chain=input comment="DROP CONEXIONES INVALIDAS" \
    connection-state=invalid
add chain=forward comment="GENERAL - PERMITE CONEXIONES ESTABLECIDAS" \
    connection-state=established
add chain=forward comment="PERMITE CONEXIONES RELACIONADAS" connection-state=\
    related
add action=drop chain=forward comment="DROP CONEXIONES INVALIDAS" \
    connection-state=invalid
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24 to-addresses=0.0.0.0

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Jun 27, 2014 11:45 am
by Chupaka
juanvi, do you really need 'connection-limit' in that case? I don't think the limit of 75 connections is actually doing something valuable...

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Jul 23, 2014 6:17 am
by tombee79
hi Chupaka


According to your first post: will all people that use more than, e.g., 50 connections with a web browser or torrent client get blocked for 10 minutes, inside or outside my NATed LAN?

Please confirm.

Thanks

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Thu Jul 24, 2014 1:40 pm
by Chupaka
not 50 connections, but 50 connections per second, and only the exceeding connections will be blocked, but you can modify the rule to block all packets from the flooding source

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Thu Jul 24, 2014 2:08 pm
by omidkosari
Note: At least up to version 5.6, 'dst-limit' matcher has two bugs:

'Expire' value is 10 times lower than you set; so '10s' is actually 1 second
'dst-limit' matches first 'Burst' packets (as it should be) plus one, and then skips packets for the first second; so if you have Rate set to 32 and Burst set to 0, and you start to flood packets, the rule will match 1 packet, and on 2nd packet it won't match until 1sec passes - that's why you need 'Burst' value at least as high as 'Rate' value
Was the first bug fixed in v5.26?

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Aug 20, 2014 4:12 pm
by Chupaka
Was the first bug fixed in v5.26?
sorry for the long delay

nope, v6.18 (x86), the bug is still here

also, when WinBox shows this:
[image: dst-limit.gif]
(which means '30s' in Terminal and is actually 3s in reality), one can look at it like 3000 ms (ignoring the point), which is the truth

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sun Nov 09, 2014 2:48 pm
by internetolog
These rules leave too many TCP connections in established state, counting down.
If I use reject instead of drop, does it solve this problem?

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sun Nov 09, 2014 3:59 pm
by SystemErrorMessage
Instead of dropping, would tarpit work better at reducing the CPU and bandwidth used for preventing DoS? I constantly get bombarded by adware botnets trying to route through my router, but I find using tarpit frees up a lot of bandwidth and CPU.

Also I noticed that you can't set a rate limit in RouterOS because then anything more than the rate limit would pass through.

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Dec 10, 2014 8:10 pm
by otgooneo
Thanks Chupaka.
Did you try this rule on higher than v6? Is the bug you introduced in the wiki fixed?
Note: At least up to version 5.6, 'dst-limit' matcher has two bugs:
'Expire' value is 10 times lower than you set; so '10s' is actually 1 second
'dst-limit' matches first 'Burst' packets (as it should be) plus one, and then skips packets for the first second; so if you have Rate set to 32 and Burst set to 0, and you start to flood packets, the rule will match 1 packet, and on 2nd packet it won't match until 1sec passes - that's why you need 'Burst' value at least as high as 'Rate' value

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Jan 10, 2015 12:03 pm
by omidkosari
Is it a good idea to have the following rules in addition to action=drop?

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=ddosed new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser

/ip route
add distance=1 routing-mark=ddoser-route-mark type=blackhole


Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Jan 10, 2015 12:20 pm
by Chupaka
hm-m-m... the idea is interesting, but I'm not sure about the packet flow with such a route :) if the packet doesn't go to firewall filter after that, then it's a good addition. did you check the behaviour?

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Sat Jan 10, 2015 1:10 pm
by omidkosari
Yes, I checked it.
When I add these new rules, packets don't go to the firewall filters and the drop rule does not count anymore. But I want to know which one is better?

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Tue Jan 27, 2015 8:41 am
by omidkosari
Have you checked these rules on a BGP router? I have a scenario in which TX goes through ether1 and RX comes from different GRE/EoIP tunnels.

It seems the router gets confused and blocks popular websites.

Note: I just want to block DDoS TO my customers.

As you can see I have used "connection-state=new in-interface=gre1", and normally websites don't create 8~16 NEW connections to my customers, so I think the router could not correctly understand related or established connections and thinks they are new.

I have also tested dst-limit=8,16,src-and-dst-addresses/10s but no difference.
/ip firewall filter
add action=jump chain=forward connection-state=new dst-address-list=customers in-interface=gre1 jump-target=detect-ddos-customers
add action=jump chain=forward connection-state=new dst-address-list=customers in-interface=gre2 jump-target=detect-ddos-customers
add action=jump chain=forward connection-state=new dst-address-list=customers in-interface=eoip1 jump-target=detect-ddos-customers
	
add action=jump chain=detect-ddos-customers connection-state=new dst-address-list=customers jump-target=attack-tcp-src-80 protocol=tcp src-port=80
add action=return chain=attack-tcp-src-80 connection-state=new dst-address-list=customers dst-limit=8,16,dst-address/10s protocol=tcp src-port=80
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=attack-tcp-src-80 connection-state=new dst-address-list=customers protocol=tcp src-port=80
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=attack-tcp-src-80 connection-state=new dst-address-list=customers protocol=tcp src-port=80

add action=jump chain=detect-ddos-customers connection-state=new dst-address-list=customers jump-target=attack-udp-src-80 protocol=udp src-port=80
add action=return chain=attack-udp-src-80 connection-state=new dst-address-list=customers dst-limit=8,16,src-address/10s protocol=udp src-port=80
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=attack-udp-src-80 connection-state=new dst-address-list=customers protocol=udp src-port=80
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=attack-udp-src-80 connection-state=new dst-address-list=customers protocol=udp src-port=80

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Wed Feb 04, 2015 12:04 pm
by Chupaka
sorry for the long delay

I think, routing to blackhole is better just because it drops packets earlier (on routing decision step), without checking filter rules. anyway, you still need filter rules for the first packet, which is detected after 'prerouting', and for dst-natted packets if any

on production routers (v6.7-6.10) we're currently using something like "dst-limit=16,96,src-and-dst-addresses/1m40s" - no complaints from customers so far, and gigabytes of dropped traffic :)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Thu Apr 02, 2015 6:38 am
by phendry
we're currently using something like "dst-limit=16,96,src-and-dst-addresses/1m40s" - no complaints from customers so far, and gigabytes of dropped traffic :)
Hi Chupaka. This limit seems really low to me. Surely if you had asymmetric routing on your network it would only take 2 VoIP calls from a single customer site to exceed this limit?

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Thu Apr 02, 2015 2:41 pm
by Chupaka
Hi Chupaka. This limit seems really low to me. Surely if you had asymmetric routing on your network it would only take 2 VoIP calls from a single customer site to exceed this limit?
I put those rules on access routers, so there's no asymmetric routing

and yes, in case of asymmetric routing, if router sees constant UDP stream without replies - it looks suspicious anyway ;)

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Apr 02, 2015 3:12 pm
by phendry
DDoS prevention is needed at eBGP peering points to stop the flood hitting your infrastructure. Assuming you have multiple BGP peers in physically different locations it is very likely you'll get asymmetric routing. Nothing suspicious about that.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Apr 02, 2015 5:51 pm
by Chupaka
okay, that again confirms that one should not blindly copy any configs found in the Internet, as many things depend on the topology :)

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Wed Apr 15, 2015 1:51 am
by dfariazo
What do you think about this http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking? They redirect to this post but are different.
Sunday and Monday were horrible days...

It was the first time our network became the source of DDoS attack. TechSupport woke me up at about 13:00 - users were complaining about very slow Internet access with high packet drop rate. Guess what I did first? Yes, after a few minutes I rebooted the router :) And guess what? After reboot, the picture stayed the same. Even pinging router's address (or 127.0.0.1) from the router itself was showing 200-500ms RTT with 50% of timeouts.

After about fifteen minutes of searching and trying I identified that the reason was my firewall filter rules for limiting the number of simultaneous TCP connections per user: they were showing a high rate of dropped packets, and when I was disabling them, the router was becoming stable again.

It appeared that some kind of virus or botnet on customers' computers was attacking single IP address (some Lineage II game server) by creating huge number of HTTP requests to the host (when I blocked any packets to that server, filter rule was dropping about 4000 new connections per second). So, when 'connection-limit' matcher was trying to count active user's connections a few thousand times per second, it was killing the router completely.

On Monday, the attacked IP addresses changed, so this horror returned :) After a dozen minutes I came to this solution:
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
It dynamically creates two address lists: attackers ('ddoser') and attacked hosts ('ddosed'), and blocks packets from the former to the latter. Works like a charm =)

Hope this will help somebody to protect his routers from flooding...

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Apr 16, 2015 5:34 pm
by Chupaka
What do you think about this http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking? They redirect to this post but are different.
as you can see in page history, that was me who created and edited that article :)

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Apr 30, 2015 11:30 pm
by rextended
What do you think about this http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking? They redirect to this post but are different.
as you can see in page history, that was me who created and edited that article :)
If you want, add this to your article:

ADD ONE HONEYPOT IP, like what I do with Spamhaus with one real mail address: any mail sent to that address causes the sender's IP to go directly onto the blacklist...... ;P

Any external IP trying to contact the non-active real public IP goes directly to the SCANNER address list, and every packet coming from the scanner address list is dropped, except TCP, which is tarpitted ;)

@SCANNER = address list of potential DDoS or DoS or SCANNER / SPAMMER

1.2.3.4 = One of YOUR REAL SURELY UNUSED IP ADDRESS
ether1 = your INTERNET interface
safe_address_list = IP whitelist containing all your subnet and IP of secure services

/ip firewall filter
add action=add-src-to-address-list address-list=@SCANNER chain=forward comment=HONEYPOT dst-address=1.2.3.4 in-interface=ether1 src-address-list=!safe_address_list
add action=tarpit chain=forward in-interface=ether1 protocol=tcp src-address-list=@SCANNER
add action=drop chain=forward in-interface=ether1 protocol=!tcp src-address-list=@SCANNER

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Jul 23, 2015 10:13 pm
by netwpl
I've set up this DDoS scenario to protect our internet upstreams.

I've used 2 physical interfaces:

eth1 connected to our upstream provider
eth2 connected to our network device

bridge1 with eth1 and eth2 so that the traffic can flow transparently through the CCR and the BGP session between our upstream provider and our network device gets established.

Everything seems to work fine, except 1 customer is complaining about his IPsec tunnel.

- Customer has a site-to-site VPN tunnel between two checkpoint gateways that are managed by two different management stations.
- VPN is supposed to be certificate based but it was failing, so customer changed the VPN to preshared secret and it is working now.
- When converted back to certificate-based VPN, the VPN tunnel again failed during Phase 1.
- VPN tunnel is between SIDE1 and SIDE2 sites.
- IKE Phase 1 is initiated by the SIDE1 side. <-- from outside our network
- On the SIDE1 side in the ike.elg file we are able to see the IKE Phase 1 first 5 packets, and packet 6 is not received from SIDE2
- On SIDE2 in the ike.elg file we see all 6 packets of Phase 1 and it's trying to initiate Phase 2.
- Using tcpdump captures our findings are as follows:


Could the DDoS protection be the cause that the customer can't initialize his IPsec tunnel anymore, or could it be an MTU size problem with the CCR?

 9    ;;; jump-2-forward-queue!
      chain=forward action=jump jump-target=detect-ddos connection-state=new in-interface=DDos-bridge log=no log-prefix="" 

10    ;;; !!!!!! detect ddos aufgrund der Anzahl der connections
      chain=detect-ddos action=return dst-limit=64,128,src-and-dst-addresses/11s log=no log-prefix="" 

11    ;;; not_our-networks-BASIS-add.-LIST
      chain=detect-ddos action=return dst-address-list=!LIST log=no log-prefix="" 

12    chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m log=no log-prefix="" 

13    ;;; ddoser_vergangenheit
      chain=detect-ddos action=add-src-to-address-list address-list=ddoser_vergangenheit address-list-timeout=0s log=no log-prefix="" 

14    chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m log=no log-prefix="" 

15    ;;; ddosed_vergangenheit
      chain=detect-ddos action=add-dst-to-address-list address-list=ddosed_vergangenheit address-list-timeout=0s log=no log-prefix="" 

16 X  ;;; drop DDOSER und DDOSED hosts - REMINDER ev. TARPIT?
      chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix="" 



Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Mon Oct 31, 2016 11:41 pm
by miq
@Chupaka, maybe it's a good idea to move the rule:
/ip firewall filter
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
before the jump action? When this rule is at the end, all packets go through all the anti-DDoS chains even if ddoser and ddosed are already on the proper lists.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Tue Nov 01, 2016 2:21 am
by Chupaka
@Chupaka, maybe it's a good idea to move the rule:
/ip firewall filter
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
before the jump action? When this rule is at the end, all packets go through all the anti-DDoS chains even if ddoser and ddosed are already on the proper lists.
but in that case 'dst-limit' matcher's tables won't be refreshed by packets from currently active 'ddos flows', so when the address list entry times out, it will take another 'full detection cycle' to add them back. yes, that's a theoretical difference, and I don't know the exact practical impact of it, but I was thinking about this case while developing the rule set, and still did what you see in my post :)
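
To make the ordering question concrete, here is an added Python model (not RouterOS code, and not from Chupaka or MikroTik) of the block-ddos rule set from the first post under both orderings discussed by miq and Chupaka above. The dst-limit matcher is modelled as one token bucket per src/dst pair that starts with 'burst' tokens, refills at 'rate' per second and is forgotten after 'expire' without packets; the address-list entries are assumed not to have their timeout extended by a repeated add (a simplifying assumption). The traffic is constructed: one pair opening 100 new connections per second and one legitimate pair at 10 per second, for just over the 10-minute list timeout.

```python
"""Model of the block-ddos rule set under two rule orderings.
Added illustration in Python: NOT RouterOS code, only a model of the
behaviour the thread describes (dst-limit token bucket per src/dst pair,
address lists with a timeout, drop rule before or after the jump)."""
from collections import defaultdict


class DstLimit:
    """Per-(src, dst) token bucket standing in for
    'dst-limit=rate,burst,src-and-dst-addresses/expire'."""

    def __init__(self, rate, burst, expire_ms):
        self.rate, self.burst, self.expire_ms = rate, burst, expire_ms
        self.buckets = {}  # (src, dst) -> [tokens, last_seen_ms]

    def matches(self, key, now_ms):
        """True while the pair is within its limit (the 'return' case)."""
        bucket = self.buckets.get(key)
        if bucket is None or now_ms - bucket[1] > self.expire_ms:
            bucket = [float(self.burst), now_ms]  # a fresh pair starts with a full burst
            self.buckets[key] = bucket
        tokens = min(self.burst, bucket[0] + (now_ms - bucket[1]) * self.rate / 1000)
        bucket[1] = now_ms  # every packet that reaches the matcher keeps the entry alive
        if tokens >= 1:
            bucket[0] = tokens - 1
            return True
        bucket[0] = tokens
        return False


class AddressList:
    """Dynamic address list. Assumption: re-adding an entry that has not
    expired yet does not extend its timeout."""

    def __init__(self, timeout_ms):
        self.timeout_ms, self.entries = timeout_ms, {}  # address -> expiry ms

    def add(self, addr, now_ms):
        if addr not in self.entries or now_ms >= self.entries[addr]:
            self.entries[addr] = now_ms + self.timeout_ms

    def contains(self, addr, now_ms):
        return addr in self.entries and now_ms < self.entries[addr]


def simulate(order, packets, rate=50, burst=50, expire_ms=10_000, list_timeout_ms=600_000):
    """order: 'jump-then-drop' (the first post) or 'drop-then-jump' (miq's idea).
    packets: (time_ms, src, dst) for each connection-state=new packet."""
    limiter = DstLimit(rate, burst, expire_ms)
    ddoser, ddosed = AddressList(list_timeout_ms), AddressList(list_timeout_ms)
    accepted, dropped = defaultdict(int), 0

    def block_ddos_chain(src, dst, now):  # 'return' while within limit, else list both ends
        if not limiter.matches((src, dst), now):
            ddosed.add(dst, now)
            ddoser.add(src, now)

    def drop_rule(src, dst, now):
        return ddoser.contains(src, now) and ddosed.contains(dst, now)

    for now, src, dst in packets:
        if order == "jump-then-drop":
            block_ddos_chain(src, dst, now)
            hit = drop_rule(src, dst, now)
        elif order == "drop-then-jump":
            hit = drop_rule(src, dst, now)
            if not hit:  # a blocked packet never reaches the dst-limit matcher
                block_ddos_chain(src, dst, now)
        else:
            raise ValueError(order)
        if hit:
            dropped += 1
        else:
            accepted[(src, dst)] += 1
    return {"accepted": dict(accepted), "dropped": dropped}


FLOOD = ("203.0.113.10", "198.51.100.5")   # constructed: 100 new connections/s
LEGIT = ("203.0.113.20", "198.51.100.53")  # constructed: 10 new connections/s


def constructed_traffic(seconds=610):
    """Constructed sample stream covering just over the 10-minute list timeout."""
    flood = [(t,) + FLOOD for t in range(0, seconds * 1000, 10)]
    legit = [(t,) + LEGIT for t in range(0, seconds * 1000, 100)]
    return sorted(flood + legit)


def compare(seconds=610):
    traffic = constructed_traffic(seconds)
    return {order: simulate(order, traffic) for order in ("jump-then-drop", "drop-then-jump")}


if __name__ == "__main__":
    for order, result in compare().items():
        print(order, "flood accepted:", result["accepted"][FLOOD],
              "legit accepted:", result["accepted"][LEGIT], "dropped:", result["dropped"])
```

With these inputs the original order lets 99 flood packets through once and then keeps the pair blocked straight through the list timeout, because the dst-limit entry keeps seeing the flood and the first packet after expiry re-lists the pair before the drop rule is evaluated; with the drop rule moved in front of the jump, the dst-limit entry expires while the pair is blocked, so after the list timeout another full burst (100 packets here, counting the one that triggers the re-listing) gets through before the pair is re-listed. Legitimate traffic below the rate is never listed in either order.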

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Tue Nov 01, 2016 1:50 pm
by miq
but in that case 'dst-limit' matcher's tables won't be refreshed by packets from currently active 'ddos flows', so when the address list entry times out, it will take another 'full detection cycle' to add them back. yes, that's a theoretical difference, and I don't know the exact practical impact of it, but I was thinking about this case while developing the rule set, and still did what you see in my post :)
I'm trying to look closer at these rules, because I have a problem with massive DoS (shitty IoT) from my clients. And sometimes my CCR1036-8G-2S+ dies (I wrote about this in this topic: http://forum.mikrotik.com/viewtopic.php ... 7&p=565972). And I think it may be a problem when a really large number of connections from the network (before queue, so it's really fast) go to your router.

I will try to move this rule to the beginning of the anti-DoS chains and test my theory, because I have no idea what is wrong :/.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Nov 03, 2016 10:54 pm
by alexvicol
Hi,
I have:
 1   chain=forward action=jump jump-target=detect-ddos connection-state=new log=no log-prefix=""
 2   chain=detect-ddos action=return src-address-list=exceptions log=no log-prefix=""
 3   chain=detect-ddos action=return dst-limit=32,32,src-and-dst-addresses/10s log=no log-prefix=""
 4   chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m log=no log-prefix=""
 5   chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m log=no log-prefix=""
 6   chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix=""
Where the exceptions list contains 3 IPs of DNS servers, but still those 3 IPs get added to the ddosed list and my server IPs to the ddoser list.
The counter for that exception rule is 0, which means it doesn't get hit.
What's wrong with these rules?

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Nov 04, 2016 11:24 am
by miq
Hi,
I have:
 1   chain=forward action=jump jump-target=detect-ddos connection-state=new log=no log-prefix=""
 2   chain=detect-ddos action=return src-address-list=exceptions log=no log-prefix=""
 3   chain=detect-ddos action=return dst-limit=32,32,src-and-dst-addresses/10s log=no log-prefix=""
 4   chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m log=no log-prefix=""
 5   chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m log=no log-prefix=""
 6   chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix=""
Where the exceptions list contains 3 IPs of DNS servers, but still those 3 IPs get added to the ddosed list and my server IPs to the ddoser list.
The counter for that exception rule is 0, which means it doesn't get hit.
What's wrong with these rules?
If you are trying to connect to DNS servers you should use dst-address-list in rule #2.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Nov 04, 2016 11:41 am
by alexvicol
Hi,
Already tried that.
Same thing:
1    chain=forward action=jump jump-target=detect-ddos connection-state=new log=no log-prefix=""
2    chain=detect-ddos action=return dst-address-list=exceptions log=no log-prefix=""
3    chain=detect-ddos action=return dst-limit=32,32,src-and-dst-addresses/10s log=no log-prefix=""
4    chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m log=no log-prefix=""
5    chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m log=no log-prefix=""
6    chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix=""
 

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Nov 04, 2016 12:10 pm
by miq
Hi,
Already tried that.
Same thing:
1    chain=forward action=jump jump-target=detect-ddos connection-state=new log=no log-prefix=""
2    chain=detect-ddos action=return dst-address-list=exceptions log=no log-prefix=""
3    chain=detect-ddos action=return dst-limit=32,32,src-and-dst-addresses/10s log=no log-prefix=""
4    chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m log=no log-prefix=""
5    chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m log=no log-prefix=""
6    chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix=""
 
I don't know why this doesn't work. I set exceptions on my router and it works perfectly. You should try using torch to check the src and dst address, maybe it's different than you expect. And check your firewall rules, maybe these addresses are returned from forward before the detect-dos chain.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Nov 04, 2016 1:34 pm
by alexvicol
In torch, if I run it with the IP of the DNS in src. address it displays the traffic.
I have no other firewall rules, just these ones.
How can I check if the addresses are returned from forward before the detect-dos chain?

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Nov 04, 2016 2:11 pm
by miq
In torch, if I run it with the IP of the DNS in src. address it displays the traffic.
I have no other firewall rules, just these ones.
How can I check if the addresses are returned from forward before the detect-dos chain?
It's a good idea to add a log action in the desired place.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Wed Nov 30, 2016 7:16 pm
by SKYNET360
Chupaka

Can you post the correct edited config that I lost you guys.

Thanks

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Dec 01, 2016 3:29 pm
by Chupaka
the correct edited config that I lost you guys.
correct? what's incorrect in posts above?..

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Dec 01, 2016 7:11 pm
by SKYNET360
I want to build a super powerful router that can handle 30 GIG of DDoS attack using firewall rules without any problems. What do you guys recommend?

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Dec 01, 2016 7:12 pm
by SKYNET360
the correct edited config that I lost you guys.
correct? what's incorrect in posts above?..

I found it thanks

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Dec 02, 2016 9:30 pm
by SKYNET360
Need a little help with this rule

/ip firewall filter
add action=return chain=detect-ddos comment=DOS-Exceptions disabled=no \
src-address-list=DOS-Exceptions

I have this rule as the 2nd one.

With DOS-Exceptions containing
8.8.8.8 and other known IPs that I need to make sure don't get hit with the ddos rule.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Dec 02, 2016 9:31 pm
by SKYNET360
Need a little help with this rule

/ip firewall filter
add action=return chain=detect-ddos comment=DOS-Exceptions disabled=no \
src-address-list=DOS-Exceptions

I have this rule as the 2nd one.

With DOS-Exceptions containing
8.8.8.8 and other known IPs that I need to make sure don't get hit with the ddos rule.
IP 8.8.8.8 still gets hit as ddosed

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Sat Dec 03, 2016 6:40 am
by Murmaider
I want to build a super powerful router that can handle 30 GIG of DDoS attack using firewall rules without any problems. What do you guys recommend?
You won't stop a 30 Gb/sec DDoS with firewall rules. Firewalls are an access control technology designed to secure against unauthorized entry or to limit / restrict the flow of traffic.

Firewall rules themselves are actually very inefficient in any large DDoS attack. In a large attack you will easily exhaust your connection state table in a few seconds and you will start dropping packets. Firewall rules also have a massive impact on packets-per-second through a router as every single packet has to be inspected.

In order for the firewall to inspect traffic (and traffic based on state), it needs to accept the traffic on the router's incoming interface in order to make a decision (drop, forward, etc). Even if you have a drop rule, the traffic is still "accepted" on the interface, inspected and then dropped.

While this prevents the DDoS traffic from leaving your router on the outgoing interface, your router still has to do the job of accepting the traffic and inspecting it against the hierarchy of firewall rules.

You are better off using RP Filter (loose) and source-based blackholes for DDoS filtering. This is by far more efficient and can actually reduce the incoming traffic on the router's interface, as well as the CPU usage on the router during the attack.

I did a post on this here - http://forum.mikrotik.com/viewtopic.php?t=114664
In the YouTube video you can see what I am referring to above with the traffic still hitting the incoming interface when the firewall drop rule is used. You will see how the traffic drops off when I use the source-based blackhole and how the CPU usage goes down to 0%.

If you want to automate this DDoS protection then look at Wanguard to detect DDoS traffic and push the source-based blackholes via BGP to your MikroTik (which must have RP Filter set to loose), or use it to trigger a GRE tunnel to a DDoS cloud provider.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Sat Dec 24, 2016 8:38 pm
by zipvault
Chupaka, I just saw a YouTube video of you hitting 600 Mb on a speed test on MikroTik.

Nice.

How can I do this :)

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Mon Dec 26, 2016 2:19 am
by Chupaka
youtube video of me?.. where? :)

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Dec 29, 2016 12:05 pm
by zipvault
Has anyone seen Cloudflare?

They specialise in DDoS protection.

Looks like a good service; they boast stopping a 600 Gbps attack.

How can I build something like this for myself at that scale with MikroTik?

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Dec 29, 2016 12:07 pm
by normis
This is like saying "I saw youtube.com and it looks interesting. How can I build a webpage like that at home"

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Dec 29, 2016 12:26 pm
by zipvault
You're funny normis, you make me laugh. I understand you believe it is a grand task, but anything is possible


_______
DoS approach forum = "I was just reading into layer 3, layer 4 and layer 7 DDoS.

Cloud based seems the best current option as it can implement multiple processing paths.

Looking at options and how it works so I can build my understanding.

I see Fortinet have a promising DDoS hardware box.

I wonder what it takes and what is involved; maybe it's possible for us to make one for MikroTik"

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Mar 09, 2017 7:51 pm
by Jeanluck
Hi,
I checked that:
add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn

with a single user with less than 200 total connections, this rule is skipped, and the next drop rule drops several connections.
I found the point is the "burst" parameter; 5 is too low, but in all the examples I see, it is set to 5.

So, I don't understand. What exactly does the burst parameter do in this rule? And which must be the value for it to work correctly?
At least "burst = limit connection"?

Thanks!

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Mar 09, 2017 11:52 pm
by R1CH
You're funny normis, you make me laugh. I understand you believe it is a grand task, but anything is possible


_______
DoS approach forum = "I was just reading into layer 3, layer 4 and layer 7 DDoS.

Cloud based seems the best current option as it can implement multiple processing paths.

Looking at options and how it works so I can build my understanding.

I see Fortinet have a promising DDoS hardware box.

I wonder what it takes and what is involved; maybe it's possible for us to make one for MikroTik"
The only way to beat a DDoS is to have more bandwidth than the attacker.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Mar 10, 2017 10:12 am
by Jeanluck
It's not right... Sometimes the attacker uses only a bit, but causes 100% CPU.

Please, can someone explain to me what exactly the burst parameter does? I think that 400,5 is not right.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Mar 10, 2017 12:33 pm
by Chupaka
add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
I don't like that there are both 'connection-state' and 'tcp-flags=syn'. Why not just use one of them?
Please, can someone explain to me what exactly the burst parameter does? I think that 400,5 is not right.
it means 'first 5 packets are not checked by 'limit' parameter, then allow 400 packets per second'

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Mar 10, 2017 1:52 pm
by Jeanluck
Thanks!

But I checked that 100,1 causes a lot of packet drops in the next drop rule, while 80,20 has no packet loss.
Then, if just "burst" packets are not checked, why does 100,1 drop a lot, and 80,20 none? It may be the same or similar.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Mar 10, 2017 2:44 pm
by Chupaka
But I checked that 100,1 causes a lot of packet drops in the next drop rule, while 80,20 has no packet loss.
Then, if just "burst" packets are not checked, why does 100,1 drop a lot, and 80,20 none? It may be the same or similar.
the reason is the way the allowed rate is calculated

you can imagine it as a counter: "N allowed packets left"

when first packet arrives, the counter is initialized by 'burst' value. the packet is accepted, counter is decremented by 1. then each 'Time' (1 second by default) the counter is set to Rate, and each packet decrements it by 1. packet is accepted if counter is greater than or equal to zero

in case of '100,1' the problem is within the first second: first packet arrives, counter=1, packet is accepted, counter=0 - and for the rest of this second no more packets will be accepted. in 1s counter will become 100, and 100 more packets will be accepted

that's why I prefer to set burst=rate+some_starting_value, not just some_starting_value :)

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Sat Mar 11, 2017 3:09 pm
by Jeanluck
In the MikroTik wiki for "limit" it says:
"burst - initial number of packets or bits to match: this number gets recharged every 10ms so burst should be at least 1/100 of rate per second "
(every 10ms, not every 1 sec, so I don't understand it well)

Can it be then?
- Burst = packet limit every 10ms
- Rate = packet limit every 1000ms (== 1 sec.). At this point, I think that the total rate is packets in 1 sec, minus the burst number in every 10ms period

For example, these rates for 20,5
[10ms - 4 packets] - pass all -> rate=0+4=4
[10ms - 8 packets] - pass 5, and burst drops 3 -> rate=rate+5=9
[10ms - 5 packets] - pass all -> rate = rate + 5 =14
[10ms - 15 packets] - pass 5 and burst drops 10 -> rate = rate+5=19
[10ms - 4 packets] - pass one packet, because rate has reached the 20 limit, and drop all packets until the next second starts

Does it work in this way?

My rule would be:
add action=return chain=DDOS_TCP_SYN comment="DDOS Connection Limit TCP SYNs" connection-state=new limit=20,5 protocol=tcp tcp-flags=syn

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Sun Mar 12, 2017 11:14 pm
by Chupaka
Yep, looks like it can be the truth. I thought 'limit' should work like 'dst-limit' :) But it appeared they have a bit different descriptions...
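
As an added illustration (Python, not RouterOS code, and not written by any of the thread's participants), the two readings of 'limit=rate,burst' given above, Chupaka's counter that is reset to Rate every second and Jeanluck's per-10 ms burst budget inside a per-second rate budget, are written out as small models so that the 100,1 versus 80,20 observation and the 20,5 worked table can be reproduced. Which reading matches a given RouterOS version is not settled in the thread, and these models do not settle it either; they only make each description precise enough to run.

```python
"""Two models of the 'limit=rate,burst' matcher as described in this thread.
Added illustration: neither function is RouterOS code, each implements
one participant's description of the matcher."""


def counter_model(rate, burst, arrival_times, period=1.0):
    """Chupaka's model: the counter starts at 'burst' on the first packet,
    is set to 'rate' every 'period' seconds, and each allowed packet
    decrements it. Returns one boolean per packet (True = matched/allowed)."""
    counter = None
    next_reset = None
    allowed = []
    for t in arrival_times:
        if counter is None:                        # first packet initialises the counter
            counter, next_reset = burst, t + period
        while t >= next_reset:                     # periodic reset to 'rate'
            counter, next_reset = rate, next_reset + period
        if counter > 0:
            counter -= 1
            allowed.append(True)
        else:
            allowed.append(False)
    return allowed


def window_model(rate, burst, packets_per_window, windows_per_second=100):
    """Jeanluck's model: at most 'burst' packets per 10 ms window and at most
    'rate' packets per second. Input is the packet count of each 10 ms window;
    returns how many packets of each window are allowed."""
    allowed = []
    used_this_second = 0
    for i, n in enumerate(packets_per_window):
        if i % windows_per_second == 0:
            used_this_second = 0                   # new second: per-second budget restored
        n_ok = min(n, burst, rate - used_this_second)
        used_this_second += n_ok
        allowed.append(n_ok)
    return allowed


def first_second_allowed(rate, burst, pps=50):
    """Constructed input: 'pps' evenly spaced packets inside the first second.
    Returns how many get through under the counter model."""
    times = [i / pps for i in range(pps)]
    return sum(counter_model(rate, burst, times))


if __name__ == "__main__":
    print("100,1 first second:", first_second_allowed(100, 1))
    print("80,20 first second:", first_second_allowed(80, 20))
    print("20,5 per-window:", window_model(20, 5, [4, 8, 5, 15, 4]))
```

Under the counter model, 100,1 lets exactly one packet through during the first second and 80,20 lets twenty through, which matches the difference Jeanluck reported between the two settings; from the second second on both allow the full rate. Under the window model, 20,5 applied to the windows [4, 8, 5, 15, 4] reproduces Jeanluck's table: [4, 5, 5, 5, 1] allowed, with the remainder dropped.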

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Wed Mar 22, 2017 9:20 am
by aarango
Hi,

I added your lines from the first post, Chupaka, and I see packets / bytes on jump and return in my firewall, but I want to know how I could see what the packets are, what IP it is and where I could see if that traffic is DDoS or simply traffic. Basically, how I could monitor that traffic to avoid DDoS attacks.


6 chain=forward action=jump jump-target=block-ddos connection-state=new
7 chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed
8 chain=block-ddos action=return dst-limit=50,50,src-and-dst-addresses/10s log=no
9 chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
10 chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

Note: I checked that it's working, I see IPs in "Address list". Now I have another question. Is there a way to add a whitelist? In "Address list" I have good IPs banned and I want to either adjust the burst and rate values (50, 50 now) or whitelist some IPs.
Now I changed burst and rate to 100, is that too much?

Thanks.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Wed Mar 22, 2017 11:20 am
by janyao
thank you for sharing your experience.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Wed Mar 22, 2017 1:49 pm
by Chupaka
Is there a way to add a whitelist?
just add one more 'return' rule next to the current 'return' rule:
add chain=block-ddos src-address-list=whitelisted-from-ddos-checker action=return
and then use this address-list for whitelisting

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Wed Mar 22, 2017 2:21 pm
by aarango
Is there a way to add a whitelist?
just add one more 'return' rule next to the current 'return' rule:
add chain=block-ddos src-address-list=whitelisted-from-ddos-checker action=return
and then use this address-list for whitelisting
Thank you, a stupid question. I normally use MK from the web interface; how could I change the rules' order? I have some rules in the middle (spamhaus rules) and I would like to keep the ddos rules together.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Wed Mar 22, 2017 3:09 pm
by Chupaka
I normally use MK from the web interface; how could I change the rules' order?
just drag'n'drop the rule by your mouse :)

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Thu Mar 23, 2017 8:13 am
by aarango
I normally use MK from the web interface; how could I change the rules' order?
just drag'n'drop the rule by your mouse :)
:D I feel stupid now! I tried a lot of things except that...

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Mar 24, 2017 8:24 am
by janyao
thanks for sharing.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Mar 24, 2017 10:28 am
by nichky
From the MikroTik wiki about your post.
I have no idea what the meaning of this part of the configuration is

add chain=detect-ddos src-address=192.168.0.1 action=return

https://wiki.mikrotik.com/wiki/DDoS_Det ... d_Blocking

Is it a local address?

Excellent rules, well done

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Mar 24, 2017 11:20 am
by Chupaka
I have no idea what the meaning of this part of the configuration is

add chain=detect-ddos src-address=192.168.0.1 action=return
It's about "One may want also add some exceptions (like DNS servers - it won't be good if they will be blocked)" - that's the server which needs unlimited access

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Fri Mar 24, 2017 12:52 pm
by nichky
Got the idea. Let us know more about your rules ;) :)

Thanks

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Posted: Fri Apr 21, 2017 8:26 pm
by magnitude
The protocol is TCP, source IP 115.238.184.5, source port 50006.
When that happens I have traffic on almost all public IPs in the /23 subnet, around 360 kbps per IP,
and the upload on my network is 90-150 Mbps.

How did you solve this problem? I am also facing a similar problem: all my public IPs in the subnet are affected by unknown traffic.

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Sun Sep 17, 2017 2:58 am
by nichky
How do you recommend setting up this rule: on the top, or will it be okay if I apply it at the end of the firewall list?

Thanks a lot

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Posted: Mon Sep 18, 2017 10:06 am
by Chupaka
I'd say, it depends on your current rules :)

but in general it's better to place them on the top: they are designed to block abnormal traffic and to pass the rest to the bottom rules, not to accept it