mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

how to protect against UDP flood

Wed Jan 25, 2012 10:56 pm

Hi,

I have recently set up a TeamSpeak 3 Server to provide Voice Services to my Clients on Network.
However shortly after putting on Public IP I started receiving UDP Flooding. The behavior is very odd, as the IP from which flooding is being done is caught in a dynamic Address-List and all packets are dropped from that source, but the Interface gets jammed up showing 98Mbps or 95Mbps. This creates a huge timeout on all other Network Services, and sometimes even my backend provider blacklists my IP saying a DDoS attack was noticed on this IP. This sort of flooding usually comes over UDP.

Is there any possible way to protect my system / network from this using Mikrotik Firewall?
To give a better idea what happens during the attack to my router, I am attaching a sample snapshot generated for Firewall Testing purpose. Any other details can be provided for the same.

udpflood.jpg
Regards
Mudasir Mirza
http://www.diglinux.com
 
brandonrossl
Frequent Visitor
Posts: 61
Joined: Wed Jun 08, 2011 10:09 pm

Re: how to protect against UDP flood

Thu Jan 26, 2012 3:00 pm

Have you tried a firewall chain that's packet rate limited?
 
mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: how to protect against UDP flood

Thu Jan 26, 2012 3:09 pm

Hi,

Not working, attached snapshot.
floodtest.JPG
Regards
Mudasir Mirza
http://www.diglinux.com
 
brandonrossl
Frequent Visitor
Posts: 61
Joined: Wed Jun 08, 2011 10:09 pm

Re: how to protect against UDP flood

Thu Jan 26, 2012 4:07 pm

See if you can use torch for your local address and udp as protocol to see where they are coming from?

Since UDP is connectionless, the destination IP/port is probably what you have to use to see the traffic.
 
mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: how to protect against UDP flood

Thu Jan 26, 2012 4:11 pm

Hi,

Snapshot in my initial post shows the torch screen also, there I tested it from my local IP address "10.6.24.2". I have a perl script which I use to perform this, I define port, packet size and a few other parameters in there and then start the test.
Regards
Mudasir Mirza
http://www.diglinux.com
 
brandonrossl
Frequent Visitor
Posts: 61
Joined: Wed Jun 08, 2011 10:09 pm

Re: how to protect against UDP flood

Thu Jan 26, 2012 5:45 pm

So I'm assuming you have a similar setup to this guy:
http://forum.mikrotik.com/viewtopic.php?f=6&t=10396

and sadly his solution was to install an additional mikrotik to just filter udp traffic to prevent exactly what you're experiencing.

You're pretty much the victim of a DOS attack unless you can figure out the true source as a virus or somesuch.

And just to be sure, firewall rule on rate limit should be on 'forward' chain if passing through router, 'input' if directed at the router. Might want to try both and see which is more effective.

Does traffic stop when you stop forwarding port and drop all UDP packets directed at that port?
 
mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: how to protect against UDP flood

Thu Jan 26, 2012 10:59 pm

Hi,

It is somewhat similar, however I cannot add another Mikrotik instance, as still my core router will be receiving this attack which at some time will get a saturated link.
Core router is also a Mikrotik Router.

I thought of implementing PCQ on Interface Queue to restrict complete traffic, but again not sure whether this will work or not. As it is a bit dangerous also, as I also do not have physical access to this router, and if it goes out of reach then it will cost me 2 days.

Will always welcome more suggestions and ideas.
Regards
Mudasir Mirza
http://www.diglinux.com
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: how to protect against UDP flood

Fri Jan 27, 2012 4:16 pm

You can't *stop* traffic directed to you that has already reached your external interface.

The best option is to request your upstream provider restrict and/or block it themselves as once it reaches you the only thing you can do is drop it. If you're doing BGP some providers have a specific BGP community you can use to blackhole certain IP addresses which might help in your case.
brightwifi.com | mikrotik-routeros.com | MTCNA,MTCWE.MTCTCE | Give karma where due
 
mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: how to protect against UDP flood

Fri Jan 27, 2012 4:23 pm

Hi,

Yes that is exactly what I initially figured out. My upstream provider does blackhole my IP address and it blocks everything. Up till now I have not been able to get any updates from my provider as to how we can control this.

Let's see, if I come up with any solution, I will share it here.
Regards
Mudasir Mirza
http://www.diglinux.com
 
Blazedstorm
just joined
Posts: 5
Joined: Mon May 07, 2012 10:18 am

Re: how to protect against UDP flood

Mon May 07, 2012 12:20 pm

Hi.

How did you do the setup for Teamspeak on the Mikrotik unit?

Please help
 
daived
just joined
Posts: 9
Joined: Fri Apr 05, 2013 2:51 pm

Re: how to protect against UDP flood

Tue Jan 14, 2014 4:17 am

Hi, did you solve this?
 
kukithanki
just joined
Posts: 2
Joined: Tue May 17, 2016 9:51 am

Re: how to protect against UDP flood

Tue May 17, 2016 9:56 am

Try this and it will work, just remember to change interface name and port if required

/ip firewall filter
add action=drop chain=forward in-interface=ether1 src-address-list="SIP Hacker"
add action=add-src-to-address-list address-list="SIP Hacker" address-list-timeout=2w chain=forward connection-state=new dst-port=5060 in-interface=ether1 protocol=udp src-address-list="SIP Trial"
add action=add-src-to-address-list address-list="SIP Trial" address-list-timeout=15s chain=forward connection-state=new dst-port=5060 in-interface=ether1 protocol=udp src-address=0.0.0.0/0
add action=drop chain=forward disabled=yes in-interface=ether1 src-address-list="SIP Hacker"
add action=add-src-to-address-list address-list="SIP Hacker" address-list-timeout=1d chain=forward connection-state=new disabled=yes dst-port=9070 in-interface=ether1 protocol=udp src-address-list="SIP Trial"

Basically when you block input your system still replies so just block the reply to unsuccessful attempt.
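
The three enabled rules above, modelled in Python as an added example (not part of the post and not MikroTik code), to show how the two address lists interact and that dropped packets have still used the inbound link, as noted earlier in the thread. The event format, the function name `simulate` and the sample addresses are assumptions made for this illustration; only packets that conntrack would classify as connection-state=new are modelled.

```python
# Added illustration of the "SIP Trial" / "SIP Hacker" rule order.
TRIAL_TTL = 15                 # address-list-timeout=15s on "SIP Trial"
HACKER_TTL = 14 * 24 * 3600    # address-list-timeout=2w on "SIP Hacker"

def simulate(events):
    """events: (time_s, src_ip, size_bytes), one per packet seen as
    connection-state=new on the protected UDP port.
    Returns (verdicts, bytes_on_link, bytes_forwarded)."""
    trial, hacker = {}, {}     # src_ip -> list entry expiry time
    verdicts, on_link, forwarded = [], 0, 0
    for t, src, size in sorted(events):
        on_link += size        # the packet has already crossed the uplink
        # Rule 1: drop anything from a source currently in "SIP Hacker".
        if hacker.get(src, 0) > t:
            verdicts.append((t, src, "drop"))
            continue
        # Rule 2: source still in "SIP Trial" -> add it to "SIP Hacker".
        # The action passes through, so this packet is still forwarded.
        if trial.get(src, 0) > t:
            hacker[src] = t + HACKER_TTL
        # Rule 3: every new connection puts the source in "SIP Trial".
        trial[src] = t + TRIAL_TTL
        verdicts.append((t, src, "forward"))
        forwarded += size
    return verdicts, on_link, forwarded

# Constructed sample input (documentation address ranges, not from the thread).
SAMPLE = [
    (0, "198.51.100.7", 500),     # first new connection: enters Trial
    (5, "198.51.100.7", 500),     # second within 15s: listed as Hacker
    (6, "198.51.100.7", 500),     # dropped by rule 1
    (7, "198.51.100.7", 500),     # dropped by rule 1
    (0, "203.0.113.20", 500),     # client connects once
    (20, "203.0.113.20", 500),    # reconnects after Trial expired: not listed
    (100, "203.0.113.30", 500),   # client connects
    (110, "203.0.113.30", 500),   # retries 10s later: listed for two weeks
    (3600, "203.0.113.30", 500),  # still dropped an hour later
]

if __name__ == "__main__":
    verdicts, on_link, forwarded = simulate(SAMPLE)
    for v in verdicts:
        print(v)
    print("bytes on link:", on_link, "bytes forwarded:", forwarded)
```

Two things stand out in the output: a client that opens a second new connection within 15 seconds is blocked for two weeks, and the byte count on the link is unchanged by the drops.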
