Community discussions

MikroTik App
 
jmay
Member
Member
Topic Author
Posts: 326
Joined: Tue Jun 23, 2009 8:26 pm

Syn Flood Protection for ISP

Sat Apr 07, 2012 1:55 am

I'm experimenting with the wiki example at http://wiki.mikrotik.com/wiki/DoS_attack_protection

I've never been attacked but I'm trying to keep it that way. We are an ISP with about 1500 current customers, many of which have email servers and web servers that they run. So when I plugged in the default limit of 400 the logs went crazy! Even at 2000 some of my customers were exheeding that. So a couple of questions. Should that be normal traffic or do these customers have some issues?

Also if I set it at say 3000 so their traffic remains the same and the logs doin't show any exhesive connections, is that to high to protect from an attack? I'm using an RB1100ahx2 as my main router. I'm not trying to protect customers, I'm trying to protect infrastructure so if one customer gets attacked we don't all go down. Am I going about this the right way?
 
User avatar
savagedavid
Trainer
Trainer
Posts: 310
Joined: Thu Aug 25, 2005 12:58 pm
Location: Cape Town, South Africa
Contact:

Re: Syn Flood Protection for ISP

Sat Apr 07, 2012 9:10 am

It's not unusual for clients running torrent applications to have many hundreds of connections. Can you post an export of your exact configuration? It sounds as if you might be limiting on an entire range rather than a single IP.
savagedavid
MTCE+T (MikroTik Certified Everything + Trainer)
MikroTik support and training in South Africa
http://www.mikrotiksa.com
david [at] mikrotiksa dot com
 
jmay
Member
Member
Topic Author
Posts: 326
Joined: Tue Jun 23, 2009 8:26 pm

Re: Syn Flood Protection for ISP

Tue Apr 10, 2012 1:16 am

I think you got it! I setup the firewall rule based on the above web site. What do I set to make the settings per IP? Would that be under the per connection classifer?
 
User avatar
acim
Member
Member
Posts: 424
Joined: Mon Sep 12, 2005 12:26 am
Location: Serbia
Contact:

Re: Syn Flood Protection for ISP

Tue Apr 10, 2012 1:41 am

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

connection-limit (integer,netmask; Default: ) Restrict connection limit per address or address block
So, netmask should be /32 to limit per single IP, i.e.
add chain=forward protocol=tcp tcp-flags=syn connection-limit=100,32 action=drop comment="connection limit" disabled=no
 
User avatar
acim
Member
Member
Posts: 424
Joined: Mon Sep 12, 2005 12:26 am
Location: Serbia
Contact:

Re: Syn Flood Protection for ISP

Tue Apr 10, 2012 1:44 am

 
jmay
Member
Member
Topic Author
Posts: 326
Joined: Tue Jun 23, 2009 8:26 pm

Re: Syn Flood Protection for ISP

Tue Apr 10, 2012 8:34 pm

Thanks for the reply. I've already got syn cookies enabled. Is that considered good enough or should I be limiting connections?
 
coffeecoco
Member Candidate
Member Candidate
Posts: 175
Joined: Wed Oct 12, 2005 1:17 pm

Re: Syn Flood Protection for ISP

Wed Apr 11, 2012 12:53 pm

Ive had more than my fair share of isp level ddos attacks syn floods etc
You would be a very happy man if your isp have you a level of dropping the packets before forwarding to you, but ive seen "individuals" just smash the router the isp uses, and take out the whole isp
My best advice is , TRY your best not to get on the bad side of these ppl because its extremely hard to battle,
My personal advice is Syn cookies, Disable Icmp for outbound, hopefully they may get the hint some times your server is not responding
because they almost always send a constant ping to you to monitor there own handy work see if you went down.
They usually target services to hope to consume resources, sometimes its better to have a separate router to take the brunt of the attack, and maybe have a secondary link to your "server" ?
this can prove a little frustrating to them, if you appear, too hard they will move on.

but thats syn floods, different to torrents

Who is online

Users browsing this forum: akakua, fivestar, sankitahmasu, sindy and 76 guests