posetr
just joined
Topic Author
Posts: 7
Joined: Thu Feb 14, 2013 6:00 pm

Syn flood protection

Thu Feb 21, 2013 11:40 pm

Hello, I am searching for a way to protect from SYN floods from spoofed addresses since I bought the RouterBOARD CCR1036-12G-4S, without any luck.
When a SYN attack hits the MikroTik above 50 Mbit (approx. 5000 pps) the CPU goes crazy and makes the device inaccessible. I found some articles which block all new requests when a SYN attack comes. So it won't help, because the whole network is already inaccessible with the rules below:
http://wiki.mikrotik.com/wiki/DoS_attack_protection

Any advice appreciated :(
 
nmaton
Frequent Visitor
Posts: 72
Joined: Fri Feb 18, 2011 12:31 am

Re: Syn flood protection

Sat Mar 02, 2013 4:10 pm

Have you tried to disable connection tracking for a short period of time?
All connections are then new after you re-enable it.

Connection tracking is in IP firewall.
Nicolas Maton
nicolasmaton@gmail.com

CCNA/ CCDA
MTCNA / MTCTCE

Available for Mikrotik Consulting
 
raz
Member Candidate
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Syn flood protection

Sun Mar 03, 2013 11:00 pm

Try to analyze the TCP packets and search for a pattern. It seems the packets have len 0 or 1; then you can easily drop them. On my 1100AH with 1.5 GB RAM I can block 100k pps in this case, but then the CPU is at 95%.
 
texmeshtexas
newbie
Posts: 36
Joined: Sat Oct 11, 2008 11:17 pm

Re: Syn flood protection

Sat Mar 22, 2014 2:32 am

I've found that this does not work.

http://wiki.mikrotik.com/wiki/DoS_attack_protection
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no

The limit rule matches anything over the 400,5. So low connections will be dropped!
The 2nd and 3rd rules need the action swapped.
Anyone agree?
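As an added illustration (not part of this thread), here is a token-bucket model of the `limit` matcher run against a constructed SYN stream, comparing the two rule orderings discussed above: limit matcher on the accept rule followed by drop, versus limit matcher on the drop rule followed by accept. It assumes the RouterOS `limit=rate,burst` matcher behaves as documented, matching packets while the bucket still has tokens, with the bucket starting at `burst` and refilling at `rate` tokens per second; all packet timings are constructed, not captured traffic.

```python
from dataclasses import dataclass


@dataclass
class LimitMatcher:
    """Token-bucket model of `limit=rate,burst`: fires while tokens remain.
    The bucket starts full at `burst` and refills `rate` tokens per second."""
    rate: float
    burst: float
    tokens: float = None
    last_t: float = 0.0

    def __post_init__(self):
        if self.tokens is None:
            self.tokens = float(self.burst)

    def matches(self, t: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(timestamps, limited_action, rate=400, burst=5):
    """Walk a SYN stream through a two-rule chain: the first rule carries the
    limit matcher and takes `limited_action` ('accept' or 'drop'); the second
    rule applies the opposite action to everything else. Returns (accepted, dropped)."""
    other = "drop" if limited_action == "accept" else "accept"
    matcher = LimitMatcher(rate=rate, burst=burst)
    counts = {"accept": 0, "drop": 0}
    for t in timestamps:
        counts[limited_action if matcher.matches(t) else other] += 1
    return counts["accept"], counts["drop"]


def syn_stream(pps: int, seconds: float = 1.0):
    """Constructed, evenly spaced SYN arrival times (not captured traffic)."""
    return [i / pps for i in range(int(pps * seconds))]


def compare(pps: int):
    """Both orderings on one stream: {'limit->accept': (acc, drop), 'limit->drop': (acc, drop)}."""
    return {
        "limit->accept": run_chain(syn_stream(pps), "accept"),
        "limit->drop": run_chain(syn_stream(pps), "drop"),
    }


if __name__ == "__main__":
    for pps in (50, 5000):  # a quiet link, then a flood like the 5000 pps in the first post
        print(f"{pps} SYN/s:", compare(pps))
```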
