ners
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Mar 12, 2013 4:30 pm

Per connection limit per time interval with burst on Mikrotik

Tue Mar 12, 2013 4:34 pm

Hello, I'm moving from a FreeBSD-based router to a RouterBoard. I'm currently on 6.0rc11.

I've been trying to implement anti-DDoS protection for my servers, but I can't quite figure it out. Is there a way to mimic this set of PF rules?

# anti ddos from 80 port
table <ddos80> persist
block in quick from <ddos80>

pass in quick on $AFF proto tcp from any to 81.200.12.10 port 80 keep state \
(max-src-conn 70, max-src-conn-rate 40/5, overload <ddos80> flush)

pass in quick on vlan500 proto tcp from any to 81.200.12.10 port 80 keep state \
(max-src-conn 70, max-src-conn-rate 40/5, overload <ddos80> flush)

To my current understanding, Mikrotik cannot do that (connlimit per time interval, per IP, and with burst)?
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: Per connection limit per time interval with burst on Mikrotik

Tue Mar 12, 2013 5:09 pm

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
Read about 'dst-limit' matcher.

HTH,
Grzegorz | MTCNA, MTCRE, MTCSE | MikroTik consulting, Warsaw
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
ners
Topic Author

Re: Per connection limit per time interval with burst on Mikrotik

Tue Mar 12, 2013 5:15 pm

> http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
> Read about 'dst-limit' matcher.
>
> HTH,

I read about it, but it does not solve my problem, since it doesn't differentiate between separate source IPs. I mean it doesn't support a separate counter for each source IP; it's a global counter.
And also it limits packets per time interval, not connections per time interval (although I could work around that by tracking SYNs).
Last edited by ners on Tue Mar 12, 2013 5:26 pm, edited 1 time in total.
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Per connection limit per time interval with burst on Mikrotik

Tue Mar 12, 2013 5:25 pm

If you set limit by src and dest then it will.
 
ners
Topic Author

Re: Per connection limit per time interval with burst on Mikrotik

Tue Mar 12, 2013 5:53 pm

Hm, do I understand this correctly, that this rule:

add action=jump chain=forward connection-state=new dst-port=80 jump-target=anti-ddos protocol=tcp
add action=return chain=anti-ddos dst-limit=40/5s,70,src-and-dst-addresses/1h

will match from a single IP up to 70 new connections (burst) and then 40 new connections in an interval of 5 seconds? The pair src-addr/dst-addr expires in 1 hour (I don't really understand what happens after it expires).
Will this work as I describe?
 
ditonet

Re: Per connection limit per time interval with burst on Mikrotik

Tue Mar 12, 2013 10:44 pm

IMHO it should be:

add action=jump chain=forward connection-state=new dst-port=80 jump-target=anti-ddos protocol=tcp
add action=return chain=anti-ddos dst-limit=40/5s,70,src-and-dst-addresses/1h
add action=drop chain=anti-ddos

Line 2 allows up to 40 new connections in an interval of 5 seconds; line 3 explicitly drops packets if the number of new connections is above 40/5s.
This post should also be useful for you in case of a DDoS attack.

> The pair src-addr/dst-addr expires in 1 hour (I don't really understand what happens after it expires).

All counters for this particular src-addr/dst-addr pair are deleted and measurement starts from the beginning.

HTH,
Grzegorz | MTCNA, MTCRE, MTCSE | MikroTik consulting, Warsaw
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
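
The following is an added illustration, not code from this thread or from MikroTik: a small Python model of what the anti-ddos chain in ners's question and ditonet's answer (burst 70, then 40 new connections per 5 s, keyed on src-and-dst-addresses, forgotten after 1 h idle) does to a constructed stream of new connections. It assumes dst-limit behaves like a per-flow token bucket (capacity = burst, refilled at count/time, one token per matched packet, flow forgotten after `expire` idle seconds); the page itself does not spell out the algorithm, so treat that as a modelling assumption. The optional `overload_timeout` goes one step beyond the thread and reproduces the PF `overload <ddos80>` behaviour from the first post, where an offending source is blocked outright for a while rather than merely rate-limited; the addresses, times and traffic mix are all made up for the example.

```python
"""Model of the RouterOS 'dst-limit' matcher as a per-flow token bucket.

Added example, not the forum's or MikroTik's code.  Assumption: dst-limit
is a token bucket with 'burst' tokens of capacity, refilled at count/time
tokens per second, spending one token per matched packet, and a flow with
no packets for 'expire' seconds is forgotten and recreated full.
"""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    last: float     # timestamp of the last packet seen for this flow


@dataclass
class DstLimit:
    count: int      # packets per `interval` (40 in the thread)
    interval: float # seconds (5 in the thread)
    burst: int      # bucket capacity (70 in the thread)
    expire: float   # idle seconds before the flow entry is dropped (3600)
    flows: dict = field(default_factory=dict)

    def match(self, key, now):
        """True if this packet is still under the limit (the rule matches)."""
        rate = self.count / self.interval
        b = self.flows.get(key)
        if b is None or now - b.last >= self.expire:
            # new flow, or one whose counters expired: start from a full bucket
            b = Bucket(tokens=float(self.burst), last=now)
            self.flows[key] = b
        b.tokens = min(self.burst, b.tokens + (now - b.last) * rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False


def filter_new_connections(events, limiter, overload_timeout=None):
    """Apply the thread's anti-ddos chain to (t, src, dst) new connections.

    dst-limit matches -> return (accept); otherwise -> drop.  When
    overload_timeout is set, a source that gets dropped is also blocked
    for that many seconds, like PF's `overload <ddos80>`; in RouterOS
    that would be action=add-src-to-address-list on the drop path plus a
    src-address-list=... action=drop rule ahead of the jump (assumption,
    not part of the thread's rule set).
    """
    blocked = {}   # src -> time until which it stays on the block list
    stats = {}
    for t, src, dst in events:
        s = stats.setdefault(src, {"accepted": 0, "dropped": 0})
        if overload_timeout is not None and blocked.get(src, -1.0) > t:
            s["dropped"] += 1          # already on the block list
            continue
        if limiter.match((src, dst), t):
            s["accepted"] += 1
        else:
            s["dropped"] += 1
            if overload_timeout is not None:
                blocked[src] = t + overload_timeout
    return stats


def example_events():
    """Constructed traffic (not a capture): an abusive host 10.0.0.1 and a
    well-behaved host 10.0.0.2, both opening connections to 81.200.12.10."""
    ev = [(0.0, "10.0.0.1", "81.200.12.10")] * 100      # burst of 100 SYNs
    ev += [(5.0, "10.0.0.1", "81.200.12.10")] * 50      # 50 more, 5 s later
    ev += [(5.0, "10.0.0.2", "81.200.12.10")] * 10      # unrelated host
    ev += [(3700.0, "10.0.0.1", "81.200.12.10")] * 100  # after >1 h idle
    return ev


def run_example(overload_timeout=None):
    """Run the thread's parameters (40/5s, burst 70, expire 1h) over the
    constructed events and return per-source accepted/dropped counts."""
    limiter = DstLimit(count=40, interval=5, burst=70, expire=3600)
    return filter_new_connections(example_events(), limiter, overload_timeout)


if __name__ == "__main__":
    print("rate-limit only:", run_example())
    print("with 10 min overload block:", run_example(overload_timeout=600))
```

With the rate limit alone, 10.0.0.1 gets 70 connections through at t=0 (the burst), 40 of the 50 at t=5 (the refill of 40 per 5 s), and a fresh 70 after the hour-long idle period, while 10.0.0.2 is unaffected because the flow key includes the source address. With the overload block, everything from 10.0.0.1 after its first excess packet is dropped until the block list entry times out, which is the behaviour the PF rules in the first post produce and which the plain `action=drop` line in ditonet's chain does not.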
