majkel
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 16, 2013 8:23 am

Dealing with massive DDoS

Tue Mar 26, 2013 12:11 pm

Hello :)

I need help with optimization of my firewall rules. I have a CCR 1036 with 14Gbit of bandwidth.

When I get a DDoS attack on UDP everything is great. I observed an attack near 8Gbit and the CPU of all cores was maybe 5%.

The problem is when I get a DDoS attack on TCP.

On attacks near 500Mbit all cores are at 100% CPU.

On 250Mbit, about 50%.

On a 50Mbit attack, 10%.

Can someone help me with this?

TCP SYN cookies are enabled in firewall connection tracking.

Thank you
7 ;;; Block UDP port 80
chain=forward action=drop protocol=udp port=80

8 chain=input action=accept src-address=80.72.*.*

9 ;;; Whitelist
chain=forward action=accept src-address-list=white_list dst-address-list=""

10 ;;; accept established connection packets
chain=input action=accept connection-state=established

11 ;;; accept related connection packets
chain=input action=accept connection-state=related

12 ;;; drop invalid packets
chain=input action=drop connection-state=invalid

13 ;;; detect and drop port scan connections
chain=input action=drop protocol=tcp psd=21,3s,3,1

14 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list connection-limit=3,32

15 ;;; detect DoS attack
chain=input action=add-src-to-address-list protocol=tcp address-list=black_list address-list-timeout=1d connection-limit=100,32

16 ;;; jump to chain ICMP
chain=input action=jump jump-target=ICMP protocol=icmp

17 ;;; jump to chain services
chain=input action=jump jump-target=services

18 ;;; Allow Broadcast Traffic
chain=input action=accept dst-address-type=broadcast

19 chain=input action=log log-prefix="Filter:"

20 ;;; 0:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5

21 ;;; 3:3 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5

22 ;;; 3:4 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5

23 ;;; 8:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5

24 ;;; 11:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5

25 ;;; drop everything else
chain=input action=drop

26 ;;; Drop everything else
chain=ICMP action=drop protocol=icmp

27 ;;; accept localhost
chain=services action=accept dst-address=127.0.0.1 src-address-list=127.0.0.1

28 ;;; allow MACwinbox
chain=services action=accept protocol=udp dst-port=20561

29 ;;; allow winbox
chain=services action=accept protocol=tcp dst-port=8291

30 ;;; MT API
chain=services action=accept protocol=tcp dst-port=8728

31 ;;; MT Discovery Protocol
chain=services action=accept protocol=udp dst-port=5678

32 ;;; allow SNMP
chain=services action=accept protocol=tcp dst-port=161

33 ;;; allow DNS request
chain=services action=accept protocol=tcp dst-port=53

34 ;;; Web
chain=services action=accept protocol=tcp dst-port=2222

35 ;;; Allow DNS request
chain=services action=accept protocol=udp dst-port=53

36 chain=services action=return

37 ;;; ETOP DNS
chain=forward action=accept src-address-list=ETOP

38 ;;; ETOP DNS
chain=forward action=accept dst-address-list=ETOP

39 ;;; allow related connections
chain=forward action=accept connection-state=related

40 ;;; Valid packets
chain=forward action=accept connection-state=established

41 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid

42 ;;; SYN Flood protect
chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp

43 chain=SYN-Protect action=accept tcp-flags=syn connection-state=new protocol=tcp limit=1000,100 dst-limit=0,5,dst-address/1m40s

44 chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp

45 chain=forward action=jump jump-target=detect-ddos connection-state=new

46 chain=forward action=log connection-state=new hotspot="" log-prefix="ddos_udp:"

47 chain=detect-ddos_TCP action=return dst-limit=30/1m,5,src-and-dst-addresses/10s

48 ;;; packet size 500-65000
chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=1h packet-size=500-65000

49 ;;; Rate limit UDP
chain=detect-ddos action=return dst-limit=30/1m,5,src-and-dst-addresses/10s

50 chain=detect-ddos action=return src-address=80.72.*.*

51 chain=detect-ddos action=return src-address=80.72.*.*

52 chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10h30m

53 chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10h

54 ;;; Drop from ddoser-list
chain=forward action=drop src-address-list=ddoser dst-address-list=ddosed

55 chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Dealing with massive DDoS

Wed Mar 27, 2013 10:51 pm

Please read my topic http://forum.mikrotik.com/viewtopic.php?f=2&t=54607 about DDoS and 'connection-limit' :)
 
raz
Member Candidate
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Dealing with massive DDoS

Mon Apr 01, 2013 3:01 pm

The connlimit will not help; it seems there is a problem with spoofed source IPs. Yes, there are a lot of DCs that allow this...

The problem here is SYN, called "Super Syn" by the script kiddies... Here is an example of what they are using:
    iph->ihl = 5;
    iph->version = 4;
    iph->tos = 0;
    iph->tot_len = sizeof (struct ip) + sizeof (struct tcphdr);
    iph->id = htonl (54321); 
    iph->frag_off = 0;
    iph->ttl = 255;
    iph->protocol = IPPROTO_TCP;
    iph->check = 0; 
    iph->saddr = inet_addr(ip); 
    iph->daddr = sin.sin_addr.s_addr;
 
    iph->check = csum ((unsigned short *) packet, iph->tot_len >> 1);
 
    tcph->source = htons (1234);
    tcph->dest = htons (80);
    tcph->seq = 0;
    tcph->ack_seq = 0;
    tcph->doff = 5;
    tcph->fin=0;
    tcph->syn=1;
    tcph->rst=0;
    tcph->psh=0;
    tcph->ack=0;
    tcph->urg=0;
    tcph->window = htons (5840);
    tcph->check = 0;/* We fill this in later */
    tcph->urg_ptr = 0;
This script kills the strongest CCR in 30 seconds without filtering.
You see the flags? Create a filter and filter the scheme of these attacker packets. This way I can filter up to 500k pps (!) on my CCR. I only run BGP there and my bandwidth is on average 100-150 MBit/s. My best was around 900 MBit SYN, with 50-60% CPU usage, but the attackers always used the same packet:
0000: d4 ca 6d 77 7f a3 84 18  88 06 10 52 08 00 45 00  ..mw.... ...R..E.
0010: 02 1c 28 c8 00 00 3d 06  5d 65 34 3a fe 27 05 53  ..(...=. ]e4:.'.S
0020: bd fa 99 40 00 50 15 ab  3d bb 1b be 46 2e 50 02  ...@.P.. =...F.P.
0030: 00 40 22 d6 00 00 58 58  58 58 58 58 58 58 58 58  .@"...XX XXXXXXXX
0040: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0050: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0060: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0070: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0080: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0090: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00a0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00b0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00c0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00d0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00e0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00f0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0100: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0110: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0120: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0130: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0140: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0150: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0160: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0170: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0180: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0190: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01a0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01b0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01c0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01d0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01e0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01f0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0200: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0210: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0220: 58 58 58 58 58 58 58 58  58 58                    XXXXXXXX XX
The problem with MikroTik is that it isn't possible to filter packets specified by length.
tshark tcp port 80
0.787910 151.46.220.237 -> { MY IP } TCP 37424 > http [SYN] Seq=0 Win=512 Len=0
0.787913 151.46.220.244 -> { MY IP } TCP 36658 > http [SYN] Seq=0 Win=512 Len=0
0.787915 151.46.220.245 -> { MY IP } TCP 19989 > http [SYN] Seq=0 Win=512 Len=0
0.787917 151.46.220.243 -> { MY IP } TCP 25404 > http [SYN] Seq=0 Win=512 Len=0
In this case of DDoS you have to search for patterns, and yes, it's a game: you always have to change something in your /ip firewall, because the attackers change parameters.
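The advice above is to find the pattern in the attacker's packets and filter on it. As an added example (my own code, not from the thread or from MikroTik), the script below rebuilds the 554-byte frame from the header lines of the hex dump in this post, extracts the fields that distinguish it (a SYN carrying a 500-byte payload of one repeated byte, window 64, IP total length 540) and turns them into a RouterOS filter line using the tcp-flags and packet-size matchers that already appear in majkel's rule set. The rule shape, and reading packet-size as the IP total length, are assumptions.

```python
import struct

# Hex-dump header lines reproduced from raz's post (offset: 16 bytes, ASCII column).
# The dump continues with 0x58 ('X') padding to offset 0x229; that run is regenerated.
DUMP_HEAD = """\
0000: d4 ca 6d 77 7f a3 84 18  88 06 10 52 08 00 45 00  ..mw.... ...R..E.
0010: 02 1c 28 c8 00 00 3d 06  5d 65 34 3a fe 27 05 53  ..(...=. ]e4:.'.S
0020: bd fa 99 40 00 50 15 ab  3d bb 1b be 46 2e 50 02  ...@.P.. =...F.P.
0030: 00 40 22 d6 00 00 58 58  58 58 58 58 58 58 58 58  .@"...XX XXXXXXXX
"""
FRAME_LEN = 0x22A  # last dump line is 0220 with 10 bytes: 554 bytes on the wire

def parse_hexdump(text: str) -> bytes:
    """Rebuild bytes from 'offset: hh hh ... ascii' lines; only the 16 hex tokens count."""
    out = bytearray()
    for line in text.splitlines():
        out += bytes(int(tok, 16) for tok in line.split(":", 1)[1].split()[:16])
    return bytes(out)

def load_frame() -> bytes:
    frame = parse_hexdump(DUMP_HEAD)
    return frame + b"X" * (FRAME_LEN - len(frame))  # the padding the post shows as XXXX...

def syn_signature(frame: bytes) -> dict:
    """Fields that make the flood recognisable. Assumes untagged Ethernet II, IPv4 with the
    header length given by IHL, and TCP as the transport."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    payload = tcp[(off_flags >> 12) * 4:]
    return {"ttl": ttl, "proto": proto, "src_port": sport, "dst_port": dport,
            "syn_only": (off_flags & 0x1FF) == 0x002, "window": window,
            "ip_len": total_len, "payload_len": len(payload),
            "payload_uniform": len(set(payload)) == 1}

def routeros_rule(sig: dict) -> str:
    """Assumed RouterOS filter line for this pattern. A SYN carrying data is abnormal
    (TCP Fast Open aside), so SYN + payload + fixed size is the discriminator; tcp-flags and
    packet-size are matchers the thread's own rules use, packet-size taken as IP total length."""
    if not (sig["proto"] == 6 and sig["syn_only"] and sig["payload_len"] > 0):
        return ""  # a bare SYN is normal client behaviour; nothing to single out
    return (f"/ip firewall filter add chain=forward protocol=tcp dst-port={sig['dst_port']} "
            f"tcp-flags=syn,!ack packet-size={sig['ip_len']} action=drop "
            f"comment=\"SYN with {sig['payload_len']}-byte payload, win={sig['window']}\"")
```

The tshark lines further down show a different variant (Win=512, Len=0), which is why the rule is built from extracted fields rather than hard-coded: rerun the extraction on a fresh capture when the attacker changes parameters.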
 
majkel
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 16, 2013 8:23 am

Re: Dealing with massive DDoS

Sat Apr 13, 2013 9:47 am

raz, can you contact me? michal@skyblue.pl
 
raz
Member Candidate
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: Dealing with massive DDoS

Sat Apr 13, 2013 4:35 pm

I sent you a mail :-)
 
tgrand
Long time Member
Posts: 671
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: Dealing with massive DDoS

Sat Apr 20, 2013 6:27 pm

Wow, we took an attack at 800Mbps on UDP port 0.
The only way to combat it is to have the attacked address in your local address space blocked further upstream.
