Dealing with massive DDoS

Posted: Tue Mar 26, 2013 12:11 pm
by majkel
Hello :)

I need help with optimizing my firewall rules. I have a CCR 1036 with 14 Gbit of bandwidth.

When I get a DDoS attack on UDP everything is great. I observed an attack near 8 Gbit and the CPU of all cores was maybe 5%.

The problem is when I get a DDoS attack on TCP.

On attacks near 500 Mbit all cores are using 100% CPU.

On 250 Mbit, about 50%.

On a 50 Mbit attack, 10%.

Can someone help me with this?

TCP syncookies are enabled in firewall connection tracking.

Thank you.

7 ;;; Block UDP port 80
chain=forward action=drop protocol=udp port=80

8 chain=input action=accept src-address=80.72.*.*

9 ;;; Whitelist
chain=forward action=accept src-address-list=white_list dst-address-list=""

10 ;;; accept established connection packets
chain=input action=accept connection-state=established

11 ;;; accept related connection packets
chain=input action=accept connection-state=related

12 ;;; drop invalid packets
chain=input action=drop connection-state=invalid

13 ;;; detect and drop port scan connections
chain=input action=drop protocol=tcp psd=21,3s,3,1

14 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list connection-limit=3,32

15 ;;; detect DoS attack
chain=input action=add-src-to-address-list protocol=tcp address-list=black_list address-list-timeout=1d connection-limit=100,32

16 ;;; jump to chain ICMP
chain=input action=jump jump-target=ICMP protocol=icmp

17 ;;; jump to chain services
chain=input action=jump jump-target=services

18 ;;; Allow Broadcast Traffic
chain=input action=accept dst-address-type=broadcast

19 chain=input action=log log-prefix="Filter:"

20 ;;; 0:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5

21 ;;; 3:3 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5

22 ;;; 3:4 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5

23 ;;; 8:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5

24 ;;; 11:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5

25 ;;; drop everything else
chain=input action=drop

26 ;;; Drop everything else
chain=ICMP action=drop protocol=icmp

27 ;;; accept localhost
chain=services action=accept dst-address=127.0.0.1 src-address-list=127.0.0.1

28 ;;; allow MACwinbox
chain=services action=accept protocol=udp dst-port=20561

29 ;;; allow winbox
chain=services action=accept protocol=tcp dst-port=8291

30 ;;; MT API
chain=services action=accept protocol=tcp dst-port=8728

31 ;;; MT Discovery Protocol
chain=services action=accept protocol=udp dst-port=5678

32 ;;; allow SNMP
chain=services action=accept protocol=tcp dst-port=161

33 ;;; allow DNS request
chain=services action=accept protocol=tcp dst-port=53

34 ;;; Web
chain=services action=accept protocol=tcp dst-port=2222

35 ;;; Allow DNS request
chain=services action=accept protocol=udp dst-port=53

36 chain=services action=return

37 ;;; ETOP DNS
chain=forward action=accept src-address-list=ETOP

38 ;;; ETOP DNS
chain=forward action=accept dst-address-list=ETOP

39 ;;; allow related connections
chain=forward action=accept connection-state=related

40 ;;; Valid packets
chain=forward action=accept connection-state=established

41 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid

42 ;;; SYN Flood protect
chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp

43 chain=SYN-Protect action=accept tcp-flags=syn connection-state=new protocol=tcp limit=1000,100 dst-limit=0,5,dst-address/1m40s

44 chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp

45 chain=forward action=jump jump-target=detect-ddos connection-state=new

46 chain=forward action=log connection-state=new hotspot="" log-prefix="ddos_udp:"

47 chain=detect-ddos_TCP action=return dst-limit=30/1m,5,src-and-dst-addresses/10s

48 ;;; packet size 500-65000
chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=1h packet-size=500-65000

49 ;;; Rate limit UDP
chain=detect-ddos action=return dst-limit=30/1m,5,src-and-dst-addresses/10s

50 chain=detect-ddos action=return src-address=80.72.*.*

51 chain=detect-ddos action=return src-address=80.72.*.*

52 chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10h30m

53 chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10h

54 ;;; Drop from ddoser-list
chain=forward action=drop src-address-list=ddoser dst-address-list=ddosed

55 chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed

Re: Dealing with massive DDoS

Posted: Wed Mar 27, 2013 10:51 pm
by Chupaka
Please read my topic http://forum.mikrotik.com/viewtopic.php?f=2&t=54607 about DDoS and 'connection-limit' :)

Re: Dealing with massive DDoS

Posted: Mon Apr 01, 2013 3:01 pm
by raz
The connlimit will not help; it seems there is a problem with spoofed source IPs. Yes, there are a lot of DCs that allow this...

The problem here is SYN, called "Super Syn" by the script kiddies... Here is an example of what they are using:
    iph->ihl = 5;
    iph->version = 4;
    iph->tos = 0;
    iph->tot_len = sizeof (struct ip) + sizeof (struct tcphdr);
    iph->id = htonl (54321); 
    iph->frag_off = 0;
    iph->ttl = 255;
    iph->protocol = IPPROTO_TCP;
    iph->check = 0; 
    iph->saddr = inet_addr(ip); 
    iph->daddr = sin.sin_addr.s_addr;
 
    iph->check = csum ((unsigned short *) packet, iph->tot_len >> 1);
 
    tcph->source = htons (1234);
    tcph->dest = htons (80);
    tcph->seq = 0;
    tcph->ack_seq = 0;
    tcph->doff = 5;
    tcph->fin=0;
    tcph->syn=1;
    tcph->rst=0;
    tcph->psh=0;
    tcph->ack=0;
    tcph->urg=0;
    tcph->window = htons (5840);
    tcph->check = 0;/* We fill this in later */
    tcph->urg_ptr = 0;
This script kills the strongest CCR in 30 seconds without filtering.
You see the flags? Create a filter and filter the scheme of these attacker packets. So I can filter up to 500k pps (!) on my CCR. I only run BGP there and my bandwidth is on average 100-150 Mbit/s. My best was around 900 Mbit SYN, with 50-60% CPU usage, but the attackers always used the same packet:
0000: d4 ca 6d 77 7f a3 84 18  88 06 10 52 08 00 45 00  ..mw.... ...R..E.
0010: 02 1c 28 c8 00 00 3d 06  5d 65 34 3a fe 27 05 53  ..(...=. ]e4:.'.S
0020: bd fa 99 40 00 50 15 ab  3d bb 1b be 46 2e 50 02  ...@.P.. =...F.P.
0030: 00 40 22 d6 00 00 58 58  58 58 58 58 58 58 58 58  .@"...XX XXXXXXXX
0040: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0050: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0060: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0070: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0080: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0090: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00a0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00b0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00c0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00d0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00e0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
00f0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0100: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0110: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0120: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0130: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0140: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0150: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0160: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0170: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0180: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0190: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01a0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01b0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01c0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01d0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01e0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
01f0: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0200: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0210: 58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXX XXXXXXXX
0220: 58 58 58 58 58 58 58 58  58 58                    XXXXXXXX XX
The problem with MikroTik is that it isn't possible to filter packets specified by length.
tshark tcp port 80
0.787910 151.46.220.237 -> { MY IP } TCP 37424 > http [SYN] Seq=0 Win=512 Len=0
0.787913 151.46.220.244 -> { MY IP } TCP 36658 > http [SYN] Seq=0 Win=512 Len=0
0.787915 151.46.220.245 -> { MY IP } TCP 19989 > http [SYN] Seq=0 Win=512 Len=0
0.787917 151.46.220.243 -> { MY IP } TCP 25404 > http [SYN] Seq=0 Win=512 Len=0
In this case of DDoS you have to search for patterns, and yes, it's a game: you always have to change something in your /ip firewall, because the attackers change parameters.
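The pattern search raz describes, as an added Python example that is not part of this thread and not anything from RouterOS: it parses the hex dump posted above (only the first four rows are pasted in; every remaining row of that frame is 0x58, an ASCII 'X', so the tail is regenerated to the dump's stated length), decodes the Ethernet/IPv4/TCP headers, and lists the traits that separate this SYN from what a normal client stack sends. It also tallies the Win/Len pairs from the tshark lines, which is the quickest way to see a flood collapsing onto one fixed packet shape. The function names and the window threshold of 1024 are my own choices, not values from the post.

```python
import re
import struct
from collections import Counter

# First four rows of the frame raz posted (verbatim from the thread). Rows
# 0x0040..0x0229 of that dump are all 0x58 ('X'), so they are regenerated
# below instead of being pasted in full.
HEXDUMP_HEAD = """\
0000: d4 ca 6d 77 7f a3 84 18  88 06 10 52 08 00 45 00  ..mw.... ...R..E.
0010: 02 1c 28 c8 00 00 3d 06  5d 65 34 3a fe 27 05 53  ..(...=. ]e4:.'.S
0020: bd fa 99 40 00 50 15 ab  3d bb 1b be 46 2e 50 02  ...@.P.. =...F.P.
0030: 00 40 22 d6 00 00 58 58  58 58 58 58 58 58 58 58  .@"...XX XXXXXXXX
"""
FRAME_LEN = 0x22A  # the dump ends at offset 0x0229: 554 bytes on the wire

# tshark one-line summaries from the same post ("{ MY IP }" is the poster's redaction)
TSHARK_LINES = """\
0.787910 151.46.220.237 -> { MY IP } TCP 37424 > http [SYN] Seq=0 Win=512 Len=0
0.787913 151.46.220.244 -> { MY IP } TCP 36658 > http [SYN] Seq=0 Win=512 Len=0
0.787915 151.46.220.245 -> { MY IP } TCP 19989 > http [SYN] Seq=0 Win=512 Len=0
0.787917 151.46.220.243 -> { MY IP } TCP 25404 > http [SYN] Seq=0 Win=512 Len=0
"""

ROW_RE = re.compile(r"^([0-9a-f]{4}): (.*)$")
BYTE_RE = re.compile(r"^[0-9a-f]{2}$")

def parse_hexdump(text):
    """Turn 'offset: 16 hex bytes  ascii' rows into bytes. The hex field is
    fixed-width (48 chars), so the ASCII column is sliced off rather than
    parsed; that way hex-looking ASCII can never be mistaken for data."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("row offset does not match bytes parsed so far")
        tokens = m.group(2)[:48].split()
        if not all(BYTE_RE.match(t) for t in tokens):
            raise ValueError("bad hex row: " + line)
        out.extend(int(t, 16) for t in tokens)
    return bytes(out)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def decode_frame(frame):
    """Decode Ethernet II + IPv4 + TCP headers into the fields that matter
    for fingerprinting a flood (not a general-purpose protocol parser)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4          # TCP header length incl. options
    flags = off_flags & 0x01FF
    return {
        "ttl": ttl, "ip_len": total_len, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "tcp_hdr_len": doff, "window": window,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload_len": total_len - ihl - doff,
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
    }

def syn_anomalies(pkt):
    """Traits of a bare SYN that a real client stack essentially never shows.
    Each one is a usable match condition; several together make a signature."""
    reasons = []
    if pkt["flags"] != ["SYN"]:
        return reasons                    # only pure SYNs are of interest here
    if pkt["payload_len"] > 0:
        reasons.append("SYN carries %d payload bytes" % pkt["payload_len"])
    if pkt["tcp_hdr_len"] == 20:
        reasons.append("no TCP options (no MSS/SACK/window scale)")
    if pkt["window"] < 1024:              # threshold is a heuristic of this example
        reasons.append("tiny window %d" % pkt["window"])
    if pkt["ack"] != 0:
        reasons.append("ack number set while ACK flag is clear")
    return reasons

def tshark_syn_profile(text):
    """Count (window, payload length) pairs of SYNs in tshark summary output;
    a flood collapses onto one pair, real clients spread across many."""
    pat = re.compile(r"\[SYN\] Seq=\d+ Win=(\d+) Len=(\d+)")
    return Counter((int(w), int(l)) for w, l in pat.findall(text))

if __name__ == "__main__":
    head = parse_hexdump(HEXDUMP_HEAD)
    frame = head + b"X" * (FRAME_LEN - len(head))   # regenerate the 'X' tail
    pkt = decode_frame(frame)
    print(pkt)
    for reason in syn_anomalies(pkt):
        print("  -", reason)
    print(tshark_syn_profile(TSHARK_LINES))
```

The decoded frame is a SYN with a 500-byte payload, no TCP options, window 64 and a non-zero acknowledgement number; the tshark sample is a different generator (window 512, no payload, seq 0) but equally uniform. Those are the fields a firewall rule would key on (tcp-flags, packet-size, and where the platform exposes it, window), and the tally is what tells you when the attacker has changed parameters and the rule needs refreshing.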

Re: Dealing with massive DDoS

Posted: Sat Apr 13, 2013 9:47 am
by majkel
raz, can you contact me? michal@skyblue.pl

Re: Dealing with massive DDoS

Posted: Sat Apr 13, 2013 4:35 pm
by raz
I sent you a mail :-)

Re: Dealing with massive DDoS

Posted: Sat Apr 20, 2013 6:27 pm
by tgrand
Wow, we took an attack at 800 Mbps on UDP port 0.
The only way to combat it is to have the attacked address on your local address space blocked further upstream.