nuclearcat
Member Candidate
Topic Author
Posts: 115
Joined: Fri Jun 02, 2006 1:52 pm

raw table, NOTRACK, SYN flood

Sat Dec 14, 2013 3:46 am

Hi

I have customers who love your products, are subject to DDoS attacks (SYN flood), and it hurts that MikroTik doesn't have a "notrack" target: a plain SYN flood against their CCR will push the CPU to 100%.
If it had -j NOTRACK (or, on newer kernels, -j CT --notrack), this could be solved; they need conntrack only for a special case and cannot turn it off completely.
Please consider adding this option. It should be very trivial to do, and it will help a lot of people solve their issues with conntrack overflow.
If possible, take this matter seriously, because the only choice I have is either to show them how perfect MikroTik support is, or to explain that it is not and move them to an alternative solution.

Thank you.
 
DrDeft
just joined
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Re: raw table, NOTRACK, SYN flood

Sat Dec 14, 2013 7:44 pm

We can confirm this issue. It is impossible to solve on any version of RouterOS. Anybody can cause 100% CPU load on a CCR or any other MikroTik router. It hurts...
 
DrDeft
just joined
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Re: raw table, NOTRACK, SYN flood

Fri Dec 20, 2013 3:08 pm

up
 
eflanery
Member
Posts: 376
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID

Re: raw table, NOTRACK, SYN flood

Fri Dec 20, 2013 9:02 pm

+1, would be a great addition.

But, it is currently possible to solve the problem using two MT devices.

One closest to the link where the SYN floods are received, with conntrack disabled and stateless firewall rules to drop the problematic packets.

Then another MT device behind that, with conntrack enabled, performing whatever conntrack-utilizing operations you need.

--Eric
 
DrDeft
just joined
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Re: raw table, NOTRACK, SYN flood

Fri Jan 10, 2014 9:54 pm

up
 
doush
Long time Member
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: raw table, NOTRACK, SYN flood

Fri Jan 17, 2014 12:22 pm

+1.
Easily 100% under DDoS.
 
DrDeft
just joined
Posts: 21
Joined: Sat Jun 30, 2012 2:16 pm

Re: raw table, NOTRACK, SYN flood

Sun Feb 02, 2014 3:55 pm

Is it fixed in ROS 6.9?
 
lavv17
Member Candidate
Posts: 120
Joined: Sat Sep 01, 2007 9:01 am

Re: raw table, NOTRACK, SYN flood

Fri Jun 10, 2016 4:05 pm

+1
This addition could save some resources on the routers.
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: raw table, NOTRACK, SYN flood

Fri Jun 10, 2016 4:11 pm

FYI, it is implemented:
What's new in 6.36rc...:
...
*) firewall - added "/interface list" menu which allows to create a list of interfaces which can be used as in/out-interface-list matcher in firewall;
*) firewall - added pre-connection-tracking filter - "raw" table, that allows protecting connection tracking from unnecessary traffic;
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
...
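As an added example (not from the thread, the changelog, or MikroTik's documentation), here is how the raw table from 6.36 collapses Eric's two-device layout above into a single router: traffic to and from the flooded public host is marked notrack before conntrack ever sees it and is filtered statelessly, while the LAN behind the same box keeps connection tracking for NAT. The interface name ether1, the server address 203.0.113.10 and the LAN prefix 10.0.0.0/24 are assumptions for illustration only.

```routeros
# Added example; names and addresses are hypothetical.
# ether1        = upstream link where the SYN flood arrives
# 203.0.113.10  = public web server that is the flood target (routed, not NATed)
# 10.0.0.0/24   = LAN that still needs masquerade and therefore conntrack

/ip firewall raw
# Drop obviously bogus TCP (no flags at all) before it costs a state lookup.
add chain=prerouting in-interface=ether1 protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=drop \
    comment="NULL packets: drop pre-conntrack"
# Never create conntrack entries for the public server, in either direction.
# A SYN flood toward it then cannot fill the table or burn CPU on state lookups.
add chain=prerouting dst-address=203.0.113.10 action=notrack \
    comment="public web: untracked (inbound)"
add chain=prerouting src-address=203.0.113.10 action=notrack \
    comment="public web: untracked (return traffic)"

/ip firewall filter
# Stateless rules for the untracked host: established/related will never match
# these packets, so allow exactly the service ports and drop the rest.
add chain=forward connection-state=untracked dst-address=203.0.113.10 \
    protocol=tcp dst-port=80,443 action=accept \
    comment="public web: client -> server"
add chain=forward connection-state=untracked src-address=203.0.113.10 \
    protocol=tcp src-port=80,443 action=accept \
    comment="public web: server -> client"
add chain=forward connection-state=untracked action=drop \
    comment="anything else untracked is unwanted"
# Stateful rules for everything that is still tracked (the LAN).
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-state=new action=drop

/ip firewall nat
# NAT keeps working for the LAN because its packets are still tracked.
add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1 action=masquerade
```

Two caveats a practitioner should check before copying this. First, a host you mark notrack cannot sit behind dst-nat or masquerade on the same router, because NAT depends on conntrack; the server must have a routed public address, which is why the example keeps NAT only for the LAN. Second, the filter rules for untracked traffic are deliberately stateless, so a SYN flood still reaches the server itself; the raw rules protect the router's CPU and state table, and the server's own SYN cookies or an upstream scrubbing service are what protect the application.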
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: raw table, NOTRACK, SYN flood

Sat Jun 11, 2016 2:47 pm

Cool. But aside from the raw table mentioned in the changelog, which removes most of the overhead (because the packet is skipped before any processing happens), I would admit that some networkers didn't implement flood detection (including SYN flood) on their interfaces (sometimes it makes sense not only on WAN interfaces, by the way, especially in big companies/networks), which in my opinion is A MUST for at least edge/border gear. The same goes for port-scan detection and other usual things. Personally I would also love fwsnort-like features in ROS, or something relevant along those lines. And a ZORP package (even as a paid option) :P
