Hi all,
DDoS. Need I say more? It crippled us over the last week. Had to have the upstream ISP blackhole the offending static route for 48 hours. Changing it didn't matter. Some LAN device is likely asking for it/reporting the IP.
Didn't have any filter rules before. Two years of no problems. I learned my lesson.
Take a look at what I've got. I put some thought into input vs. forward chains, as the DDoS we had was UDP port 1900 to our router at 5.1 Gbps, flooding the port and resulting in total packet loss for the duration. 48 hours later, we have enabled the route again; it's been 2 hours, no attack yet, but likely the device that is asking for it is not online yet.
A few things I am looking for:
- Feedback on the order of my filters. Do I need to reorganize them?
- I'm new to jump rules. I have DDoS ones on the input chain and virus ones on the forward chain. Do I need to block those ports outbound too, to keep the virus from being able to talk out? Would that be a third jump chain on the output chain? Should I make the virus + DDoS list the same list and make three jump chains, one each for input, output, and forward? Is too many jumps going to tank my router CPU?
- I also put a simple queue at 230M down / 100M up to see if that helps me still be able to get into the router during an attack, albeit likely maxing the processor when 5.1 Gbps is being sent to the router's IP no matter what I do.
I have attached the current setup as a screenshot; easier to read than the script.
Any help would be awesome. Also wondering about making my DDoS chain bigger. I was watching the NORSE map on http://map.ipviking.com/ and wondering if I should just add ALL those ports to the input chain? In and out chains?
Thank you for the mentorship!
PS: 250 Mbps up/down fiber
RB1100AH (not x2), RouterOS 6.12
With average usage at 110 Mbps down / 10 Mbps up and the current filters/NAT, CPU is at 35-45%.
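For readers who cannot see the screenshot, the following is an added RouterOS 6.x filter skeleton illustrating the structure the post is asking about: stateful accepts first, a WAN-only jump on the input chain for the flood rules (the UDP 1900 / SSDP flood described above), and a single port-block chain jumped to from the forward chain so it applies in both directions. It is example code written for this page, not the poster's configuration; the interface names (ether1-wan, bridge-lan), the chain names and the example port list are assumptions.

```routeros
# Added example, not the poster's screenshot config. Interface names
# (ether1-wan, bridge-lan), chain names and ports are assumptions.
/ip firewall filter

# --- input chain: traffic addressed TO the router itself ---
# Cheap stateful matches first, so established flows never hit the jumps.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related to router"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Only WAN-side packets are sent through the flood chain; LAN traffic to the
# router skips it entirely, so the extra rules cost nothing on the LAN side.
add chain=input in-interface=ether1-wan action=jump jump-target=flood \
    comment="WAN -> flood chain"
add chain=input in-interface=bridge-lan action=accept comment="allow LAN to router"
add chain=input action=drop comment="drop everything else aimed at the router"

# --- flood chain: reached only from input, WAN side ---
# The UDP 1900 (SSDP) flood aimed at the router's own address is dropped here,
# before any accept rule can spend CPU on it.
add chain=flood protocol=udp dst-port=1900 action=drop \
    comment="drop SSDP/UPnP to router WAN address"
# Anything not matched above goes back to the input chain where it left off.
add chain=flood action=return

# --- forward chain: traffic THROUGH the router (LAN <-> WAN) ---
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related through router"
add chain=forward connection-state=invalid action=drop
# One jump with no in/out-interface match: the same chain is evaluated for
# LAN->WAN and WAN->LAN packets, so a dst-port drop blocks the port in both
# directions without a second list or an output-chain copy.
add chain=forward action=jump jump-target=virus comment="both directions -> virus chain"
add chain=forward in-interface=bridge-lan out-interface=ether1-wan action=accept \
    comment="LAN out to internet"
add chain=forward action=drop comment="drop unsolicited inbound to LAN"

# --- virus chain: example ports only, not the poster's list ---
add chain=virus protocol=tcp dst-port=135-139,445 action=drop comment="SMB/NetBIOS tcp"
add chain=virus protocol=udp dst-port=135-139,445 action=drop comment="SMB/NetBIOS udp"
add chain=virus protocol=udp dst-port=1900 action=drop comment="SSDP through router"
add chain=virus action=return
```

Two caveats a practitioner would check against this layout. First, a filter rule on the input chain drops a packet only after it has already crossed the uplink, so it protects the router's CPU and the management plane, not the 250 Mbps link; a 5.1 Gbps flood still saturates the circuit upstream, which is why the ISP blackhole was the only thing that actually stopped it. Second, the `/ip firewall raw` table, which drops packets before connection tracking, was introduced in later 6.x releases and is not available on RouterOS 6.12, so on this version the first rule of the input chain is the earliest point at which the router can discard the flood.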