russman
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu May 20, 2010 7:23 pm

DDoS Mitigation - Bandwidth Depletion

Tue Oct 14, 2014 7:32 am

I've been searching around on the forums and haven't found what I'm looking for. It seems like most of the attacks reported are small amounts of bandwidth from 1000s of sources or a little bit of traffic that consumes CPU cycles.

I'm seeing large chunks of bandwidth, much bigger than any plan we offer currently, coming from a handful of source IPs that aren't always the same but are consistent throughout the duration of any particular attack instance. My CCR is not having any system resource issues when this occurs. When it happens all my internal LAN traffic gets cut to 5-10% of normal and WAN traffic is maxing my fiber pipe out. I should have screenshotted the data in torch since it didn't really show up in netflow data correctly, but I'll see, for example, 77Mbps coming from one IP in China, 65Mbps coming from another, 46Mbps from one in Thailand, 44Mbps from one in Germany, etc., and it maxes out the pipe until I add the IPs manually to a DDoS address list that drops the traffic or I wait the attack out. I'd like to automate this process since it's becoming more common. I'd like to create a rule that if X IP generates 50+ MBps for more than 5sec then add it to the DDoS list. Any ideas?
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: DDoS Mitigation - Bandwidth Depletion

Tue Oct 14, 2014 8:33 am

Just throughput can be slightly misleading. What if someone downloads some huge amount of data intentionally from a really capable server?
 
SystemErrorMessage
Member
Posts: 380
Joined: Sat Dec 22, 2012 9:04 pm

Re: DDoS Mitigation - Bandwidth Depletion

Tue Oct 14, 2014 10:57 am

You could try traffic shaping to prevent your upload from being saturated by one user. It is considered an attack if the same source consistently performs it. Firewalls have an option of adding an IP to a list which you can then manipulate using a script. You can also block IPs automatically by having the firewall drop traffic from IPs on a list.
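An added example (not posted in the thread) of the address-list approach described above, with a whitelist for the legitimate heavy downloads jarda raised: RouterOS firewall rules using the connection-rate matcher, assuming the WAN interface is named ether1-wan and reusing the 50M threshold from the question.

```routeros
# Added example, not from the thread. Assumed: WAN interface ether1-wan, the 50M
# threshold from the question, and a constructed whitelist address. The
# connection-rate matcher measures the present rate of one tracked connection,
# so this catches a single fat flow per source, not many small flows from one IP.
/ip firewall address-list
add list=bw-whitelist address=198.51.100.10 \
    comment="constructed: known legitimate high-rate peer"

/ip firewall filter
# 1. Drop anything already listed before spending CPU on further matching.
add chain=input in-interface=ether1-wan src-address-list=ddos action=drop \
    comment="DDoS: drop listed sources"
# 2. Exempt known heavy-but-legitimate sources from the rate check.
add chain=input in-interface=ether1-wan src-address-list=bw-whitelist \
    action=accept comment="DDoS: whitelist bypasses rate check"
# 3. A connection running at 50 Mbit/s or more adds its source to the list for
#    one hour; the entry expires on its own instead of needing manual cleanup.
#    add-src-to-address-list does not terminate processing, so the current
#    packet continues down the chain; the next packet is dropped by rule 1.
add chain=input in-interface=ether1-wan connection-rate=50M-4294967295 \
    action=add-src-to-address-list address-list=ddos address-list-timeout=1h \
    log=yes log-prefix="ddos-listed" comment="DDoS: list sources over 50M"
```

The 5-second persistence condition from the question is not expressed here: connection-rate is instantaneous, so a short burst can be listed, and the 1h timeout bounds the cost of that. Keep rule 1 above any accept rules in the input chain, and check the log prefix for false positives before trusting it unattended.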
 
russman
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu May 20, 2010 7:23 pm

Re: DDoS Mitigation - Bandwidth Depletion

Tue Oct 14, 2014 4:00 pm

Most of our residential customers are NATed; this appears to all be input chain traffic on the WAN interface hitting the NAT public address. As I said, when it occurs our LAN traffic drops to 5-10% of normal (RX and TX) and the WAN traffic reaches the fiber pipe's maximum downstream.
 
tgrand
Long time Member
Posts: 671
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: DDoS Mitigation - Bandwidth Depletion

Fri Oct 17, 2014 8:16 pm

viewtopic.php?f=2&t=89180
