DOS attacks and bandwidth shaping?

Posted: Wed Apr 29, 2015 4:45 pm
by popcorrin
I run a wisp and occasionally, maybe every 2-3 months, we get hit with a DOS attack.
Many of our customers are 4-5 wireless hops from our core and we do our bandwidth shaping at the CPE or the AP that the CPE connects to. When we get hit, the wireless hops between the core and the target get saturated and everyone suffers. I am thinking of doing our shaping (at least the download) at the core. I guess the only concern would be the extra CPU power to shape everyone at the core. Any thoughts?

DOS attacks and bandwidth shaping?

Posted: Thu Apr 30, 2015 6:52 am
by jarda
Can't you use the firewall against those attacks? I would expect you have investigated it and know very well what kind of attack it is.

Re: DOS attacks and bandwidth shaping?

Posted: Thu Apr 30, 2015 9:54 pm
by popcorrin
I've looked through the wiki and I haven't seen any examples of firewall rules that would be very effective in protecting against a DDOS attack.

Re: DOS attacks and bandwidth shaping?

Posted: Thu Apr 30, 2015 11:16 pm
by amt
>>>I've looked through the wiki and I haven't seen any examples of firewall rules that would be very effective in protecting against a DDOS attack.
Check this,
http://forum.mikrotik.com/viewtopic.php?f=2&t=54607

Re: DOS attacks and bandwidth shaping?

Posted: Thu Apr 30, 2015 11:18 pm
by rextended
>>>I run a wisp
>>>we do our bandwidth shaping at the CPE or the AP that the CPE connects to
REALLY??? Why, when you started the WISP, did you not do it at the border gateway???

>>>I am thinking of doing our shaping( at least the download) at the core.
The only right place to do shaping is the download at the border gateway and the upload at the CPE!!!

Re: DOS attacks and bandwidth shaping?

Posted: Tue Dec 15, 2015 7:07 pm
by popcorrin
Rextended, we've tried it both ways. Doing all the shaping at the border results in the router getting overloaded so we distribute the load.

And we are doing okay. The next time, if you want to ask a question about our strategy, just ask the question. Don't be a *****.

Re: DOS attacks and bandwidth shaping?

Posted: Tue Dec 15, 2015 7:40 pm
by ZeroByte
>>>Rextended, we've tried it both ways. Doing all the shaping at the border results in the router getting overloaded so we distribute the load.
>>>And we are doing okay. The next time, if you want to ask a question about our strategy, just ask the question. Don't be a *****.
Rextended is 100% correct. If you mitigate (inbound) DDoS traffic somewhere inside your network, then however many links it takes to carry the flood to your scrubbing system will be overloaded. Scrubbing right at the front door will stop your internal infrastructure from being burdened with the load. If you carry your users' upstream DDoS traffic to a scrubber, then whatever region of the network they're on will also be affected. You don't want to carry DDoS flood traffic even 1 hop more than required.

If the CPU of your upstream border router isn't beefy enough to handle the shaping on a DDoS flood, then you can try filtering the traffic entirely, and if even this isn't possible (due to the attack being completely random ports) or if even this overloads the CPU, then your only remaining option is to blackhole route the target IP until the storm goes by or else you can get your service provider's help in filtering the traffic before it reaches your network.
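The placement argument in the two posts above can be made concrete with a small model. This is an added illustration, not code from the thread or from MikroTik: the chain of link capacities, the customer's plan rate and the flood size are all constructed numbers, and the model only tracks bandwidth, not router CPU. It walks the flood hop by hop from the border towards the customer and reports which backhaul links saturate depending on where the rate limit (or a full drop, plan rate 0) is applied.

```python
"""Which backhaul hops a flood saturates, as a function of where it is limited.

Added model, not from the thread. Topology and rates below are constructed.
"""

# Constructed chain of links, border gateway first, AP-to-CPE link last (Mbit/s).
BACKHAUL_MBPS = [1000, 300, 150, 100, 50]
# The targeted customer's shaped download rate (Mbit/s), also constructed.
CUSTOMER_PLAN_MBPS = 20


def carried_per_link(flood_mbps, capacities, plan_mbps, shape_at):
    """Return the Mbit/s each link ends up carrying.

    Links before index `shape_at` see the raw flood (clipped to whatever the
    previous hop could pass on); from `shape_at` onward only the customer's
    shaped rate continues. shape_at=0 models shaping at the border,
    shape_at=len(capacities)-1 models shaping at the AP/CPE.
    """
    carried = []
    offered = flood_mbps
    for i, cap in enumerate(capacities):
        if i >= shape_at:
            offered = min(offered, plan_mbps)
        passed = min(offered, cap)
        carried.append(passed)
        offered = passed
    return carried


def saturated_links(flood_mbps, capacities, plan_mbps, shape_at):
    """Indices of links that run at 100% under this flood and shaping point."""
    carried = carried_per_link(flood_mbps, capacities, plan_mbps, shape_at)
    return [i for i, (c, cap) in enumerate(zip(carried, capacities)) if c >= cap]


def compare_shaping_points(flood_mbps, capacities, plan_mbps):
    """Map every possible shaping point to the links it leaves saturated."""
    return {k: saturated_links(flood_mbps, capacities, plan_mbps, k)
            for k in range(len(capacities))}


if __name__ == "__main__":
    flood = 800  # constructed flood size in Mbit/s, well under the border uplink
    for k, sat in compare_shaping_points(flood, BACKHAUL_MBPS, CUSTOMER_PLAN_MBPS).items():
        print(f"shape at hop {k}: saturated links {sat}")
    # A full drop at the border (plan rate 0) clears every link.
    print("drop at border:", saturated_links(flood, BACKHAUL_MBPS, 0, 0))
```

With these numbers, limiting at the border leaves every link under capacity, while limiting at the AP/CPE saturates hops 1 to 3, exactly the "wireless hops between the core and the target" the original post describes, and every customer behind those hops pays for it.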

Re: DOS attacks and bandwidth shaping?

Posted: Mon Dec 21, 2015 7:55 am
by popcorrin
100% correct? Doesn't make much sense to shape at the core, resulting in everyone getting poor performance all the time, not just during an attack.
That might work for fewer than 1000 clients, but trying to shape thousands isn't going to happen efficiently on a single router; I don't care which MikroTik router you have.

Re: DOS attacks and bandwidth shaping?

Posted: Mon Dec 21, 2015 11:29 am
by p3rad0x
Next time you are under attack,

Torch the links to see what type of attack it is.

If your clients have public IPs set up on their CPEs, check if allow remote requests is turned off.

Had an issue where all my clients became open DNS relays, causing the main links to get saturated and the clients' CPEs pinned at 100% usage.

If I may ask, how much bandwidth and packets are running over the internet facing ports and are they matching up with the usage on your main links combined?
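The triage steps p3rad0x lists (torch the links, check for open DNS relays, compare the internet-facing port with the sum of the main links) and the mitigation ladder ZeroByte gives (filter if the ports are fixed, blackhole the target if they are random) can be worked through on a captured sample. The following is an added example, not code from the thread or from MikroTik. The flow records mimic what `/tool torch` shows on a saturated link but are constructed; `203.0.113.0/24` stands in for the WISP's public block; every threshold is an illustrative assumption. The two RouterOS commands it emits (`/ip route ... type=blackhole`, `/ip dns set allow-remote-requests=no`) use the RouterOS v6 syntax.

```python
"""Triage of torch-style flow samples during a flood (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_BLOCK = ip_network("203.0.113.0/24")  # constructed stand-in for the WISP prefix


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int


# Constructed sample mixing three patterns:
#  * a UDP flood from several sources on random ports towards customer .50
#  * CPEs .20 and .21 answering DNS (source port 53) to outside hosts, the
#    open-resolver pattern p3rad0x describes; .20 talks to many peers, .21 to one
#  * ordinary HTTPS traffic for customer .10
SAMPLE = [
    Flow("198.51.100.7", "203.0.113.50", "udp", 40001, 1234, 900_000),
    Flow("198.51.100.8", "203.0.113.50", "udp", 51222, 9999, 850_000),
    Flow("192.0.2.33", "203.0.113.50", "udp", 33010, 27015, 800_000),
    Flow("192.0.2.34", "203.0.113.50", "udp", 22222, 443, 700_000),
    Flow("203.0.113.20", "192.0.2.100", "udp", 53, 4321, 120_000),
    Flow("203.0.113.20", "192.0.2.101", "udp", 53, 4322, 110_000),
    Flow("203.0.113.20", "192.0.2.102", "udp", 53, 4323, 115_000),
    Flow("203.0.113.21", "192.0.2.100", "udp", 53, 5555, 90_000),
    Flow("203.0.113.10", "198.51.100.1", "tcp", 50123, 443, 60_000),
    Flow("198.51.100.1", "203.0.113.10", "tcp", 443, 50123, 200_000),
]


def bytes_by_dst(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.nbytes
    return dict(totals)


def flood_target(flows, share=0.5):
    """Destination carrying more than `share` of all sampled bytes, else None."""
    totals = bytes_by_dst(flows)
    if not totals:
        return None
    dst, top = max(totals.items(), key=lambda kv: kv[1])
    return dst if top / sum(totals.values()) > share else None


def flood_ports(flows, dst):
    """Destination ports the flood towards `dst` is spread over."""
    return sorted({f.dport for f in flows if f.dst == dst})


def open_resolver_suspects(flows, min_peers=3):
    """Our addresses sending UDP from port 53 to >= min_peers distinct outside hosts."""
    peers = defaultdict(set)
    for f in flows:
        if (f.proto == "udp" and f.sport == 53
                and ip_address(f.src) in OUR_BLOCK
                and ip_address(f.dst) not in OUR_BLOCK):
            peers[f.src].add(f.dst)
    return sorted(s for s, p in peers.items() if len(p) >= min_peers)


def border_vs_backhaul(edge_mbps, backhaul_mbps):
    """p3rad0x's accounting check: Mbit/s on the main links minus Mbit/s on the
    internet-facing port. A large positive gap means traffic is being generated
    inside the network (e.g. by reflectors) rather than arriving from upstream."""
    return round(sum(backhaul_mbps) - edge_mbps, 1)


def mitigation_plan(flows, random_port_threshold=3):
    """(where, RouterOS command) pairs a defender would apply, following the
    ladder in the thread: drop by port when the ports are fixed, otherwise
    blackhole the target at the border; turn off remote DNS on reflectors."""
    plan = []
    target = flood_target(flows)
    if target:
        ports = flood_ports(flows, target)
        if len(ports) >= random_port_threshold:
            plan.append(("border", f"/ip route add dst-address={target}/32 "
                                   "type=blackhole comment=ddos-target"))
        else:
            plan.append(("border", f"/ip firewall filter add chain=forward dst-address={target} "
                                   f"protocol=udp dst-port={','.join(map(str, ports))} action=drop"))
    for cpe in open_resolver_suspects(flows):
        plan.append((cpe, "/ip dns set allow-remote-requests=no"))
    return plan


if __name__ == "__main__":
    print("flood target:", flood_target(SAMPLE), "ports:", flood_ports(SAMPLE, flood_target(SAMPLE)))
    print("open resolver suspects:", open_resolver_suspects(SAMPLE))
    print("backhaul minus edge (Mbit/s):", border_vs_backhaul(100, [60, 30, 25]))
    for where, cmd in mitigation_plan(SAMPLE):
        print(f"{where}: {cmd}")
```

The blackhole route deliberately sacrifices the one targeted address so the rest of the network stays up, which is the trade-off ZeroByte describes; it should be removed once the flood subsides. The resolver check is the cheap way to confirm p3rad0x's scenario before touching every CPE: a CPE that answers DNS to many outside addresses from port 53 is being used as a reflector, and the accounting gap between the edge port and the backhaul links shows up as traffic that never came in from upstream.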