We run ours at 1200Mhz and it seems to work just fine.

We run ours at 1200Mhz and it seems to work just fine.

Interesting use case for Mikrotik. Do you have any strategy in place for DDoS attacks? How well is the 1072 handling that many peers?

Interesting use case for Mikrotik. Do you have any strategy in place for DDoS attacks? How well is the 1072 handling that many peers?

For DDoS - Andrisoft Wanguard + RTBH and Source-based blackhole - (set RP Filter to Loose is an absolute must - viewtopic.php?t=114664).
You can of course scrub incoming traffic during a DDoS until a certain limit is reached and then enforce the blackholes.

The 1072 usually stand up well depending on the type and size of the DDoS and whether or not you are using Fastpath.
Most issues occur when the firewall is enabled, causing inspection of packets coming in.

In normal fastpath mode with the CPU at 1200Mhz it does (according to Mikrotik tests) 86 mpps & 44 gbps @ 64 bytes.
If 25 firewall rules are applied, this drops dramatically to 5.8mpps and 3gbps @ 64bytes.

Interesting use case for Mikrotik. Do you have any strategy in place for DDoS attacks? How well is the 1072 handling that many peers?

For DDoS - Andrisoft Wanguard + RTBH and Source-based blackhole - (set RP Filter to Loose is an absolute must - viewtopic.php?t=114664).
You can of course scrub incoming traffic during a DDoS until a certain limit is reached and then enforce the blackholes.

The 1072 usually stand up well depending on the type and size of the DDoS and whether or not you are using Fastpath.
Most issues occur when the firewall is enabled, causing inspection of packets coming in.

In normal fastpath mode with the CPU at 1200Mhz it does (according to Mikrotik tests) 86 mpps & 44 gbps @ 64 bytes.
If 25 firewall rules are applied, this drops dramatically to 5.8mpps and 3gbps @ 64bytes.

Is it possible to secure the router (remote management etc) without such a big performance hit? IP RAW filters maybe?

@Ascendo For DDoS we're highly specialized on that. For uplinks and edge we use ASR9k. As distribution nexus. But we're now creating a parallels network and mikrotik seems to be fine. This is the project we're building

http://seflow.net/2/index.php/en/blog/s ... on-roadmap
(please if is considered spam remove the link).

For this use we planned to configure 1072 mikrotik on every IX. Now on Milan, with 57 active peers this is the usage (5.8Gbps troughtput)

NAME CPU USAGE
spi 0%
ethernet 0%
console 0%
firewall 1.3%
networking 14.4%
management 0.6%
routing 0.4%
profiling 0.1%
unclassified 0.1%
total 16.9%


Router was put in production about 2 days ago and all ddos received not created any issue, but we use only for peer and we not do incoming firewalling, Mitigation is doing with traffic diversion feature. We have only outbound firewalling raw rules to avoid spoofing

For all users that do bgp in full route, i suggest to peer with cymru bogons this save incoming firewall rules and resource. Is an open source project http://www.team-cymru.org/bogon-reference-bgp.html

We run ours at 1200Mhz and it seems to work just fine.

We run ours at 1200Mhz and it seems to work just fine.

we are thinking to buy CCR1072 for just firewall is it a right move ?

here our topic: viewtopic.php?f=13&t=121781

We run ours at 1200Mhz and it seems to work just fine.

we are thinking to buy CCR1072 for just firewall is it a right move ?

here our topic: viewtopic.php?f=13&t=121781

I would definitely not use an CCR as a firewall that you are expecting to take punishment, the clock speed on the CPU isn't good enough for high packet inspection and it will probably fall over.
A firewall (in general) is never going to stop a volumetric DDoS attack, even with drop rules.
This is because a packet still has to come in on the incoming interface in order to be inspected by the firewall before a decission to drop it is made.
Here is a youtube video I made showing this - https://www.youtube.com/watch?v=SHjBbbF ... e=youtu.be
Even when the drop rule is enabled, traffic still hits the incoming interface and there is still load on the router.
When a blackhole is used, the packets accepted on the incoming interface drop and so does the CPU load.


You better off splitting your protection into DDoS protection and application / access control.
For DDoS protection, use something like fastnetmon or Wanguard to help mitigate volumetric type attacks whereby you can setup BGP with your routers, enable loose RP-Filters and blackhole the destination or source IP addresses.

Then a decent firewall for application / access control. At the highend, I would recommend the fortigate firewalls, we use them extensively for IDS/IPS and firewalling and they work great, however they are expensive. On the lower-end, Use a server with decent 10G network interfaces and a E3-1200v6 or E5-1600v4 Processor (clock speed above cores) and load up pfsense. You can use suricata or snort on pfsense for the IDP/IPS side of things and the pfsense firewall is rock solid.

Thanks for replying.

I read all of your posts on this forum. I am really new to mikrotik.
You are suggesting us to use blackhole which is ip null route right ? That method is that we cant use. we cant null client's ip otherwise they will leave us. We need to protect them no matter what happens. If is it possible to null only coming ips i think it could solve our problem. You are the second specialist who recommends us fortigate which is reall above our budget.

We have 2x10G uplink to use. We are gonna try RouterOS on i7 7700K to see how will react when we get ddos with out IP firewall rules. If it works we will use otherwise we need E3-Model cpus like Intel Xeon E3-1240 v5.

We dont have any idea how to use fastnetmon or pfsense. We can learn of course if its gonna solve our problem.

Again thanks for helping us we really need help to solve this problem.

Thanks for replying.

I read all of your posts on this forum. I am really new to mikrotik.
You are suggesting us to use blackhole which is ip null route right ? That method is that we cant use. we cant null client's ip otherwise they will leave us. We need to protect them no matter what happens. If is it possible to null only coming ips i think it could solve our problem. You are the second specialist who recommends us fortigate which is reall above our budget.

We have 2x10G uplink to use. We are gonna try RouterOS on i7 7700K to see how will react when we get ddos with out IP firewall rules. If it works we will use otherwise we need E3-Model cpus like Intel Xeon E3-1240 v5.

We dont have any idea how to use fastnetmon or pfsense. We can learn of course if its gonna solve our problem.

Again thanks for helping us we really need help to solve this problem.

You don't need to blackhole your client's IP's, you can blackhole incoming source IP's.
To do this, you would put fastnetmon on a server and setup a BGP session with your mikrotiks (or other routers).
Set your routers to export a netflow / sflow to the fastnetmon server.
When fastnetmon pick's up a DDoS attack, it advertises the abusive IP's to your routers which then get blackholed dynamically.
There is a Mikrotik plugin for fastnetmon to make this implimentation easier - https://github.com/pavel-odintsov/fastn ... tik_plugin

after furter investigation we realized that the issue is not on cpu frequency that was changed 7 days ago, but the flow exporter. We did some changes todat like move from all interfaces to selected one and changing inactive and active timeouts.

I reverting back these parameters, meanwhile generated supout file and sent tu support@

hi,
yes my previous consideration was wrong, the issue is confirmed on CPU overclock. We identified it keeping serial console opened and after reboot you see a message related to cpu error, something like:

"processor error"

Honestly i think they never developed/tested this product at 1200Mhz so they not know what reply on support request. Checking the exact error we see that the issue is related to hardware bug on 1200Mhz (that i think tile fixed on TLR4-07280DG-12CE A0a with 1866 memory support) and not on o.s. level.

[admin@rt-bgp01.jhb] > /system routerboard settings set cpu-frequency=
400MHz  600MHz  800MHz  1000MHz  1200MHz