 
nuskope
Frequent Visitor
Topic Author
Posts: 73
Joined: Wed Oct 22, 2008 3:11 pm
Location: Adelaide, South Australia

DDOS detection script?

Sat May 31, 2014 12:44 pm

Hi all,

Like most, we occasionally get a DDOS attack; they are annoying and in the range of 900+ Mbit, so they suck up all of our transit.

Luckily both our upstream providers support 'black hole' BGP communities, so we can advertise a BGP community for a /32 IP address and it goes down the black hole.

I already have a script I run that updates (and enables) the BGP filter rules and the BGP networks with the corresponding customer's /32 address; this then puts an end to the attack all the way to my provider's provider's provider!
[Currently we just edit the IP address in the script so it can do all the work.]

My issue now is automatically detecting it: when the attacks happen we see 1000s of connections. So my theory was to do a count on 'source' destinations, and if there are over 1000 to any one IP address it will run the script.

Has anyone got any idea, or has done something like this before?
In theory it would be good to schedule the script to check the connection count every 30 seconds?

Thanks
 
scotthammersley
Member Candidate
Posts: 230
Joined: Fri Feb 22, 2013 7:16 pm
Location: Jackson, MS

Re: DDOS detection script?

Sat May 31, 2014 6:47 pm

Why would you not write a mangle and firewall rule that limits (and adds to an address list) the connection count from any one source on your WAN interface that exceeds a given value? Something like this maybe:

/ip firewall mangle
add action=add-src-to-address-list address-list=High_Connections chain=prerouting connection-limit=100,32 connection-state=new in-interface="YourWAN"

/ip firewall filter
add action=drop chain=input src-address-list=High_Connections in-interface="YourWAN"
 
nuskope
Frequent Visitor
Topic Author

Re: DDOS detection script?

Sun Jun 01, 2014 8:28 am

For a true DDOS, blocking it locally has little benefit.
Unless we advertise the BGP community back to our peers, the traffic will still be hitting the router, with high CPU load, and will max out our transits.

Advertising the community basically blocks the traffic all the way back to the Tier-1 international providers.
 
scotthammersley
Member Candidate

Re: DDOS detection script?

Sun Jun 01, 2014 7:25 pm

Yes, I understand that, but you need a way of identifying the traffic first, which is the mangle rule I gave you. Once you identify the offender, you can then script adding it to the BGP advertise filter list.

I just added the firewall rule in as an extra precaution.
 
manbot
just joined
Posts: 24
Joined: Sun Mar 23, 2014 1:28 am
Location: Minsk, Belarus

Re: DDOS detection script?

Sun Jun 01, 2014 11:12 pm

Try this script:
http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking

Sent from my iPad using Tapatalk
 
scotthammersley
Member Candidate

Re: DDOS detection script?

Mon Jun 02, 2014 7:57 pm

That wiki page is relevant to stopping DDOS at the router itself. However, he is looking to dynamically update his BGP black hole list.

Again though, both examples show how to identify traffic and place it into an address list. You just need to script a way of adding those addresses into your BGP lists.
 
nuskope
Frequent Visitor
Topic Author

Re: DDOS detection script?

Fri Jan 16, 2015 2:09 pm

Over the last few months I have tried both of the options above for detecting DDOS; however, we get too many false positives.

I have scripts in place (below, for use by others) that, once an address is added to the address list, using a scheduled task that runs every minute, automatically black hole the IP to our upstream providers; after 10 minutes it is removed (usually that's all it takes for the attack to stop).

I'm not sure if it's because I have the connection limit set too low, but I have set it as high as 1000 and still get false positives.
We do not NAT; all users get their own /32 public IP address.

When a DDOS comes in, they have 1000s of connections open.

detector - run every minute by the scheduler
:global ip
:set ip ""

# pick up the address currently in the "ddosed" list (the last entry wins if there are several)
:foreach n in=[/ip firewall address-list find list="ddosed"] do={
    :set ip [/ip firewall address-list get $n address]
}

:if ($ip != "") do={
    :log info "DDOS ATTACK";
    :log info $ip
    /system script run auto_DDOS

    :delay 5;

    /log info "time updated; uptime: $[/system resource get uptime]"
    :local es "DDOS on $[/system clock get date] $[/system clock get time]"
    :local eb "$[/system identity get name] DDOS on $[/system clock get date] $[/system clock get time]     IP DDOSED: $ip"
    /tool e-mail send to="emailaddress@nuskope.com.au" subject=$es body=$eb

    # hold the black hole for 10 minutes, logging the countdown once a minute
    :for m from=10 to=1 step=-1 do={
        :log info "DDOS-unblock in $m minutes";
        :delay 60;
    }
    /system script run auto_DDOS_Disable
}

:if ($ip = "") do={
    :log info "no DDOS detected";
}

auto_DDOS - the script that adds the /32 to our BGP networks and edits the filter rules to tag the address with the blackhole community
:global ip

:log info "DDOS ATTACK";
:log info $ip

# set the ip address in the filters
/routing filter set [find comment="DDOS"] prefix=$ip

# enable the rules
/routing filter enable [/routing filter find comment="DDOS"]

# add the ip to the BGP networks
/routing bgp network add network=$ip synchronize=no

# make sure the rules are at the top
:foreach n in=[/routing filter find comment="DDOS"] do={ /routing filter move $n [:pick [/routing filter find] 0] }

:foreach n in=[/routing filter find comment="DDOS"] do={ /routing filter move $n [:pick [/routing filter find] 0] }

auto_DDOS_Disable - disables the block
/routing filter disable [/routing filter find comment="DDOS"]

:log info "DDOS-unblocked";
 
FutileNetworks
newbie
Posts: 36
Joined: Tue Jan 15, 2013 9:14 pm

Re: DDOS detection script?

Fri Jan 16, 2015 9:26 pm

The approach I've taken for RTBH and DDOS detection on our edge routers is to use firewall filter rules to jump incoming small-packet UDP and TCP to a detection chain rule; this accepts traffic under a certain threshold per destination IP (it's up to you what pps you consider a DDOS), and any traffic exceeding the threshold is jumped to a new chain where the dst address is added to an address-list.

Once in the address-list, a script adds a blackhole route with BGP MED of 666, and a routing filter then distributes this to an adjacent router with a separate dedicated circuit to our transit RTBH routers; this is in case the DDOS is large enough to take down our transit links. The script then removes the route, which removes the RTBH, after a few minutes, just like yours.

Example of the detection rules for UDP packets...
add action=jump chain=forward dst-address=1.2.3.4/22 in-interface=sfp1--transit1 jump-target=udp-ddos packet-size=0-256 protocol=udp
add chain=udp-ddos dst-limit=100000,100000,dst-address/10s
add action=jump chain=udp-ddos jump-target=block-ddos
add action=add-dst-to-address-list address-list=ddos-rtbh address-list-timeout=1m chain=block-ddos
add action=log chain=block-ddos log-prefix="Block-DDOS added address"

I also have similar rules to detect TCP DDOS, to cover most types of DDOS.
 
nuskope
Frequent Visitor
Topic Author

Re: DDOS detection script?

Sun Jan 18, 2015 1:11 pm

This is what I have now, from the above posted wiki.
However, my problem is that after, say, 1-2 hours it starts adding IPs, and after 12 hours it adds almost every IP on my network.

It's almost like it's never clearing the connections, so it counts them and never resets the counters.

add action=log chain=notes comment="START DDOS Detection and Nurf"
add action=jump chain=forward connection-state=new disabled=yes in-interface="ether1 -  [Fiber1]" jump-target=detect-ddos
add action=return chain=detect-ddos disabled=yes dst-address-list=DNS_Servers
add action=return chain=detect-ddos disabled=yes src-address-list=DNS_Servers
add action=return chain=detect-ddos disabled=yes dst-limit=5000,6000,dst-address/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos connection-state=new disabled=yes dst-address-list=ddos_stage1
add action=add-dst-to-address-list address-list=ddos_stage1 address-list-timeout=1m chain=detect-ddos disabled=yes dst-address-list=NuskopeInternal
add action=add-src-to-address-list address-list=ddoser address-list-timeout=5m chain=detect-ddos disabled=yes src-address-list=!NuskopeInternal
add action=drop chain=forward connection-state=new disabled=yes dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=output connection-state=new disabled=yes dst-address-list=ddosed src-address-list=ddoser
add action=log chain=notes comment="END  DDOS Detection and Nurf"
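As an added example (my own code, not from the thread or from RouterOS), here is a Python model of the per-destination dst-limit matcher that both FutileNetworks' rules and the rule set just above rely on, run over a constructed packet trace; the IPs, the scaled-down rate/burst values and the 60 s list timeout are assumptions chosen for readability.

```python
from collections import defaultdict

class DstLimitDetector:
    """Model of a dst-limit rule (per-destination token bucket) followed by
    add-dst-to-address-list with an address-list-timeout. A packet that finds
    a token is accepted; one that finds none falls through to the block chain."""

    def __init__(self, rate, burst, list_timeout):
        self.rate = rate                    # packets per second allowed long-term
        self.burst = burst                  # bucket capacity (short burst allowance)
        self.list_timeout = list_timeout    # seconds an entry stays in the list
        self.tokens = {}                    # dst -> tokens left
        self.last = {}                      # dst -> time of last refill
        self.blocked = {}                   # dst -> expiry time (the RTBH address list)
        self.stats = defaultdict(lambda: [0, 0])  # dst -> [accepted, blocked]

    def _refill(self, dst, now):
        if dst not in self.tokens:
            self.tokens[dst], self.last[dst] = float(self.burst), now
        elapsed = now - self.last[dst]
        self.tokens[dst] = min(self.burst, self.tokens[dst] + elapsed * self.rate)
        self.last[dst] = now

    def packet(self, now, dst):
        """Return True if accepted, False if it pushed dst into the RTBH list."""
        self._refill(dst, now)
        if self.tokens[dst] >= 1:
            self.tokens[dst] -= 1
            self.stats[dst][0] += 1
            return True
        self.stats[dst][1] += 1
        self.blocked[dst] = now + self.list_timeout   # (re)arm the list timeout
        return False

    def active_blocks(self, now):
        """Destinations still listed at time `now`; expired entries are dropped."""
        self.blocked = {d: t for d, t in self.blocked.items() if t > now}
        return sorted(self.blocked)

def run_constructed_trace():
    # Constructed trace (not real traffic): 500 packets at t=0 to one customer /32 and
    # 50 packets spread over 5 s to another; rate/burst are scaled-down stand-ins.
    det = DstLimitDetector(rate=100, burst=200, list_timeout=60)
    trace = [(0.0, "203.0.113.10")] * 500 + [(i * 0.1, "203.0.113.20") for i in range(50)]
    for t, dst in sorted(trace):
        det.packet(t, dst)
    return det
```

The flooded /32 exhausts its burst and is listed while the lightly loaded one never is, and the listing expires on its own once the timeout passes, which is the behaviour a scheduled RTBH script can poll for instead of sleeping inside the script.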
