Over the last few months I have tried both of the options above for detecting DDoS; however, we get too many false positives.
I have scripts in place (below, for use by others) so that once an address is added to the address list, a scheduled task that runs every minute automatically blackholes the IP to our upstream providers; after 10 minutes it is removed (usually that's all it takes for the attack to stop).
I'm not sure if it's because I have the connection limit set too low, but I have set it as high as 1000 and still get false positives.
We do not NAT; all users get their own /32 public IP address.
When a DDoS comes in, they have thousands of connections open.
detector - run every minute by the scheduler
# The attacked address is kept in a global so auto_DDOS can read it;
# reset it on every run, otherwise a value from an earlier run would persist.
:global ip
:set ip ""
# Pick up an address that the firewall has placed in the "ddosed" list.
# If several are listed the last one wins; the others are handled on later runs.
:foreach n in=[/ip firewall address-list find list="ddosed"] do={
    :set ip [/ip firewall address-list get $n address]
}
:if ($ip != "") do={
    :log info "DDOS ATTACK on $ip"
    /system script run auto_DDOS
    :delay 5
    :log info "time updated; uptime: $[/system resource get uptime]"
    :local es "DDOS on $[/system clock get date] $[/system clock get time]"
    :local eb "$[/system identity get name] DDOS on $[/system clock get date] $[/system clock get time] IP DDOSED: $ip"
    /tool e-mail send to="emailaddress@nuskope.com.au" subject=$es body=$eb
    # Keep the blackhole up for 10 minutes, logging the countdown once a minute
    :for i from=10 to=1 step=-1 do={
        :if ($i = 1) do={
            :log info "DDOS-unblock in 1 minute"
        } else={
            :log info "DDOS-unblock in $i minutes"
        }
        :delay 60
    }
    /system script run auto_DDOS_Disable
} else={
    :log info "no DDOS detected"
}
auto_DDOS - this is the script that adds the /32 to our BGP and also edits some filter rules to add a blackhole community to the ip address
:global ip
:log info "DDOS ATTACK on $ip"
# Put the attacked address into the filter rules tagged with comment "DDOS".
# The address-list entries here are bare /32 addresses, which the prefix field accepts as /32.
/routing filter set [find comment="DDOS"] prefix=$ip
# Enable the rules
/routing filter enable [find comment="DDOS"]
# Announce the /32 to the upstreams; tag it so it can be found and withdrawn later
/routing bgp network add network=$ip synchronize=no comment="DDOS"
# Make sure the rules are at the top so they match before the normal out-filters
:foreach n in=[/routing filter find comment="DDOS"] do={ /routing filter move $n [:pick [/routing filter find] 0] }
auto_DDOS_Disable - disables the block
/routing filter disable [find comment="DDOS"]
# Withdraw the /32 announcement as well; otherwise it stays advertised without the blackhole community
/routing bgp network remove [find comment="DDOS"]
:log info "DDOS-unblocked"
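The scripts above drive routing filter rules tagged with the comment "DDOS" and an address list named "ddosed", but the post does not show how those are set up. The following is an added example, not the author's configuration, of a minimal RouterOS v6 out-filter and BGP arrangement the scripts could work against. It uses the well-known BLACKHOLE community 65535:666 from RFC 7999; many upstreams use their own community instead, so the value must match what the provider expects. The peer name "upstream1", the chain name "upstream-out" and all addresses (documentation ranges) are assumptions. RouterOS v7 replaced this filter syntax with rule strings, so the commands are v6 only.

```routeros
# Added example (not from the original post): routing-filter and BGP setup
# that the detector / auto_DDOS / auto_DDOS_Disable scripts expect.
# Assumed: peer "upstream1", out-filter chain "upstream-out", our own
# aggregate 198.51.100.0/24, and an upstream that honours 65535:666.

# 1. Filter rule tagged "DDOS": the scripts rewrite prefix= and enable it.
#    It starts disabled with a placeholder prefix; when enabled it accepts the
#    announced /32 and attaches the RFC 7999 BLACKHOLE community.
/routing filter add chain=upstream-out comment="DDOS" prefix=192.0.2.1/32 \
    action=accept set-bgp-communities=65535:666 disabled=yes

# 2. Normal out-filter: announce only our aggregate and discard everything
#    else, so a /32 can never leak unless the DDOS rule in front of it is on.
/routing filter add chain=upstream-out prefix=198.51.100.0/24 action=accept
/routing filter add chain=upstream-out action=discard

# 3. Apply the chain to the upstream peer's outgoing updates.
/routing bgp peer set [find name="upstream1"] out-filter=upstream-out

# 4. Whatever fills the "ddosed" list must give entries a timeout so the
#    victim address ages out of the list; this manual entry (constructed,
#    203.0.113.10 is a documentation address) simulates a detection for a test.
/ip firewall address-list add list=ddosed address=203.0.113.10 timeout=10m

# 5. Trigger the detector by hand, then check what the upstream will receive.
/system script run detector
/routing filter print where comment="DDOS"
/routing bgp network print
/routing bgp advertisements print peer=upstream1
```

The detector blocks for the full ten-minute countdown, so run it from one terminal session and do the checks from another. The advertisements output should show the /32 carrying 65535:666 while the rule is enabled, and the aggregate only once auto_DDOS_Disable has run.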