aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

DDOS attack need help

Sun May 07, 2023 4:12 pm

Hello, I have many DDoS attacks. Who can help to configure my MikroTik to stop that? Thx
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DDOS attack need help

Sun May 07, 2023 4:22 pm

@anav is waiting for your reply from 2022
viewtopic.php?p=908859#p908941

Would you like help without even thanking or replying?

Ask your ISP; you cannot do anything useful to stop DDoS, except close all your services open to the world, which cause the attacks.
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Sun May 07, 2023 4:26 pm

Hello, it's a long story; it's very important for me to leave at least 1 port open. Can you help me?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DDOS attack need help

Sun May 07, 2023 4:27 pm

> Hello, it's a long story; it's very important for me to leave at least 1 port open. Can you help me?

I already gave you the correct answer.
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Sun May 07, 2023 4:33 pm

Can I see you in private? I'm really confused and this DDoS attack will give me a heart attack soon :(
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DDOS attack need help

Sun May 07, 2023 4:38 pm

> Can I see you in private? I'm really confused and this DDoS attack will give me a heart attack soon :(

Isn't it clear to you that only and exclusively your ISP can do something?
Whatever you do, however, is completely useless.
(Aside from shutting down all internet services you provide, which attract attacks)
 
AntiUltimate
just joined
Posts: 10
Joined: Tue Sep 11, 2018 9:25 pm

Re: DDOS attack need help

Sun May 07, 2023 4:42 pm

What are the symptoms of the so-called "DDoS attack" and how did you realize it was one?
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Sun May 07, 2023 4:44 pm

I have an application on a Linux server which uses 1 port. One guy sends me a flood attack when I start using it; after only 5..10 mins the router crashes.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DDOS attack need help

Sun May 07, 2023 4:49 pm

> I have many DDoS attacks

It is not exactly the same thing....

If you don't explain yourself well, how do you expect to have correct help?

One person floods your connection. This is "many DDoS attacks"?

Drop his IP on /firewall raw prerouting.
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Sun May 07, 2023 4:58 pm

I'm a newbie on security. I bought this MikroTik to secure traffic from my local server to my remote VPS (OVH VPS), in a way to let traffic only from a specific IP to a specific IP, and all other traffic will be blocked.
Last edited by aldo142 on Sun May 07, 2023 5:02 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DDOS attack need help

Sun May 07, 2023 5:01 pm

 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Sun May 07, 2023 5:29 pm

Still confused. If we can make direct contact it will be good, pls!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DDOS attack need help

Sun May 07, 2023 5:43 pm

> Still confused. If we can make direct contact it will be good, pls!

https://mikrotik.com/consultants
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DDOS attack need help

Sun May 07, 2023 5:55 pm

1. Provide a detailed network diagram
2. Post complete config
/export file=anynameyouwish {prior to posting here, remove router serial#, public WANIP information and any keys}

@rextended, whenever you post make a habit of checking mail :-)
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: DDOS attack need help

Sun May 07, 2023 7:01 pm

Looks like it was not so urgent after all
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Sun May 07, 2023 7:14 pm

> 1. Provide a detailed network diagram
> 2. Post complete config
> /export file=anynameyouwish {prior to posting here, remove router serial#, public WANIP information and any keys}
>
> @rextended, whenever you post make a habit of checking mail :-)

1- Network diagram
Ubuntu server with CCcam server with 1 port opened, 9011; the local network connects to the VPS.
This is the attached config. What I want is to close all incoming traffic, and all outgoing traffic will only use 9011 to connect to a specific VPS IP.

# may/07/2023 17:09:37 by RouterOS 7.2
# software id = N19D-NGAV
#
# model = RouterBOARD 750G r3
# serial number = 
/interface bridge
add admin-mac=64:D1:54:A0:C8:01 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=GUA24328442
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="serveur cccam11" dst-port=9011 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.251
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Africa/Algiers
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by BartoszP on Sun May 07, 2023 9:26 pm, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code - keep forum tidy
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Sun May 07, 2023 7:32 pm

The first approach is to close all incoming traffic and all outgoing traffic, then I will open and manage the desired port.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: DDOS attack need help

Sun May 07, 2023 7:50 pm

Unfortunately, Mikrotik ROS has no ability to stop DDOS attacks. If it's important, you simply have to supplement or replace it with another solution. However, for other common questions regarding firewall settings, you might get good help from folks in this thread.

For tips and suggestions regarding DDOS protection, Google for example "firewalls that protects against ddos attacks".
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Sun May 07, 2023 8:59 pm

You can see the SYN flood attached
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: DDOS attack need help

Sun May 07, 2023 9:04 pm

If 154.54.220.138 traffic is not relevant or important to you, drop it:
/ip firewall raw
add action=drop chain=prerouting src-address=154.54.220.138
Lowering the TCP timeout can help:
/ip firewall connection tracking 
set tcp-established-timeout=16m
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Sun May 07, 2023 10:15 pm

154.54.220.138 PORT 9011 is important. Can I put it in a white list and drop all other traffic through 9011 from other IPs?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DDOS attack need help

Mon May 08, 2023 12:12 am

Does everyone understand now why I want zerotrust cloudflare as an options package for devices (not even part of stock RoS like wireguard)?
No need to expose public IP and worry about this sheite.

HEY MIKROTIK WAKE UP!!!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: DDOS attack need help

Mon May 08, 2023 12:16 am

> 154.54.220.138 PORT 9011 is important. Can I put it in a white list and drop all other traffic through 9011 from other IPs?

Well, if my link partner started to SYN flood me, I'd block it anyways ... and then I'd have a serious talk with the admin of the link partner. The thing is: if the link partner runs software which can use a random source port, what exactly prevents that software from hijacking the all-important port?
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Mon May 08, 2023 1:36 am

> > 154.54.220.138 PORT 9011 is important. Can I put it in a white list and drop all other traffic through 9011 from other IPs?
>
> Well, if my link partner started to SYN flood me, I'd block it anyways ... and then I'd have a serious talk with the admin of the link partner. The thing is: if the link partner runs software which can use a random source port, what exactly prevents that software from hijacking the all-important port?

You are right, but now I must find a solution because it's not easy to block him with only a simple call!! So I need help.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DDOS attack need help

Mon May 08, 2023 2:16 am

But do you know what the hell you are writing?
Want to stop the synflood of a moron you know but at the same time have to allow him to continue?
For me you're making fun of us all or you're stoned.
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Mon May 08, 2023 2:38 am

> But do you know what the hell you are writing?
> Want to stop the synflood of a moron you know but at the same time have to allow him to continue?
> For me you're making fun of us all or you're stoned.

I think you don't understand what I mean!! For sure I need to stop this SYN flood through MikroTik; if there is another solution, tell me!
 
aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

Re: DDOS attack need help

Mon May 08, 2023 2:41 am

> > 154.54.220.138 PORT 9011 is important. Can I put it in a white list and drop all other traffic through 9011 from other IPs?
>
> Well, if my link partner started to SYN flood me, I'd block it anyways ... and then I'd have a serious talk with the admin of the link partner. The thing is: if the link partner runs software which can use a random source port, what exactly prevents that software from hijacking the all-important port?

Let's block the attack, then I will try to have a serious talk with her ISP or VPS reseller.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: DDOS attack need help

Mon May 08, 2023 9:29 am

Please don't count on it too much, as an ISP normally has none at all or very limited ability to protect you from DDOS attacks. To make a real difference you probably need to take other measures like cloudflare and similar solutions.

Meanwhile and to mitigate the whole thing as a temporary solution you might put the attackers in a block list. Anav and Extended can show you how.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: DDOS attack need help

Mon May 08, 2023 11:04 am

> Let's block the attack, then I will try to have a serious talk with her ISP or VPS reseller.

@chechito in post #20 above already showed you how to drop all traffic from the "criminal" ...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DDOS attack need help

Mon May 08, 2023 2:20 pm

Add a source address list to the port forwarding rule.
All users need to provide you with their static public IP
OR
All users need to provide you with their DYNDNS URL and the MT will resolve it.

This will at least reduce visibility and access to those allowed. I have no clue what anybody means by link partner.
In terms of eliminating or cutting out the problem, I believe the Colombian knows of what he speaks.
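
The source-address-list approach from the post above, written out against the `serveur cccam11` dst-nat rule in the config posted earlier in this thread. This is an added example, not code from any poster; the list name `allowed-9011`, the address 203.0.113.10 and the hostname peer.example.net are placeholders.

```routeros
# Added example. List name, address and hostname are placeholders.
/ip firewall address-list
add list=allowed-9011 address=203.0.113.10 comment="peer with static public IP"
# An entry may also be a DNS name; RouterOS resolves it and refreshes the entry
add list=allowed-9011 address=peer.example.net comment="peer using dynamic DNS"

# Before: the posted rule forwards TCP 9011 from any WAN source
#   add action=dst-nat chain=dstnat comment="serveur cccam11" dst-port=9011 \
#       in-interface-list=WAN protocol=tcp to-addresses=192.168.88.251
# After: the same rule, now matching only sources on the list
/ip firewall nat
set [find comment="serveur cccam11"] src-address-list=allowed-9011

# Drop everything else aimed at the port in raw prerouting, i.e. before
# connection tracking, so unlisted sources create no conntrack entries
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN protocol=tcp \
    dst-port=9011 src-address-list=!allowed-9011 \
    comment="drop non-whitelisted sources to 9011"
```

A listed address that itself floods, as described for 154.54.220.138 in this thread, still matches the whitelist; it has to be taken off the list or dropped by a separate rule.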
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: DDOS attack need help

Tue May 09, 2023 9:36 pm

@aldo142
You can set up an IP firewall with SYN/DoS/DDoS protection by following this guide: https://help.mikrotik.com/docs/pages/vi ... d=28606504.
This works against non-spoofed/randomized source IP addresses. I have a similar setup, BUT when the attacker uses random source IP addresses in packets it will fill your blocked IPs address list and it will eventually result in out of memory on ROS (this means DoS is still present for ROS). For this purpose it would be better to have MAC address lists in ROS (which ROS doesn't have); blocking by MAC address will be more effective for this kind of attack.

You can test attack with hping3, eg:
Non randomized source IP flood:
~ root# hping3 -c 15000 -d 120 -S -w 64 -p <TCP_PORT> --flood <ROUTER_IP>
Randomized source IP flood:
~ root# hping3 -c 15000 -d 120 -S -w 64 -p <TCP_PORT> --flood --rand-source <ROUTER_IP>
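
A sketch of the address-list based detection this post describes, with a timeout on every dynamic entry so the lists drain on their own instead of growing until a reboot. This is an added example, not the poster's configuration and not copied from the linked guide; the chain name, list names, the `dst-limit` threshold and the 10-minute timeout are assumptions to tune.

```routeros
# Added example. Names, threshold and timeout are assumptions to tune.
/ip firewall filter
# Send new forwarded connections arriving from the WAN through the detection chain
add chain=forward in-interface-list=WAN connection-state=new \
    action=jump jump-target=detect-ddos comment="inspect new WAN connections"
# Source/destination pairs under 32 packets per second (burst 32) return untouched
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
# Pairs over the limit are recorded; each entry expires after 10 minutes
add chain=detect-ddos action=add-dst-to-address-list \
    address-list=ddos-targets address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list \
    address-list=ddos-attackers address-list-timeout=10m

# Recorded pairs are dropped in raw prerouting, before connection tracking
/ip firewall raw
add chain=prerouting action=drop \
    src-address-list=ddos-attackers dst-address-list=ddos-targets \
    comment="drop recorded attacker/target pairs"
```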
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: DDOS attack need help

Tue May 09, 2023 9:58 pm

> For this purpose it would be better to have MAC address lists in ROS (which ROS doesn't have); blocking by MAC address will be more effective for this kind of attack.

A nice thought, but the MAC address will unfortunately not travel along with the attacker's IP packets. In other words, you will more or less only see MAC addresses of your ISP's default gateways. Botnet attacks that utilize their full power generally only target high-priority prey, thus a regular blocklist is sufficient for the normal consumer and will not crash RoS if it becomes full.

FWIW, intrusions to gather classified/important information are far more common when targeting POI working at home.
Last edited by Larsa on Tue May 09, 2023 10:17 pm, edited 4 times in total.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: DDOS attack need help

Tue May 09, 2023 10:01 pm

> Thus, a blocklist is sufficient for the normal consumer and will not crash the RoS if it becomes full.

There is a limit for address list size in ROS?
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: DDOS attack need help

Tue May 09, 2023 10:04 pm

Yes, storage and ram may impose a limit depending on your model.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: DDOS attack need help

Tue May 09, 2023 10:11 pm

> Yes, storage and ram may impose a limit depending on your model.

Good to know. I guess I have enough RAM on my device; when I tested this with random IPs, I had hundreds of IPs in the list. It didn't crash but I had to reboot to clean that up...

EDIT: I remember now which list caused an out of memory crash a while ago - DNS server static entries. I had a huge list generated by some script... I mistakenly thought it was address lists, that's why I mentioned it as a potential DoS attack vector against ROS.
Last edited by optio on Tue May 09, 2023 10:29 pm, edited 2 times in total.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: DDOS attack need help

Tue May 09, 2023 10:20 pm

I've used several hundreds of thousands without problems. However, it may take some time to load and delete them thus that amount of entries might be better suited in a dedicated firewall for that particular purpose.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DDOS attack need help

Tue May 09, 2023 11:12 pm

All avoidable if we do not have to expose public IPs..................... drumrollllllllllll ................ zerotrust cloudflare tunnel as an options package for all devices.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: DDOS attack need help

Tue May 09, 2023 11:22 pm

Yeah, such a solution would fit perfectly in this case!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DDOS attack need help

Tue May 09, 2023 11:31 pm

In most every case where a home user has servers of one ilk or another!
