LeftyTs
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

DDoS detection and blocking

Tue Oct 06, 2020 10:11 pm

According to this https://wiki.mikrotik.com/wiki/DDoS_Det ... d_Blocking the expire time has a bug so 10s is actually 1s. Can anyone please throw some light on whether this is still the case? What is the expire value needed for in any case? I am trying to set a rule to drop and blacklist all udp traffic if over 6 packets per 8 seconds per IP but the expire value is a little confusing.

Is this the right way to do it?
dst-limit=6/8s,6,src-and-dst-addresses/80s
Thank you
 
karlisi
Member
Posts: 437
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: DDoS detection and blocking

Wed Oct 07, 2020 9:42 am

That article is almost 10 years old, please use the current version:
https://help.mikrotik.com/docs/display/ ... Protection
 
LeftyTs
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

Re: DDoS detection and blocking

Wed Oct 07, 2020 10:00 am

Even the newer version does not explain what the expire value is for and why you would want to use a 10s expire time for a 32 packets/1s time frame. It still uses 10s without explaining why the expire value should be as such.

So the question remains, how do I drop and blacklist any traffic above 6 packets per 8 seconds? What would be the correct expire value for it and why?
 
jprietove
Trainer
Posts: 212
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain

Re: DDoS detection and blocking  [SOLVED]

Wed Oct 07, 2020 10:35 am

So the question remains, how do I drop and blacklist any traffic above 6 packets per 8 seconds? What would be the correct expire value for it and why?

The answer can be found on https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter:

dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: )

Matches packets until a given rate is exceeded. Rate is defined as packets per time interval. As opposed to the limit matcher, every flow has its own limit. Flow is defined by the mode parameter. Parameters are written in the following format: count[/time],burst,mode[/expire].
  • count - packet count per time interval per flow to match
  • time - specifies the time interval in which the packet count per flow cannot be exceeded (optional, 1s will be used if not specified)
  • burst - initial number of packets per flow to match: this number gets recharged by one every time/count, up to this number
  • mode - this parameter specifies what unique fields define flow (src-address, dst-address, src-and-dst-address, dst-address-and-port, addresses-and-dst-port)
  • expire - specifies interval after which flow with no packets will be allowed to be deleted (optional)

Dropping traffic above 6 packets per 8 seconds means: dst-limit=6/8s

I think your doubt is about expire time. Maybe it is easier to understand with an example. Suppose that you receive this number of packets for a flow. Depending on whether the expire time is 2s or 10s, the calculated rate is different.
Time  #Packets    Rate (expire=2s)      Rate (expire=10s)
   0        1               1p/s                    1p/s
   1        3               2p/s                    2p/s
   2        0               2p/s                  1,3p/s
   3        0               2p/s                    1p/s
   4       21              21p/s                    5p/s
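As an added illustration (not RouterOS code and not anything posted in this thread), here is a token-bucket model of the dst-limit matcher as the manual text quoted above describes it: count[/time],burst,mode[/expire]. How RouterOS implements this internally is an assumption, as is deleting an idle flow exactly at expire; the addresses and packet timings are constructed. It shows what expire changes: when expire is shorter than the time the bucket needs to refill (time*burst/count, 8s here), an idle flow is forgotten and its next packets get a fresh burst.

```python
from dataclasses import dataclass, field
from typing import Optional

# How a packet is reduced to a flow key for each documented mode.
MODES = {
    "src-address": lambda p: p["src"],
    "dst-address": lambda p: p["dst"],
    "src-and-dst-addresses": lambda p: (p["src"], p["dst"]),
}

@dataclass
class DstLimit:
    count: int                        # packets per time interval per flow
    time: float = 1.0                 # interval in seconds (manual: 1s if omitted)
    burst: int = 1                    # bucket size, recharged by one every time/count s
    mode: str = "src-address"         # fields that identify a flow
    expire: Optional[float] = None    # idle seconds before the flow entry is deleted
    flows: dict = field(default_factory=dict)  # key -> [tokens, last_seen]

    def match(self, pkt):
        """True while the flow is within its rate (the dst-limit rule matches);
        False once it is exceeded, which is what a following
        add-src-to-address-list / drop rule would see."""
        key, now = MODES[self.mode](pkt), pkt["t"]
        state = self.flows.get(key)
        if state and self.expire is not None and now - state[1] > self.expire:
            state = None                  # idle longer than expire: flow forgotten
        if state is None:
            state = [float(self.burst), now]  # new flow starts with a full burst
        tokens, last = state
        tokens = min(self.burst, tokens + (now - last) * self.count / self.time)
        ok = tokens >= 1
        if ok:
            tokens -= 1
        self.flows[key] = [tokens, now]
        return ok

def run(spec, packets):
    """Apply one dst-limit spec to a packet list; returns per-packet match flags."""
    m = DstLimit(**spec)
    return [m.match(p) for p in packets]

# Constructed sample: 10 UDP packets from one source at t=0, then 6 more at t=3.
FLOW = {"src": "198.51.100.7", "dst": "192.0.2.10"}   # constructed addresses
PACKETS = [dict(FLOW, t=0.0) for _ in range(10)] + [dict(FLOW, t=3.0) for _ in range(6)]
LONG_EXPIRE = dict(count=6, time=8, burst=6, mode="src-and-dst-addresses", expire=80)
SHORT_EXPIRE = dict(count=6, time=8, burst=6, mode="src-and-dst-addresses", expire=2)
```

With expire=80s only 2 of the 6 packets at t=3 match (the bucket has refilled 2.25 tokens), while with expire=2s all 6 match because the flow was forgotten; so expire should be at least time*burst/count if the blacklist rule is meant to fire at the configured rate.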
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: DDoS detection and blocking

Wed Oct 07, 2020 12:19 pm

UDP source addresses are trivially spoofed, using rules like this you turn a volumetric DDoS into a computational DDoS as your connection tables fill up and crash the router.

There are no magic rules to fix DDoS. If your bandwidth is lower than the incoming traffic then by the time it hits your router it is too late to do anything about it, your link is already saturated.
 
LeftyTs
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

Re: DDoS detection and blocking

Wed Oct 07, 2020 1:00 pm

Yes jprietove, that is exactly the answer I was looking for. The expire value does not seem to be well documented. Thank you for the example.

R1CH, there is no crash here my friend so no worries. What you are saying is already well known and not the issue here but thanks anyways! ;)
 
Cha0s
Forum Guru
Posts: 1139
Joined: Tue Oct 11, 2005 4:53 pm

Re: DDoS detection and blocking

Wed Oct 07, 2020 1:53 pm

R1CH, there is no crash here my friend so no worries. What you are saying is already well known and not the issue here but thanks anyways! ;)
Wait until you get a SYN Flood DDoS and watch your MikroTik (doesn't matter which model or how much bandwidth you have) become totally unresponsive.
 
LeftyTs
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

Re: DDoS detection and blocking

Wed Oct 07, 2020 2:33 pm

R1CH, there is no crash here my friend so no worries. What you are saying is already well known and not the issue here but thanks anyways! ;)
Wait until you get a SYN Flood DDoS and watch your MikroTik (doesn't matter which model or how much bandwidth you have) become totally unresponsive.
I already have about 19000 IPs so far ;)
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: DDoS detection and blocking

Thu Oct 08, 2020 12:05 am

R1CH, there is no crash here my friend so no worries. What you are saying is already well known and not the issue here but thanks anyways! ;)
Wait until you get a SYN Flood DDoS and watch your MikroTik (doesn't matter which model or how much bandwidth you have) become totally unresponsive.
There's protection against SYN Flood too.

https://help.mikrotik.com/docs/display/ ... -SYNAttack
 
PackElend
Member Candidate
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: DDoS detection and blocking

Fri Jun 09, 2023 4:08 pm

Dropping traffic above 6 packets per 8 seconds means: dst-limit=6/8s

I think your doubt is about expire time. Maybe it is easier to understand with an example. Suppose that you receive this number of packets for a flow. Depending on whether the expire time is 2s or 10s, the calculated rate is different.
Time  #Packets    Rate (expire=2s)      Rate (expire=10s)
   0        1               1p/s                    1p/s
   1        3               2p/s                    2p/s
   2        0               2p/s                  1,3p/s
   3        0               2p/s                    1p/s
   4       21              21p/s                    5p/s
thx for your effort. Unfortunately, I'm still having difficulties understanding how to calculate it.
Can you share how you did the maths?
