Is this the right way to do it?
dst-limit=6/8s,6,src-and-dst-addresses/80s
So the question remains, how do I drop and blacklist any traffic above 6 packets per 8 seconds? What would be the correct expire value for it and why?
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: )
Matches packets until a given rate is exceeded. Rate is defined as packets per time interval. As opposed to the limit matcher, every flow has its own limit. Flow is defined by the mode parameter. Parameters are written in the following format: count[/time],burst,mode[/expire].
- count - packet count per time interval per flow to match
- time - specifies the time interval in which the packet count per flow cannot be exceeded (optional, 1s will be used if not specified)
- burst - initial number of packets per flow to match: this number gets recharged by one every time/count, up to this number
- mode - this parameter specifies what unique fields define flow (src-address, dst-address, src-and-dst-address, dst-address-and-port, addresses-and-dst-port)
- expire - specifies interval after which flow with no packets will be allowed to be deleted (optional)
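As an added example (not code from the thread or from RouterOS), here is a small Python model of the matcher described above, assuming it behaves as a per-flow token bucket: a new flow starts with burst tokens, each matched packet spends one, tokens recharge at count/time per second up to burst, and a flow idle for longer than expire is deleted. The flow key, timestamps and packet counts are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    tokens: float     # packets this flow may still send before the rate is exceeded
    last_seen: float  # timestamp of the flow's most recent packet

@dataclass
class DstLimit:
    """Assumed token-bucket reading of dst-limit=count/time,burst,mode/expire."""
    count: int        # packets allowed per `time` interval (6 in the thread)
    time: float       # interval in seconds (8s in the thread)
    burst: int        # initial tokens per new flow (6 in the thread)
    expire: float     # idle seconds after which a flow entry is deleted (80s)
    flows: dict = field(default_factory=dict)

    def match(self, ts: float, flow_key: str) -> bool:
        f = self.flows.get(flow_key)
        if f is None or ts - f.last_seen > self.expire:
            f = Flow(tokens=float(self.burst), last_seen=ts)  # new (or expired) flow: full burst
            self.flows[flow_key] = f
        else:
            refill = (ts - f.last_seen) * self.count / self.time  # one token per time/count seconds
            f.tokens = min(float(self.burst), f.tokens + refill)
            f.last_seen = ts
        if f.tokens >= 1.0:
            f.tokens -= 1.0
            return True   # within the limit: the dst-limit rule matches
        return False      # rate exceeded: a following drop or address-list rule would act

def run_scenario(expire: float = 80.0) -> dict:
    """Constructed traffic: one flow sends 8 packets at t=0, then 1 packet per second."""
    lim = DstLimit(count=6, time=8.0, burst=6, expire=expire)
    key = "192.0.2.10->203.0.113.5"  # constructed src-and-dst-addresses flow key
    burst = [lim.match(0.0, key) for _ in range(8)]
    steady = [(t, lim.match(float(t), key)) for t in range(1, 25)]
    return {
        "burst_matched": burst.count(True),                        # 6 of 8 pass
        "steady_exceeded_at": [t for t, ok in steady if not ok],   # every 4th second
    }

def tokens_after_idle(expire: float, idle: float) -> float:
    """Tokens a drained flow has available after `idle` seconds of silence."""
    lim = DstLimit(count=6, time=8.0, burst=6, expire=expire)
    key = "192.0.2.10->203.0.113.5"
    for _ in range(6):
        lim.match(0.0, key)             # spend the whole burst at t=0
    lim.match(idle, key)                # first packet after the idle period
    return lim.flows[key].tokens + 1.0  # add back the token that packet spent
```

Under these assumptions a drained flow is back to a full burst after burst*time/count = 8s of silence whichever expire you pick, so expire only decides how long idle flow entries stay in memory, not which packets match.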
Wait until you get a SYN Flood DDoS and watch your MikroTik (doesn't matter which model or how much bandwidth you have) become totally unresponsive.

R1CH, there is no crash here my friend, so no worries. What you are saying is already well known and not the issue here, but thanks anyway! ;)

I already have about 19000 IPs so far ;)

There's protection against SYN Flood too.
thx for your effort. Unfortunately, I'm still having difficulties in understanding how to calculate it.

Dropping traffic above 6 packets per 8 seconds means: dst-limit=6/8s
I think your doubt is about the expire time. Maybe it is easier to understand with an example. Suppose that you receive this number of packets for a flow. Depending on whether the expire time is 2s or 10s, the calculated rate is different.
Time  #Packets  Rate (expire=2s)  Rate (expire=10s)
0     1         1p/s              1p/s
1     3         2p/s              2p/s
2     0         2p/s              1.3p/s
3     0         2p/s              1p/s
4     21        21p/s             5p/s