Fri Jun 30, 2023 6:31 pm
As mentioned by others, there are two key fundamentals of DDoS.
1) Bandwidth (Available vs Attack).
2) Filtering.
When you understand these two concepts you can see clearly what the solutions are, which are not brand specific. First, let's understand the types of attacks and what the goal of the attacker is in each case.
Types of Attacks:
1) Volumetric
This one is simple, it is a flood style attack where the goal of the attacker is to send as many packets to the target from as many sources as possible to consume all available bandwidth. This attack has nothing to do with services you are hosting or firewall rules you employ (as the target). These need to be resolved at the edges of the network.
2) Protocol
Here the attacker is using features of the protocol to either cause hangs, consume connection resources or amplify attacks against the target. This is more about packet processing than bandwidth, but the two aren't mutually exclusive in this situation. You can have a high pps and high bandwidth attack; you can also have a high pps and low bandwidth attack. In this case, when it is not combined with a bandwidth or volumetric style attack, carefully ordered firewall rules and other protocol attack preventions like SYN cookies can prevent or help mitigate the effect of these attacks.
3) Application Layer
In this case the attacker is exploiting some service you are hosting (file server, web server, etc.) or they are abusing your poorly coded website and consuming all your resources just to deliver the index page of your website by calling a large number of GET requests, etc. These are the easiest attacks to mitigate, and that can be accomplished either by firewall rules or by recoding your website or patching your hosted service, etc.
Solutions:
1) To successfully and completely mitigate a volumetric attack you need bandwidth (lots of it, think Tbps capacity) and you need multiple routes to redirect flows through. You, as a typical end-consumer, have only one route to your router, and therefore if every truck from India goes on that road there is no chance that even a dirtbike is getting through. So how does it get solved? Well, network providers can re-route traffic flows based on their many routes and peering connections; this allows them to distribute the load so as not to overwhelm any single edge router. Doing this in combination with likely AI-enabled traffic pattern recognition algorithms, they can intelligently update all edge routers across their entire network to drop packets from "bad actors" before they even enter the network, thereby protecting whatever the target (maybe you) is on their network. More specifically, imagine if you are able to prevent the truck from even leaving each individual warehouse in India; then you have already solved the volume problem before it becomes a problem, the trucks never reach the road and never gain power in volume. In short, the issue is not MikroTik or any other brand; your bandwidth and peering routes will dictate if you have any options to mitigate volumetric attacks.
For volumetric attacks that are under your available bandwidth, then yes, you as the end-consumer can mitigate those (it will consume CPU and will depend on the CPU power of your router). Methods listed on this forum like address blocking, dropping entire CIDR ranges that you know are bad, or the reverse approach of whitelisting only certain IPs are all viable solutions.
2) Protocol attacks depend on the protocol: for ICMP, just block ICMP (obviously this may have unintended consequences); for NTP, don't be a potential victim or bot by opening those servers to the public; for TCP SYN, use SYN cookies. In general, typical protocol attacks can be blocked by properly using the firewall and, most importantly, not exposing services to the public, or doing so in a way that limits the attack surface (like VPN). Keep in mind that combining a protocol attack with volume can still be an issue if you have low bandwidth.
3) Application attacks are the easiest to prevent. Don't open services to the public without proper patching, whitelisting or blacklisting of IP ranges based on geo-location or other clear cases that should never occur, and most importantly proper application design: don't code crappy things that consume 10% of your server compute to respond to 1 request.
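As an added illustration (not code from this post or anyone in the thread), the following Python snippet applies the three categories above to constructed one-second flow samples and reports which layer can actually act on each: volumetric first, because once the link is full no local rule helps. The thresholds, field names and sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowSample:
    """One sampled flow record (constructed for this example, not from the post)."""
    src: str
    proto: str               # "tcp", "udp" or "icmp"
    bytes: int               # bytes seen in the sample window
    packets: int             # packets seen in the sample window
    half_open: bool = False  # TCP SYN seen without a completed handshake
    http_gets: int = 0       # application-layer requests attributed to this flow


def link_utilization(samples, window_s, link_bps):
    """Attack bandwidth as a fraction of available bandwidth (the first fundamental)."""
    total_bits = sum(s.bytes for s in samples) * 8
    return total_bits / window_s / link_bps


def classify(samples, window_s, link_bps, util_limit=0.8, syn_ratio=0.5, gets_per_src=100):
    """Map a sample onto the post's three categories and the layer that can mitigate it.
    Thresholds are illustrative assumptions, not values from the post."""
    total_pkts = sum(s.packets for s in samples)
    if not total_pkts:
        return "normal", "no action"
    # 1) Volumetric: checked first; a saturated link makes every local rule irrelevant.
    if link_utilization(samples, window_s, link_bps) >= util_limit:
        return "volumetric", "upstream: provider re-routing/filtering; local rules cannot help"
    # 2) Protocol: a large share of half-open SYNs at a rate the link itself can carry.
    syn_pkts = sum(s.packets for s in samples if s.proto == "tcp" and s.half_open)
    if syn_pkts / total_pkts >= syn_ratio:
        return "protocol", "router: enable SYN cookies, rate-limit SYN per source, order rules"
    # 3) Application: a few sources issuing an abnormal number of requests.
    gets = defaultdict(int)
    for s in samples:
        gets[s.src] += s.http_gets
    hot = sorted(src for src, n in gets.items() if n >= gets_per_src)
    if hot:
        return "application", f"service: block/rate-limit {hot}; fix expensive endpoints"
    return "normal", "no action"


# Constructed 1-second samples against an assumed 100 Mbit/s uplink.
LINK_BPS = 100_000_000
FLOOD = [FlowSample(f"198.51.100.{i}", "udp", 1_200_000, 1_000) for i in range(10)]  # 96 Mbit/s
SYN_FLOOD = [FlowSample("203.0.113.7", "tcp", 1_200_000, 20_000, half_open=True),
             FlowSample("192.0.2.5", "tcp", 300_000, 2_000)]
GET_FLOOD = [FlowSample("203.0.113.9", "tcp", 400_000, 600, http_gets=500),
             FlowSample("192.0.2.5", "tcp", 50_000, 40, http_gets=3)]
```

Feeding FLOOD + SYN_FLOOD together still yields "volumetric", which is the post's point that a protocol attack combined with volume has to be handled upstream.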