texmeshtexas
Member Candidate
Topic Author
Posts: 151
Joined: Sat Oct 11, 2008 11:17 pm

Protection against Frag attacks

Fri Nov 26, 2021 5:56 pm

The other night our CCR1072 running 6.48.5 was brought to its knees by a UDP fragmentation DDoS attack.
The fragmented packets were large, but I'm not sure that matters as far as the work the router has to do to reconstruct packets, other than memory use.
Got that mitigated, but now I'm working on a RAW rule to limit the rate of frag attacks.

The trick is to find the right balance between protection and allowing valid fragmented traffic.
This router sees peak evening traffic of about 4-4.5Gbps.
Over the last couple of days, the following rules saw 6.5M fragmented packets and dropped 46K of them that exceeded the 300/sec limit:

/ip firewall raw
add action=accept chain=prerouting comment="Experimental Fragmented traffic limit rule for DDoS protection. 300/sec to dst. Addr." dst-limit=300,300,dst-address/1m fragment=yes log-prefix="Frag Traffic"
add action=drop chain=prerouting comment="Fragmented traffic over limit" fragment=yes log-prefix="Frag Traffic excess"

Does anyone have a better way of dealing with Frag attacks?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Protection against Frag attacks

Fri Nov 26, 2021 9:13 pm

> Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet.

The first fragment is let through and will sit in connection tracking for a set period = reduce the period it will sit in connection tracking.

The only mark you can set in RAW is notrack. If you can mark even the first packet, it won't end up in connection tracking, saving 30% CPU time. But then dropping is better on the SRC address or on the port.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Protection against Frag attacks

Fri Nov 26, 2021 10:35 pm

How come I never see any of this so-called attack traffic??
It must be my block-all-else rule at the end of the input and forward chains......... that's right, I am not a believer.....
Vaccines yes, anything else not so much. If you don't have open ports, then sleep easy.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Protection against Frag attacks

Fri Nov 26, 2021 10:44 pm

anav wrote:
> How come I never see any of this so-called attack traffic??

A "drop all else" rule can hardly be applied to an ISP's edge router/firewall.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: Protection against Frag attacks

Sat Nov 27, 2021 1:59 am

Why are you not dropping everything on your WAN interface? If they are targeting a client behind NAT, then that client would have to have initiated the connection in order for the router to forward fragments. If you're using a routed setup then just drop all fragments at the edge, there's no good reason for fragmented traffic on the internet.
 
Dripke
just joined
Posts: 3
Joined: Mon Aug 16, 2021 6:13 pm

Re: Protection against Frag attacks

Sun Nov 28, 2021 5:17 pm

Limiting the amount of traffic should help deter such attacks. I have attended several conferences with experts on this topic. I also create conference flyers myself to share this knowledge. You also need to use filters in the form of IP blacklists. This is not a guarantee of 100% protection, but it will provide basic protection against DDoS attacks.
 
texmeshtexas
Member Candidate
Topic Author
Posts: 151
Joined: Sat Oct 11, 2008 11:17 pm

Re: Protection against Frag attacks

Wed Dec 01, 2021 11:11 pm

anav wrote:
> How come I never see any of this so-called attack traffic??
> It must be my block-all-else rule at the end of the input and forward chains......... that's right, I am not a believer.....
> Vaccines yes, anything else not so much. If you don't have open ports, then sleep easy.

Can't block fragmented packets in normal filter rules, as the router is busy trying to reconstruct the packet.
Only the RAW filter even matches on the IP Frag option.
 
texmeshtexas
Member Candidate
Topic Author
Posts: 151
Joined: Sat Oct 11, 2008 11:17 pm

Re: Protection against Frag attacks

Wed Dec 01, 2021 11:19 pm

Dripke wrote:
> Limiting the amount of traffic should help deter such attacks. I have attended several conferences with experts on this topic. I also create conference flyers myself to share this knowledge. You also need to use filters in the form of IP blacklists. This is not a guarantee of 100% protection, but it will provide basic protection against DDoS attacks.

I do like to add the src address to a list and drop it. I do that for many other blocklist protections. However, I'll be adding to my blacklist for an hour at a time.
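Combining the OP's dst-limit rules with the one-hour source list described in this post, as an added example that is not config from anyone in the thread (the list name frag-flood and the interface list WAN are assumptions):

```routeros
# Added example, not the thread authors' config. Assumes an interface list
# named WAN and uses an address list named frag-flood (both assumed names).
/ip firewall raw
# 1. Sources already caught flooding are dropped before any reassembly work.
add chain=prerouting in-interface-list=WAN src-address-list=frag-flood \
    action=drop comment="Drop fragments from listed flood sources"
# 2. Fragments within 300/sec per destination address (burst 300, counter
#    entry expires after 1m idle) are accepted, as in the OP's rule.
add chain=prerouting in-interface-list=WAN fragment=yes \
    dst-limit=300,300,dst-address/1m action=accept \
    comment="Fragment rate limit per dst address"
# 3. Over the limit: record the source for 1h. add-src-to-address-list is a
#    passthrough action, so the packet continues to the next rule.
add chain=prerouting in-interface-list=WAN fragment=yes \
    action=add-src-to-address-list address-list=frag-flood \
    address-list-timeout=1h comment="List fragment flood sources for 1h"
# 4. ...and drop the excess fragment, logging it for later review.
add chain=prerouting in-interface-list=WAN fragment=yes action=drop \
    log=yes log-prefix="Frag excess" comment="Fragmented traffic over limit"

# Check: per-rule hit counters and the sources currently listed.
/ip firewall raw print stats
/ip firewall address-list print where list=frag-flood
```

Fragment floods often carry spoofed source addresses, so the list can grow with addresses that never sent anything; the 1h timeout keeps that exposure bounded.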
 
texmeshtexas
Member Candidate
Topic Author
Posts: 151
Joined: Sat Oct 11, 2008 11:17 pm

Re: Protection against Frag attacks

Wed Dec 01, 2021 11:21 pm

R1CH wrote:
> Why are you not dropping everything on your WAN interface? If they are targeting a client behind NAT, then that client would have to have initiated the connection in order for the router to forward fragments. If you're using a routed setup then just drop all fragments at the edge, there's no good reason for fragmented traffic on the internet.

The targets are not behind NAT, but because the MT router is busy trying to reconstruct the fragmented packet before forwarding, it gets all bogged down and the CPU goes to 100%. Even on a CCR1072!!
