dineshplp
newbie
Topic Author
Posts: 30
Joined: Wed Jan 09, 2008 7:09 am

DDos on wan

Fri Jan 28, 2022 6:49 pm

Hi,

For the past few days, we saw huge incoming traffic on our WAN port. Figured out some random IPs were trying to connect to port 80 of some random LAN IP. The LAN IP is not configured anywhere. We saw 100% CPU load so added a raw filter to drop such connections. Now CPU sits normal but the WAN port is 100% used.

One such connection:

prerouting: in:vlan1018-Airtel-ILL out:(unknown 0), src-mac c2:bf:a7:96:fe:35, proto UDP, 5.104.160.88:53->LanpublicIP:80, prio 3->0, len 1476
Added blackhole route too but it's not helping. No service is running on LAN side on port 80.

Adding rules to ip firewall filter is not lowering the CPU.

Any suggestions on mitigating the issue?
Last edited by dineshplp on Fri Jan 28, 2022 7:28 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 8814
Joined: Mon Dec 04, 2017 9:19 pm

Re: DDos on wan

Fri Jan 28, 2022 7:03 pm

What do you expect to hear in response? If the DDoS exhausts the bandwidth of the WAN, there's nothing you can do against that at your end. You have to ask the upstream ISP to block the source, or at least block traffic to port 80 on your LAN subnet.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
dineshplp
newbie
Topic Author
Posts: 30
Joined: Wed Jan 09, 2008 7:09 am

Re: DDos on wan

Fri Jan 28, 2022 7:10 pm

What do you expect to hear in response? If the DDoS exhausts the bandwidth of the WAN, there's nothing you can do against that at your end. You have to ask the upstream ISP to block the source, or at least block traffic to port 80 on your LAN subnet.
Well, you could have given the suggestion without using the first sentence. Anyhow thanks.
 
sindy
Forum Guru
Posts: 8814
Joined: Mon Dec 04, 2017 9:19 pm

Re: DDos on wan

Fri Jan 28, 2022 7:13 pm

you could have given the suggestion without using the first sentence. Anyhow thanks.
The first sentence was there because there was no question in the OP, so it looked more like just a statement.
 
dineshplp
newbie
Topic Author
Posts: 30
Joined: Wed Jan 09, 2008 7:09 am

Re: DDos on wan

Fri Jan 28, 2022 7:28 pm

you could have given the suggestion without using the first sentence. Anyhow thanks.
The first sentence was there because there was no question in the OP, so it looked more like just a statement.
Added the question.
 
anav
Forum Guru
Posts: 11720
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DDos on wan

Fri Jan 28, 2022 8:54 pm

Do you have any ports open currently, or should I say set up on Dst NAT rules etc...
and if so, are they open-ended or are they limited by a source address list?

What is attracting attention??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
dineshplp
newbie
Topic Author
Posts: 30
Joined: Wed Jan 09, 2008 7:09 am

Re: DDos on wan

Sat Jan 29, 2022 7:24 am

Do you have any ports open currently, or should I say set up on Dst NAT rules etc...
and if so, are they open-ended or are they limited by a source address list?

What is attracting attention??
So we have x.y.z.104/29 subnet. .105/29 is LAN IP and the rest of the IPs are being used to src NAT. x.y.z.107 was receiving too many packets on port 80. This IP is not even configured anywhere, just being used to do Src NAT.
prerouting: in:vlan1018-WAN-ILL out:(unknown 0), src-mac c2:bf:a7:96:fe:35, proto UDP, 5.104.160.88:53->X.Y.Z.107:80, prio 3->0, len 1476
port 80 is not open anywhere.
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: DDos on wan

Sat Jan 29, 2022 9:42 am

Hmm.. UDP source port 53? Is it consistent that UDP source port 53 is used?
You might consider dropping this (in raw) and then see if you can still allow incoming DNS from some legit upstream resolvers.
Are you, as an ISP, running public DNS servers yourself?

But in general the action for these volumetric attacks is often to contact the upstream ISP and get some support.

Our customers, when they purchase internet circuits from us, can choose to have DDoS "on their line".
We have the infrastructure embedded in our network to handle this "on ingress" and we can take a beating of many hundreds of Gbits/sec.
 
dineshplp
newbie
Topic Author
Posts: 30
Joined: Wed Jan 09, 2008 7:09 am

Re: DDos on wan

Mon Jan 31, 2022 8:12 am

Hmm.. UDP source port 53? Is it consistent that UDP source port 53 is used?
You might consider dropping this (in raw) and then see if you can still allow incoming DNS from some legit upstream resolvers.
Are you, as an ISP, running public DNS servers yourself?

But in general the action for these volumetric attacks is often to contact the upstream ISP and get some support.

Our customers, when they purchase internet circuits from us, can choose to have DDoS "on their line".
We have the infrastructure embedded in our network to handle this "on ingress" and we can take a beating of many hundreds of Gbits/sec.
Yes, UDP source port 53 is consistent. We are dropping this in raw. We are an ISP but not running public DNS. We spoke to our upstream provider and they offered a service where they will help mitigate DDoS.
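The pattern the thread converges on (consistent UDP source port 53, large packets, destination port 80 on an address that never sent a DNS query) is the signature of a DNS reflection flood. As an added example that is not part of this thread or of RouterOS, the script below parses firewall log lines in the format quoted above, flags that pattern while sparing replies from an allow-list of upstream resolvers (the exception jvanhambelgium suggests), and aggregates hits per destination so you can see which address is being targeted and from how many reflectors. The sample lines, the reflector port list and the trusted-resolver set are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Matches the RouterOS firewall log format quoted in this thread: "... proto UDP, src:port->dst:port, prio 3->0, len N".
LOG_RE = re.compile(r"proto (?P<proto>\w+)(?: \([^)]*\))?, (?P<src>[^:\s]+):(?P<sport>\d+)->"
                    r"(?P<dst>[^:\s]+):(?P<dport>\d+), prio \d+->\d+, len (?P<length>\d+)$")
# Source ports of UDP services commonly abused as reflectors (assumption: DNS, NTP, SSDP, memcached).
REFLECTOR_PORTS = {53, 123, 1900, 11211}

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int

def parse_line(line: str) -> Optional[Packet]:
    m = LOG_RE.search(line.strip())  # None for lines that are not in this log format
    if not m:
        return None
    g = m.groupdict()
    return Packet(g["proto"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]), int(g["length"]))

def is_reflection_candidate(p: Packet, trusted: Set[str], min_len: int = 512) -> bool:
    # Large UDP "reply" from a reflector port to a different port, sent by a server we never query
    # (the thread's case: src port 53 -> dst port 80, len 1476).
    return (p.proto == "UDP" and p.sport in REFLECTOR_PORTS and p.dport != p.sport
            and p.length >= min_len and p.src not in trusted)

def summarize(lines: Iterable[str], trusted: Set[str], threshold: int = 3) -> Dict[str, dict]:
    per_dst: Dict[str, dict] = {}  # destination IP -> packet count, bytes, distinct reflector sources
    for p in filter(None, map(parse_line, lines)):
        if not is_reflection_candidate(p, trusted):
            continue
        d = per_dst.setdefault(p.dst, {"packets": 0, "bytes": 0, "sources": set()})
        d["packets"] += 1
        d["bytes"] += p.length
        d["sources"].add(p.src)
    return {dst: d for dst, d in per_dst.items() if d["packets"] >= threshold}

# Constructed sample lines modelled on the one quoted in the thread (not real captures).
PREFIX = "prerouting: in:vlan1018-WAN-ILL out:(unknown 0), src-mac c2:bf:a7:96:fe:35, "
SAMPLE_LOG = [
    PREFIX + "proto UDP, 5.104.160.88:53->X.Y.Z.107:80, prio 3->0, len 1476",
    PREFIX + "proto UDP, 5.104.160.88:53->X.Y.Z.107:80, prio 3->0, len 1476",
    PREFIX + "proto UDP, 198.51.100.7:53->X.Y.Z.107:80, prio 3->0, len 1476",
    PREFIX + "proto UDP, 9.9.9.9:53->X.Y.Z.105:41234, prio 3->0, len 1200",  # big reply from a trusted resolver
    PREFIX + "proto TCP (SYN), 203.0.113.9:44321->X.Y.Z.105:443, prio 3->0, len 60",
]
```

Calling `summarize(SAMPLE_LOG, {"9.9.9.9"})` reports only X.Y.Z.107 (3 packets, 4428 bytes, 2 reflector sources); the matching drop in RouterOS's raw table, as used in the thread, is a prerouting rule for protocol=udp src-port=53 dst-port=!53 placed after accept rules for the resolvers you actually query.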
