PortalNET
Member Candidate
Topic Author
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Mikrotik DDOS ICMP with SSDP amplification

Mon Sep 12, 2022 3:15 am

Hi guys

Some ISPs using MikroTik are getting attacked with an SSDP DDoS... some peaks of 50 Gbps. Any ideas on how to mitigate this? The upstream provider is having some difficulties also...

Below are some pics of the traffic packet sniffer during the attack, whilst all CPU cores on the 1036 and 1072 jam at 100% usage.

We see thousands of spoofed IPs doing the attack... SSDP port 1900 is closed in IP firewall raw, on src and dst, UDP and TCP.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik DDOS ICMP with SSDP amplification

Mon Sep 12, 2022 2:20 pm

What is the output of /ip firewall raw print and /ip firewall raw print stats? If the requests are properly dropped, RouterOS should not be sending any ICMP packets back.
 
PortalNET
Member Candidate
Topic Author
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Re: Mikrotik DDOS ICMP with SSDP amplification

Mon Sep 12, 2022 4:01 pm

What is the output of /ip firewall raw print and /ip firewall raw print stats? If the requests are properly dropped, RouterOS should not be sending any ICMP packets back.

Hi

Attached is a pic of IP firewall RAW.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik DDOS ICMP with SSDP amplification

Mon Sep 12, 2022 4:16 pm

What is attracting the attacks... specific servers?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik DDOS ICMP with SSDP amplification

Mon Sep 12, 2022 4:25 pm

Since you've got a common rule for multiple ports, it is not possible to say whether it counts the SSDP packets or the other ones. Create separate rules (TCP, UDP) with dst-port=1900 alone and place it before the common one.

But that's only for analysis, otherwise it should work the way you've set it up - unless some match condition is set in the rule(s) that is not shown in this table view. That's the reason why I've asked for an output from text console where all match conditions are always visible.
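sindy's diagnostic suggestion written out as an added RouterOS console example; this is not from the thread, and the assumption that the existing common multi-port rule sits at position 0 in /ip firewall raw is mine.

```routeros
# Added example, not from the thread. Separate raw rules so the counters
# show SSDP traffic on its own, placed before the existing common rule.
# Assumption: the common multi-port rule currently sits at position 0.
/ip firewall raw
add chain=prerouting protocol=udp dst-port=1900 action=drop place-before=0 comment="diag: SSDP udp dst 1900"
add chain=prerouting protocol=udp src-port=1900 action=drop place-before=1 comment="diag: SSDP replies udp src 1900"
add chain=prerouting protocol=tcp dst-port=1900 action=drop place-before=2 comment="diag: SSDP tcp dst 1900"

# Zero the counters, then watch which rule is actually matching.
/ip firewall raw reset-counters-all
/ip firewall raw print stats

# Text-console print shows every match condition, including ones the
# table view hides; this is what sindy asked for.
/ip firewall raw print
```

If the diag rules count packets and the ICMP replies stop, the drop in raw is taking effect before the router answers; if they stay at zero, the traffic is not reaching the raw chain the way the table view suggests.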
 
PortalNET
Member Candidate
Topic Author
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Re: Mikrotik DDOS ICMP with SSDP amplification

Tue Sep 13, 2022 2:11 am

What is attracting the attacks... specific servers?

Well, they are attacking full ASN IPs... all /24 blocks being attacked with thousands of spoofed IPs, with random ports, ICMP packets with lengths 161 and 70 bytes, with that SSDP inside.
Last edited by PortalNET on Tue Sep 13, 2022 2:53 am, edited 1 time in total.
 
PortalNET
Member Candidate
Topic Author
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Re: Mikrotik DDOS ICMP with SSDP amplification

Tue Sep 13, 2022 2:34 am

Since you've got a common rule for multiple ports, it is not possible to say whether it counts the SSDP packets or the other ones. Create separate rules (TCP, UDP) with dst-port=1900 alone and place it before the common one.

But that's only for analysis, otherwise it should work the way you've set it up - unless some match condition is set in the rule(s) that is not shown in this table view. That's the reason why I've asked for an output from text console where all match conditions are always visible.

Hi, I guess the problem is the amplification of the attacks hammering at somewhat 50 Gbps on the interface... I guess no 10 Gbps SFP+ interface on the MikroTik will handle this kind of DDoS attack.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: Mikrotik DDOS ICMP with SSDP amplification

Tue Sep 13, 2022 2:40 am

Nothing you can do if your pipe is smaller than the attack bandwidth. Has to be mitigated upstream.
 
PortalNET
Member Candidate
Topic Author
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Re: Mikrotik DDOS ICMP with SSDP amplification

Tue Sep 13, 2022 2:54 am

Nothing you can do if your pipe is smaller than the attack bandwidth. Has to be mitigated upstream.
Yes indeed... the upstream provider is having difficulties... apparently Wanguard is not able to mitigate it.

Wondering if a CCR2216 with a 100G uplink port would be able to soften the hammering... but atm it is quite an expensive test, just to test DDoS mitigation.
