Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Default firewall Rules in ROS vs DDOS attack

Tue Jan 24, 2023 9:51 am

Hello to all MikroTik friends here!
So I see a lot of videos out there from MikroTik Certified Trainers or other high-level MikroTik people talking about DDoS mitigation, and they apply rules different from the pre-existing default rules on MikroTik RouterOS. So NOW my question is: does that mean that the default firewall rules in MikroTik are not enough, and we have to add other rules? Or do we have to replace them?
Well, one of my MikroTik user friends tells me that when you increase the firewall rules, you increase vulnerability, not security!
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Default firewall Rules in ROS vs DDOS attack

Tue Jan 24, 2023 9:56 am

DDOS Mitigation won't help most users (ISP can/should help in this case).

The number of rules will increase complexity. As long as you know what you do (and what every rule's reason for being is) you won't make it vulnerable.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Default firewall Rules in ROS vs DDOS attack

Tue Jan 24, 2023 9:58 am

If you think that there is a problem with them, then show what makes you fear.
Study the default configuration line by line.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default firewall Rules in ROS vs DDOS attack

Tue Jan 24, 2023 2:47 pm

... my question is: does that mean that the default firewall rules in MikroTik are not enough, and we have to add other rules? Or do we have to replace them?

The default firewall (where it exists; high-end devices come without one) is pretty secure: it defaults to a (weirdly implemented) drop-everything-else concept, which is the secure way to do it. However, since the default firewall setup relies on connection tracking doing its job, it is also quite resource demanding. In a normal situation one cannot really live without connection tracking (NAT requires it), so for normal operation this is not a problem.

But: DDoS hits connection tracking pretty hard because the router is flooded with packets all claiming a new connection, and thus the router "dies". So DDoS mitigation is needed. On a SOHO router one can add RAW firewall rules which will drop incoming packets that are part of a DDoS attack before they hit the connection tracking machinery. The remaining issue is consumption of uplink bandwidth ... and that can only be solved upstream (i.e. on the ISP's routers/firewalls).

And yes, your friend is right: if one starts to mess with the default firewall setup and isn't up to the task (the ROS learning curve is pretty steep from the beginning), then the chances of f***g up something are pretty high.
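Added example, not posted by anyone in this thread: one way to implement the "RAW rules before connection tracking" approach mkx describes, using the address-list detect/drop pattern on RouterOS. The interface list WAN, the address-list names, the 32-connections-per-10s threshold and the 10-minute timeouts are assumptions; tune them to your own traffic.

```routeros
# --- Detection: runs in the filter table, so it still costs conntrack ---
# Every NEW forwarded connection is sent through a detector chain.
/ip firewall filter
add chain=forward connection-state=new in-interface-list=WAN \
    action=jump jump-target=detect-ddos \
    comment="Assumed example: inspect new inbound connections"

# Within the limit (assumed: 32 new connections per src/dst pair per 10s,
# burst 32) the packet returns to the forward chain and is handled normally.
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
    action=return comment="Normal rate: leave the detector"

# Only packets that exceeded the limit reach these two passthrough actions:
# record the flooded host and the flooding source (assumed 10m timeouts).
add chain=detect-ddos action=add-dst-to-address-list \
    address-list=ddos-targets address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list \
    address-list=ddos-attackers address-list-timeout=10m

# --- Mitigation: RAW prerouting runs BEFORE connection tracking ---
# Once a source/target pair is listed, its packets are dropped here and never
# create conntrack entries, which is the resource mkx says a flood exhausts.
/ip firewall raw
add chain=prerouting in-interface-list=WAN \
    src-address-list=ddos-attackers dst-address-list=ddos-targets \
    action=drop comment="Assumed example: drop listed flood traffic pre-conntrack"

# Verify while testing: listed entries and the raw rule's packet counters.
/ip firewall address-list print where list~"ddos"
/ip firewall raw print stats
```

A flood from spoofed or widely distributed sources fills the address list instead of stopping, and, as mkx notes, the uplink bandwidth it consumes is still only solvable upstream at the ISP.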
