blackmetal
Member Candidate
Topic Author
Posts: 227
Joined: Mon Aug 16, 2010 9:01 am

question about no track action in raw firewall rules

Sat Dec 01, 2018 10:01 pm

Hello,
I have a CCR1036-8G-2S+ and in some cases, when my users receive DDoS attacks (for example too many new connections, or around 500k UDP), I have to add a rule in IP firewall raw with drop action so that packets do not go through the connection tracking table (connection tracking on my MikroTik is off) and are dropped, and my CPU load in this case goes down and returns to normal.
So in this case my question is: can I use the no track action instead of drop? In this case will my CPU load again be normal, but with the traffic going towards the user? Because while I am under attack I receive, for example, 80k new connections, and because connection tracking is off on my MikroTik I cannot limit new connections. So the only way is to play with raw filter rules to keep CPU usage normal.

Thank you.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: question about no track action in raw firewall rules

Sat Dec 01, 2018 10:28 pm

Notrack won't help because connection tracking is already disabled by you.

viewtopic.php?f=2&t=114664&p=599785&hil ... os#p605976
 
blackmetal
Member Candidate
Topic Author
Posts: 227
Joined: Mon Aug 16, 2010 9:01 am

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 7:07 am

Is there any way, like no track, other than drop?
Because most of my users have TeamSpeak servers, and while they are under attack I drop UDP 9987 towards their network, so I want the dirty packets not to trigger MikroTik connection tracking and to prevent CPU usage.
What is the other way, except blackholing IPs and dropping ports?
Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 2:11 pm

I'm not sure what you want to achieve.

By dropping the packet already using an /ip firewall raw rule, such a dropped packet will never reach the connection-tracking phase, so it won't generate the CPU load associated with connection tracking. If you just label it as no-track instead of dropping it, it will bypass connection tracking but will get further in the network stack, so you'll have to drop it later anyway.

If, instead, the idea is that all packets coming in via WAN towards UDP port 9987 should be delivered to the destination device as that device itself has to decide which ones are OK and which ones are not, then yes, you can label them with no-track in /ip firewall raw but in that case you also have to add another rule, saying that also whatever goes from that device's UDP port 9987 anywhere is labelled with no-track, otherwise the LAN->WAN packets would create the connection in the connection tracker.
 
blackmetal
Member Candidate
Topic Author
Posts: 227
Joined: Mon Aug 16, 2010 9:01 am

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 2:25 pm

I'm not sure what you want to achieve.

By dropping the packet already using an /ip firewall raw rule, such a dropped packet will never reach the connection-tracking phase, so it won't generate the CPU load associated with connection tracking. If you just label it as no-track instead of dropping it, it will bypass connection tracking but will get further in the network stack, so you'll have to drop it later anyway.

If, instead, the idea is that all packets coming in via WAN towards UDP port 9987 should be delivered to the destination device as that device itself has to decide which ones are OK and which ones are not, then yes, you can label them with no-track in /ip firewall raw but in that case you also have to add another rule, saying that also whatever goes from that device's UDP port 9987 anywhere is labelled with no-track, otherwise the LAN->WAN packets would create the connection in the connection tracker.

Understood. In this way, if I mark them as no track, do I have CPU load or not?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 2:27 pm

If you're going to "lift the gates" when under load, then you can do it all the time as well...
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 2:38 pm

By marking them notrack you convey the handling to another device or another part of the router. I use notrack for IPsec because IPsec can handle the connections itself.

Any traffic, even if dropped, will still use CPU power, but not as much as connection tracking would take to track it and then terminate it.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 3:20 pm

The connection tracking has to match each packet it is given against the whole list of connections it has in its memory table, which can have thousands of rows. There is some optimisation of the search, yet it does load the CPU. However, having a pair of individual manual rules for each of the connections which are normally tracked would be even more resource consuming, as there is no way to optimise that. So what you do is that you take one kind of connection, those to/from port 9987, which you suppose are responsible for most of the load, and handle them using two raw rules, while you let the rest be handled by connection tracking. So you lower the load by simplifying the handling.

On the other hand, fasttracking of connections makes the throughput on normal connections several times faster as compared to handling them normally, while it depends on connection tracking being active for these connections, so the optimisation of packet matching to existing connections in the connection tracker must be damned efficient. And labelling the packets with no-track only excludes them from connection tracking, but not from the other stages of firewall and routing processing, so I'm afraid that if you let them get through without connection tracking, you won't save as much CPU as you expect.
 
blackmetal
Member Candidate
Topic Author
Posts: 227
Joined: Mon Aug 16, 2010 9:01 am

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 4:18 pm

See, for example: when I receive 500k packets for a user on UDP port 9987 my CPU load is around 80%; then I block that port in IP firewall -> raw filter and my CPU load goes to 0% with the same amount of data.
Right now, what is your suggestion instead of dropping them? Use no track / use fast track? I want to pass this traffic to my users' devices without making my router noisy and busy.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 4:54 pm

You still haven't clarified whether you want the device listening at 9987 to get also the DDoS traffic or whether you want Mikrotik to stop the DDoS traffic and only let through the "legal" one.

Dropping the traffic right at /ip firewall raw causes the least load to the CPU, as neither connection tracking nor the other layers of the firewall have to deal with it.

Fasttracking DDoS traffic makes little sense, as the DDoS packets don't actually establish useful connections, so you'd get the disadvantage of connection tracking but you wouldn't benefit from its advantages.

Letting the DDoS traffic through to the device without connection tracking means that the rest of the firewall will have to process it, thus causing CPU load.

So I would be all for dropping the DDoS traffic using the /ip firewall raw rule; however, you have to use an address list to distinguish between DDoS sources and legal sources. So the matching of the raw rule becomes more CPU-intensive (matching the source address to a list of mutually unrelated addresses needs more CPU than matching only a destination port to a single value), and you have to populate that address list somehow. If you could manually list permitted sources, you'd be good, but it is probably not an option. So you have to make the address list a black one (i.e. matching packets will be dropped) and either make the target device send some special packet back to the address of the DDoS source and add the destination of that special packet to the address list, or run a script every second to list connections to 9987 which got no response from the destination device and add their source addresses to the blacklist. However, this is efficient only if many connection attempts come from the same IP address; if it is a "well-done" DDoS where each connection attempt comes from a different address, there is nothing really efficient you could do.
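A worked version of the second variant sindy describes (raw drop against a blacklist, populated every second from connections to 9987 that got no reply), as an added example and not a configuration posted in the thread. Assumed names: WAN interface ether1, TeamSpeak server 203.0.113.10 (documentation address range), address list ts3-ddos, script and scheduler both named ts3-blacklist. The script inspects the connection table, so this only works where connection tracking is enabled; with tracking off (the original poster's situation) there are no entries to inspect and the blacklist stays empty.

```routeros
# Added example, not from the thread. Assumed: ether1 = WAN, TS3 server 203.0.113.10,
# address list "ts3-ddos". Syntax is RouterOS v6 CLI.

# 1. Raw rule: blacklisted sources are dropped before connection tracking sees them.
#    Place it above any notrack/accept rules for the same port.
/ip firewall raw
add chain=prerouting in-interface=ether1 protocol=udp dst-address=203.0.113.10 dst-port=9987 \
    src-address-list=ts3-ddos action=drop comment="TS3 DDoS sources, dropped pre-conntrack"

# 2. Script body (paste as the source of: /system script add name=ts3-blacklist).
#    Every UDP "connection" towards 203.0.113.10:9987 that the server never answered
#    (repl-packets=0) gets its source IP added to the blacklist with a timeout.
:foreach c in=[/ip firewall connection find where protocol=udp && dst-address="203.0.113.10:9987" && repl-packets=0] do={
    # src-address of a connection entry is "ip:port"; keep only the ip part
    :local src [/ip firewall connection get $c src-address]
    :local ip [:pick $src 0 [:find $src ":"]]
    # a legitimate client's first packet may simply not have been answered yet,
    # so require a few unanswered packets before blacklisting (threshold is an assumption)
    :if ([/ip firewall connection get $c orig-packets] > 3) do={
        # timeout lets entries expire; on-error swallows "already have such entry"
        :do {
            /ip firewall address-list add list=ts3-ddos address=$ip timeout=1h comment="no reply on udp/9987"
        } on-error={}
    }
}

# 3. Run the script every second, as suggested in the post.
/system scheduler
add name=ts3-blacklist interval=1s on-event=ts3-blacklist
```

Once a source is listed, its further packets are dropped in raw and its existing connection entry ages out on its own. The approach inherits the caveat from the post: it only pays off when many attempts share a source address; a spoofed flood with a fresh source per packet fills the list without reducing the load.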
 
blackmetal
Member Candidate
Topic Author
Posts: 227
Joined: Mon Aug 16, 2010 9:01 am

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 6:30 pm

I do not want to protect customers from DDoS attacks, and it is not important whether the traffic arrives at the customer's services; the only thing is to prevent the router from high CPU usage.
So if I use IP firewall raw rules with no track and fast track connection in the filter rules, do I get high CPU usage?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: question about no track action in raw firewall rules

Sun Dec 02, 2018 7:20 pm

You cannot use notrack and fasttrack for the same traffic, that's nonsense, fasttracking needs connection tracking to work. Or maybe it is not such nonsense, but there is currently no way to use a raw rule to say "accept matching packets and let them bypass the rest of the firewall", which is what fasttracking actually does for connection-tracked packets for which there is a fasttrack flag in their connection data.

So if you notrack some traffic in both directions and let it go through using /ip firewall filter chain=forward action=accept connection-state=established,related,untracked, you may get some improvement, but I cannot promise how significant it will be. It's not only that the DDoS traffic itself will not be handled by connection tracking, but also that there will be fewer rows (connections) in the connection tracking table for the other traffic to match against, because the DDoS traffic won't create these rows.
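The two-rule notrack setup from sindy's earlier reply (inbound to the server's UDP 9987, and the server's replies from that port, both marked no-track) together with the filter rule from this post, written out as an added example rather than configuration taken from the thread. Assumed names: ether1 = WAN, ether2 = LAN, TeamSpeak server 203.0.113.10. The server must be reachable at that address without NAT: packets marked notrack have no connection entry, so dst-nat/src-nat cannot act on them.

```routeros
# Added example, not from the thread. Assumed: ether1 = WAN, ether2 = LAN,
# TS3 server 203.0.113.10 routed without NAT. RouterOS v6 CLI syntax.

/ip firewall raw
# Inbound TS3 packets: skip connection tracking entirely.
add chain=prerouting in-interface=ether1 protocol=udp dst-address=203.0.113.10 dst-port=9987 \
    action=notrack comment="TS3 inbound: bypass conntrack"
# Replies from the server: without this rule the LAN->WAN packet would create
# the connection entry that the inbound rule just avoided.
add chain=prerouting in-interface=ether2 protocol=udp src-address=203.0.113.10 src-port=9987 \
    action=notrack comment="TS3 replies: bypass conntrack as well"

/ip firewall filter
# Fasttrack only ever applies to tracked flows; untracked packets never match here.
add chain=forward connection-state=established,related action=fasttrack-connection \
    comment="tracked flows only"
# Untracked packets never become "established", so they must be accepted explicitly
# or the final drop below catches them. "untracked" is a connection-state value.
add chain=forward connection-state=established,related,untracked action=accept \
    comment="accept tracked + untracked"
add chain=forward connection-state=invalid action=drop
# Typical default-style tail: everything else coming from WAN is dropped.
add chain=forward in-interface=ether1 action=drop comment="drop other WAN->LAN"
```

Only the raw lookup, routing and the forward chain run for these packets; the connection table is neither searched nor grown by them, which is the saving the post describes. As msatter noted earlier in the thread, a router that already has connection tracking switched off gains nothing from the notrack rules themselves; they matter once tracking is on for the rest of the traffic.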
 
changeip
Forum Guru
Posts: 3829
Joined: Fri May 28, 2004 5:22 pm

Re: question about no track action in raw firewall rules

Wed Nov 30, 2022 4:17 am

Think of it this way: a 10G port will fill up with DDoS traffic pretty easily. The MikroTik will pass that 10G no problem with almost no CPU, as long as conn-track isn't involved. Once conn-track is on it kills the router and there's no way it will keep up. He's basically asking why a MikroTik can route 10G but not conn-track 10G.
