Luri
just joined
Topic Author
Posts: 7
Joined: Tue Jun 07, 2016 8:20 pm

IP streser atack prevent

Thu Mar 26, 2020 8:55 pm

Hello, I'm trying to stop an attack that seems like a DDoS attack, but not at all. It is an IP stresser that uses the UDP and UDPMIX protocols, e.g. this website: https://www.stressthem.to/.

Is there any way to prevent it? Because a small ISP that doesn't have enough bandwidth goes down. I've tried a lot of firewall filter rules, but none were effective.
 
msatter
Forum Guru
Posts: 1459
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IP streser atack prevent

Thu Mar 26, 2020 9:28 pm

I am not an expert on this.

Best is blocking in RAW, and you need to use a filter rule on new connections to fill the blocking IP address table for use in RAW.

This way your connection table stays cleaner and stays working.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.47.beta.x / Winbox 3.21 / MikroTik APP 1.3.12
NordVPN viewtopic.php?f=2&t=158439&p=781009 for multiple connections.
 
Luri
just joined
Topic Author
Posts: 7
Joined: Tue Jun 07, 2016 8:20 pm

Re: IP streser atack prevent

Fri Mar 27, 2020 1:04 pm

I've tried this blocking method, but without any result.
The problem is that this kind of stresser can't be tracked and it uses a lot of different IPs that make requests on any port that the attacker can put on it. I've attached an image of the dashboard where the attack can be seen.
 
msatter
Forum Guru
Posts: 1459
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IP streser atack prevent

Fri Mar 27, 2020 1:35 pm

Are you attacking yourself?!

These are UDP and, like Covid-19, you have to take drastic measures.

Don't look at what you want to block. Look at what you want to allow and block the rest of the UDP ports in RAW. That is the best you can do.

You have normal DNS responses that you need, and you know which IP should be answering. Allow that address and block the other DNS returns that are fake.

Example in raw for using the DNS servers from Google:
add chain=prerouting protocol=udp src-address=8.8.8.8 src-port=53 action=accept
add chain=prerouting protocol=udp src-address=8.8.4.4 src-port=53 action=accept
add chain=prerouting protocol=udp src-port=53 action=drop

If the source address is also spoofed, you have to switch to a less popular DNS server.

etc.
 
ingdaka
Member Candidate
Posts: 288
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: IP streser atack prevent

Fri Mar 27, 2020 1:51 pm

Try this:
add chain=input protocol=udp in-interface=ether1 connection-state=!established,related action=drop
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE | MTCWE
 
jvanhambelgium
Member Candidate
Posts: 109
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: IP streser atack prevent

Fri Mar 27, 2020 2:24 pm

But even if you block, the packet has traveled across your link and is thus consuming bandwidth.
It might not be much, but still some bytes...
In order to safeguard against this, you really need support from "upstream", so the ISP that is providing you services!
Do you have enough bandwidth to support your downstream customers? Or are you suffering at this level?
 
msatter
Forum Guru
Posts: 1459
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IP streser atack prevent

Fri Mar 27, 2020 3:17 pm

> Try this:
> add chain=input protocol=udp in-interface=ether1 connection-state=!established,related action=drop

If you use that, then you are using connections, which is the most expensive in processor time.

If you put that in filter, then use it to add the source IP address to an address list which is used in RAW to block that IP address for all kinds of traffic.

USE RAW TO BLOCK, so avoiding the use of connections.
 
ingdaka
Member Candidate
Posts: 288
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: IP streser atack prevent

Fri Mar 27, 2020 4:38 pm

> > Try this:
> > add chain=input protocol=udp in-interface=ether1 connection-state=!established,related action=drop
>
> If you use that, then you are using connections, which is the most expensive in processor time.
>
> If you put that in filter, then use it to add the source IP address to an address list which is used in RAW to block that IP address for all kinds of traffic.
>
> USE RAW TO BLOCK, so avoiding the use of connections.

Yes, this is an option, but as the attacker uses fake IP addresses, that will make you deny connections to some servers that you really need!
 
msatter
Forum Guru
Posts: 1459
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IP streser atack prevent

Fri Mar 27, 2020 5:41 pm

> Yes, this is an option, but as the attacker uses fake IP addresses, that will make you deny connections to some servers that you really need!

When you are also using an IKEv2 connection, then those can be made notrack in RAW and so are caught by the rule (UDP 4500). To avoid that, the box for untracked has to be ticked too.
add action=drop chain=input comment="Block all that is not statefull, related or notrack" connection-state=!established,related in-interface-list=WAN log=yes log-prefix=filterdrop
I block all traffic coming in through the WAN. Traffic like TCP 25/80/443 is still welcome, but I have a route in Mangle for that, so that is then being tracked. That traffic is already checked in RAW on this router before being routed to the next router.
Last edited by msatter on Fri Mar 27, 2020 6:21 pm, edited 1 time in total.
 
Zacharias
Forum Guru
Posts: 1603
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: IP streser atack prevent

Fri Mar 27, 2020 5:53 pm

The best choice is to use the RAW firewall in those cases, as previously mentioned, since RAW is in the Prerouting chain, so even before the Input chain...
Firewall RAW table allows to selectively bypass or drop packets before connection tracking that way significantly reducing load on CPU. Tool is very useful for DOS attack mitigation.

RAW table does not have matchers that depend on connection tracking ( like connection-state, layer7 etc.).
If packet is marked to bypass connection tracking packet de-fragmentation will not occur.

Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw

Also the packet Flow Diagram: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
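
Added example, not part of any post in this thread: one way to write in RouterOS the pattern discussed above, where a filter rule fills an address list and RAW drops it before connection tracking, with an allow-list to limit the spoofed-source problem ingdaka raises. The list names udp-trusted and udp-flood, the 10m timeout and the members of the WAN interface list are assumptions.

```routeros
# Added example. List names, timeout and WAN interface list are assumptions.

/ip firewall address-list
# UDP sources that must never be blocked (the resolvers actually in use).
add list=udp-trusted address=8.8.8.8 comment="resolver in use"
add list=udp-trusted address=8.8.4.4 comment="resolver in use"

/ip firewall raw
# 1. Trusted sources pass first, so a spoofed flood cannot get them listed
#    and then dropped by rule 2.
add chain=prerouting in-interface-list=WAN protocol=udp \
    src-address-list=udp-trusted action=accept
# 2. Sources flagged by the filter rule below are dropped here, before
#    connection tracking spends CPU on them.
add chain=prerouting in-interface-list=WAN src-address-list=udp-flood \
    action=drop

/ip firewall filter
# 3. RAW has no connection-state matcher, so detection stays in filter:
#    unsolicited UDP to the router itself puts its source on the block list.
#    The short timeout lets spoofed or reused addresses age out.
add chain=input in-interface-list=WAN protocol=udp connection-state=new \
    src-address-list=!udp-trusted action=add-src-to-address-list \
    address-list=udp-flood address-list-timeout=10m
# 4. The packet that triggered the listing is dropped as well.
add chain=input in-interface-list=WAN protocol=udp connection-state=new \
    action=drop
```

Any UDP service the router itself offers on the WAN side (IKEv2 on UDP 4500 in msatter's setup) needs its own accept rule above rule 3, and none of this reduces the traffic arriving on the uplink.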
 
msatter
Forum Guru
Posts: 1459
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IP streser atack prevent

Fri Mar 27, 2020 6:09 pm

Indeed, but you first have to be able to know what is real and what is not. If you can afford to drop all UDP traffic in RAW for a while, then that is the best way.

A time ago I had a slow attack on port 80 (SYNC) and it went on for a long time from server parks. I decided to look at the IP addresses and noticed that they were in ranges, so I wrote a script to have whole ranges blocked automatically depending on whether several addresses from that range connected to me.

viewtopic.php?f=2&t=152953
 
Luri
just joined
Topic Author
Posts: 7
Joined: Tue Jun 07, 2016 8:20 pm

Re: IP streser atack prevent

Fri Mar 27, 2020 10:49 pm

I'VE TRIED EVERYTHING, anybody can try it.
While the flood starts, I blocked every UDP packet, I disabled the dst IP, and still it continues.
I'm so confused.
 
msatter
Forum Guru
Posts: 1459
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IP streser atack prevent

Sat Mar 28, 2020 1:21 am

Disabling your destination IP, that is new for me. However, your ISP is still forwarding to that IP of yours, so that would also create problems.

If it is UDP and you blocked that in RAW as high as possible in your RAW lines (/ip firewall raw), then there is nothing more that you can do. Then you have to find another solution.
 
jvanhambelgium
Member Candidate
Posts: 109
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: IP streser atack prevent

Sat Mar 28, 2020 12:31 pm

You really need to talk to your UPSTREAM provider too! They still route those requests to you, so consuming bandwidth on the link.
Of course, DDoS protection through your upstream, IF they offer such a thing, is not cheap.

In the company I work for we have an Arbor-powered solution that we operate for ourselves and our customers (national ISP) and we can take a beating ;-)
