Mauhur
Topic Author
Joined: Fri Apr 22, 2022 4:22 pm

UDP Flood problem

Fri Apr 22, 2022 4:43 pm

Hello,
I have CRS109-8G-1S-2HnD-IN router and faced a problem in form of incoming UDP flood.
My firewall looks like this
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
add address=77.221.152.122 list=ddos-attackers
add address=192.168.1.60 list=ddos-targets
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos src-address=192.168.1.0/24
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=none-static chain=detect-ddos log=yes log-prefix=\
    detect-ddos
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=none-static chain=detect-ddos
add action=jump chain=forward jump-target=detect-udp-flood protocol=udp
add action=return chain=detect-udp-flood src-address=192.168.1.0/24
add action=return chain=detect-udp-flood dst-limit=\
    64,64,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=flood-targets chain=\
    detect-udp-flood
add action=add-src-to-address-list address-list=flood-attackers chain=\
    detect-udp-flood log=yes log-prefix=detect-udp-flood
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address=192.168.1.0/24
add action=accept chain=input in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" disabled=yes \
    in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" disabled=yes in-interface=\
    ether1 port=22 protocol=tcp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=2302-2306,3301-3399 in-interface=\
    ether1 protocol=udp to-addresses=192.168.1.60
add action=dst-nat chain=dstnat dst-port=2302-2306,3301-3399 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.60
add action=dst-nat chain=dstnat dst-port=3300 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.60 to-ports=3389
add action=dst-nat chain=dstnat dst-port=80,443 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.62
/ip firewall raw
add action=drop chain=prerouting src-address-list=ddos-attackers
add action=drop chain=prerouting src-address-list=flood-attackers
add action=drop chain=prerouting dst-port=3389 protocol=tcp
This configuration detects and bans huge bursts which I send from an external server via hping -2 --faster ... but currently I have one host that is just constantly sending a UDP flood from a single src port and not being banned.
ip/firewall/filter> ../connection/print
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT; d - DSTNAT
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
 #        PROTOCOL  SRC-ADDRESS            DST-ADDRESS            TCP-STATE    TIMEOUT    ORIG-RATE  REPL-RATE  ORIG-PACKETS  REPL-PACKETS      ORIG-BYTES  REPL-BYTES
46   C    udp       45.142.212.194:48620   xxx.xxx.xxx.xxx:2302                   9s         21.4Mbps   0bps        378 463 185             0  25 107 503 969           0
I suppose mikrotik treats that connection as established (stream) and just fasttracks it, but putting the established,related=>accept rule at the bottom of /ip/firewall/forward looks like a performance hit to me.
What I want to achieve is to block every UDP connection sending over N UDP packets/sec and probably blocking UDP connections without S (reply-seen) flag in connection list is also a good idea but I don't know how to do it.

And another problem is profiling output:
NAME          USAGE
ethernet      11%  
ntp           0%   
console       1%   
ssh           0.5% 
firewall      28.5%
networking    34%  
management    3%   
routing       4.5% 
profiling     2%   
bridging      1%   
unclassified  7%   
total         92.5%
Router consumes too much CPU, 92.5%. This makes me think that UDP packets are not fasttracked.

Any help is much much appreciated!
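Added illustration, not code from the post or from MikroTik: the "no reply seen" check the poster asks about, applied offline to a constructed copy of the connection-tracking listing in the post. Function names, the bits-per-second threshold (the listing reports ORIG-RATE in bps, not packets/sec) and the RFC 5737 sample addresses are my assumptions; the generated commands only feed the flood-attackers list that the poster's raw chain already drops.

```python
import re

# One row of "/ip firewall connection print" in the column layout from the post:
# index, optional flag letters, protocol, src, dst, optional tcp-state, timeout,
# orig/repl rates, then four counters whose digits are grouped by single spaces
# ("378 463 185") while columns are separated by two or more spaces (assumption).
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?:(?P<flags>[A-Za-z]+)\s+)?(?P<proto>[a-z]+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?:(?P<tcp_state>[a-z-]+)\s+)?(?P<timeout>\S+)\s+"
    r"(?P<orig_rate>\S+bps)\s+(?P<repl_rate>\S+bps)\s+(?P<counters>.+)$"
)
UNITS = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_rate(text):
    """'21.4Mbps' -> 21400000 bits per second."""
    m = re.fullmatch(r"([\d.]+)([kMG]?)bps", text)
    return int(round(float(m.group(1)) * UNITS[m.group(2)]))


def parse_connections(output):
    """Turn the printed table into dicts; Flags:/Columns:/header lines are skipped."""
    conns = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        counters = [int(c.replace(" ", "")) for c in re.split(r"\s{2,}", m["counters"].strip())]
        conns.append({"flags": m["flags"] or "", "proto": m["proto"], "src": m["src"],
                      "dst": m["dst"], "orig_rate": parse_rate(m["orig_rate"]),
                      "orig_packets": counters[0], "repl_packets": counters[1]})
    return conns


def udp_flood_suspects(conns, min_rate_bps=5_000_000):
    """UDP entries that never got a reply (no 'S' flag, repl-packets 0) yet carry a
    sustained inbound rate above the threshold: the one-sided stream the post shows."""
    return [c for c in conns if c["proto"] == "udp" and "S" not in c["flags"]
            and c["repl_packets"] == 0 and c["orig_rate"] >= min_rate_bps]


def block_commands(suspects, timeout="1d"):
    """RouterOS commands adding each source IP to the list the raw prerouting rule drops."""
    return [f"/ip firewall address-list add list=flood-attackers "
            f"address={c['src'].rsplit(':', 1)[0]} timeout={timeout}" for c in suspects]


# Constructed sample in the post's layout: a healthy game session, a TCP session,
# and a one-sided UDP stream with no replies (192.0.2.77 is a documentation address).
SAMPLE = """\
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT; d - DSTNAT
 #        PROTOCOL  SRC-ADDRESS            DST-ADDRESS            TCP-STATE    TIMEOUT    ORIG-RATE  REPL-RATE  ORIG-PACKETS  REPL-PACKETS      ORIG-BYTES  REPL-BYTES
 3   SAC  udp       198.51.100.7:2303      203.0.113.10:2302                   2m57s      64.2kbps   71.9kbps        12 431        12 388       1 244 552   1 310 004
 9   SACF tcp       198.51.100.9:51022     203.0.113.10:3300      established  23h59m58s  1.1kbps    9.6kbps            804         1 102         110 208     980 116
46   C    udp       192.0.2.77:48620       203.0.113.10:2302                   9s         21.4Mbps   0bps        378 463 185             0  25 107 503 969           0
"""

if __name__ == "__main__":
    for cmd in block_commands(udp_flood_suspects(parse_connections(SAMPLE))):
        print(cmd)
```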
