I have a CRS109-8G-1S-2HnD-IN router and faced a problem in the form of an incoming UDP flood.
My firewall looks like this:
Code:
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
add address=77.221.152.122 list=ddos-attackers
add address=192.168.1.60 list=ddos-targets
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
"drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos src-address=192.168.1.0/24
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=none-static chain=detect-ddos log=yes log-prefix=\
detect-ddos
add action=add-dst-to-address-list address-list=ddos-targets \
address-list-timeout=none-static chain=detect-ddos
add action=jump chain=forward jump-target=detect-udp-flood protocol=udp
add action=return chain=detect-udp-flood src-address=192.168.1.0/24
add action=return chain=detect-udp-flood dst-limit=\
64,64,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=flood-targets chain=\
detect-udp-flood
add action=add-src-to-address-list address-list=flood-attackers chain=\
detect-udp-flood log=yes log-prefix=detect-udp-flood
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address=192.168.1.0/24
add action=accept chain=input in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" disabled=yes \
in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" disabled=yes in-interface=\
ether1 port=22 protocol=tcp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=2302-2306,3301-3399 in-interface=\
ether1 protocol=udp to-addresses=192.168.1.60
add action=dst-nat chain=dstnat dst-port=2302-2306,3301-3399 in-interface=\
ether1 protocol=tcp to-addresses=192.168.1.60
add action=dst-nat chain=dstnat dst-port=3300 in-interface=ether1 protocol=\
tcp to-addresses=192.168.1.60 to-ports=3389
add action=dst-nat chain=dstnat dst-port=80,443 in-interface=ether1 protocol=\
tcp to-addresses=192.168.1.62
/ip firewall raw
add action=drop chain=prerouting src-address-list=ddos-attackers
add action=drop chain=prerouting src-address-list=flood-attackers
add action=drop chain=prerouting dst-port=3389 protocol=tcp
Code:
ip/firewall/filter> ../connection/print
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; s - SRCNAT; d - DSTNAT
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
# PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS ORIG-BYTES REPL-BYTES
46 C udp 45.142.212.194:48620 xxx.xxx.xxx.xxx:2302 9s 21.4Mbps 0bps 378 463 185 0 25 107 503 969 0
What I want to achieve is to block every UDP connection sending over N UDP packets/sec, and probably blocking UDP connections without the S (seen-reply) flag in the connection list is also a good idea, but I don't know how to do it.
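One way to express the per-source/destination UDP packet-rate limit described above in RouterOS, as an added example rather than the poster's own configuration: it reuses the post's interface, subnet, chain and list names, while the 64 pkt/s threshold, the burst of 64 and the 1h blacklist timeout are assumptions that must be tuned against the real packet rate of the game clients on ports 2302-2306.

```routeros
# Added example, not the poster's export. It replaces the post's
# detect-udp-flood jump and chain; interface, subnet, list and chain
# names follow the post, while the 64 pkt/s threshold, 64-packet burst
# and 1h blacklist timeout are assumptions to tune against the real
# rate of the game clients on 2302-2306.
#
# Why the order matters: a UDP flow is "established" after its first
# packet and, once fasttracked, its packets bypass the filter chains,
# so a jump placed after the fasttrack/established rules sees only the
# first packet of each flood flow. This jump must be the first rule
# in the forward chain.
/ip firewall filter
add chain=forward in-interface=ether1 protocol=udp action=jump \
    jump-target=detect-udp-flood comment="rate-check inbound UDP first"

# Never blacklist the LAN side.
add chain=detect-udp-flood src-address=192.168.1.0/24 action=return
# Per src/dst address pair: up to 64 pkt/s with a burst of 64 returns
# to the normal rules; the pair's record expires after 10s of silence.
add chain=detect-udp-flood dst-limit=64,64,src-and-dst-addresses/10s \
    action=return
# Anything above the rate: record the source (with a timeout, so a
# legitimate client that spiked is not blocked forever) and drop the
# packet itself, so the flow is never accepted or fasttracked.
add chain=detect-udp-flood action=add-src-to-address-list \
    address-list=flood-attackers address-list-timeout=1h log=yes \
    log-prefix=detect-udp-flood
add chain=detect-udp-flood action=drop

# As in the post: later packets from a listed source are discarded in
# raw/prerouting, before connection tracking, which takes them out of
# the firewall and networking load shown in the profile.
/ip firewall raw
add chain=prerouting src-address-list=flood-attackers action=drop
```

Because the drop happens inside detect-udp-flood, the 64 pkt/s figure also caps legitimate clients; check the ORIG-RATE of normal game sessions in /ip firewall connection print before choosing it.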
NAME USAGE
ethernet 11%
ntp 0%
console 1%
ssh 0.5%
firewall 28.5%
networking 34%
management 3%
routing 4.5%
profiling 2%
bridging 1%
unclassified 7%
total 92.5%
Any help is much much appreciated!