Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

DDoS story, or WARNING: use 'conection-limit' with caution!

Tue Aug 30, 2011 12:05 pm

Sunday and Monday were horrible days...

It was the first time our network became the source of a DDoS attack. Tech Support woke me up at about 13:00 - users were complaining about very slow Internet access with a high packet drop rate. Guess what I did first? Yes, after a few minutes I rebooted the router :) And guess what? After the reboot, the picture stayed the same. Even pinging the router's address (or 127.0.0.1) from the router itself was showing 200-500ms RTT with 50% of timeouts.

After about fifteen minutes of searching and trying I identified that the reason was my firewall filter rules for limiting the number of simultaneous TCP connections per user: they were showing a high rate of dropped packets, and when I disabled them, the router became stable again.

It appeared that some kind of virus or botnet on customers' computers was attacking a single IP address (some Lineage II game server) by creating a huge number of HTTP requests to the host (when I blocked any packets to that server, the filter rule was dropping about 4000 new connections per second). So, when the 'connection-limit' matcher was trying to count a user's active connections a few thousand times per second, it was killing the router completely.

On Monday, the attacked IP addresses changed, so this horror returned :) After a dozen minutes I came to this solution:
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
It dynamically creates two address lists: attackers ('ddoser') and attacked hosts ('ddosed'), and blocks packets from the former to the latter. Works like a charm =)

Hope this will help somebody to protect his routers from flooding...
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
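As an added illustration (not code from the post or from RouterOS), the following Python model plays the post's forward-chain rules against constructed traffic. It assumes that dst-limit behaves as a per-(src, dst) token bucket with 'burst' tokens refilled at 'count' per second, that a pair idle longer than the '/10s' expire is forgotten, and that re-adding an address-list entry refreshes its 10m timeout; it also covers the burst tuning (dst-limit=32,32 versus 32,256) raised later in the thread.

```python
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float   # new connections still allowed without waiting for refill
    last: float     # time of the last packet seen for this (src, dst) pair


@dataclass
class DdosFilter:
    """Model of the post's forward-chain rules (constructed, not RouterOS code)."""
    count: float = 50.0          # dst-limit count: new connections per second per pair
    burst: float = 50.0          # dst-limit burst: initial and maximum token count
    expire: float = 10.0         # the '/10s': a pair idle this long is forgotten
    list_timeout: float = 600.0  # address-list-timeout=10m
    buckets: dict = field(default_factory=dict)
    ddoser: dict = field(default_factory=dict)   # src address -> entry expiry time
    ddosed: dict = field(default_factory=dict)   # dst address -> entry expiry time
    flagged: list = field(default_factory=list)  # (time, src, dst) detections

    def _listed(self, lst, addr, now):
        exp = lst.get(addr)
        if exp is not None and exp > now:
            return True
        lst.pop(addr, None)  # dynamic entry has timed out
        return False

    def _dst_limit(self, src, dst, now):
        """True while the (src, dst) pair stays under count/s with 'burst' slack
        (assumed token-bucket semantics of the dst-limit matcher)."""
        key = (src, dst)
        b = self.buckets.get(key)
        if b is None or now - b.last >= self.expire:
            b = self.buckets[key] = Bucket(self.burst, now)
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.count)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def new_connection(self, now, src, dst):
        """Verdict ('accept' or 'drop') for one connection-state=new packet."""
        # forward rule 1: jump block-ddos; 'return' fires only while dst-limit matches,
        # otherwise both add-*-to-address-list actions run (assumed to refresh timeouts)
        if not self._dst_limit(src, dst, now):
            self.ddosed[dst] = now + self.list_timeout
            self.ddoser[src] = now + self.list_timeout
            self.flagged.append((now, src, dst))
        # forward rule 2: drop only when src is a 'ddoser' AND dst is a 'ddosed' host
        if self._listed(self.ddoser, src, now) and self._listed(self.ddosed, dst, now):
            return "drop"
        return "accept"


def connection_burst(flt, start, src, dst, n, span):
    """n new connections from src to dst spread evenly over span seconds;
    returns (accepted, dropped)."""
    verdicts = [flt.new_connection(start + i * span / n, src, dst) for i in range(n)]
    return verdicts.count("accept"), verdicts.count("drop")


def demo():
    # Constructed traffic: a page load of 40 small objects, then a bot opening
    # about 4000 new connections per second to one game server, as in the post.
    f = DdosFilter()  # dst-limit=50,50,src-and-dst-addresses/10s, lists kept 10m
    page = connection_burst(f, 0.0, "10.0.0.7", "website", 40, 0.5)
    flood = connection_burst(f, 100.0, "10.0.0.9", "game-server", 8000, 2.0)
    # Only the (ddoser, ddosed) combination is dropped: the bot still reaches
    # other hosts and other customers still reach the game server.
    bot_elsewhere = f.new_connection(103.0, "10.0.0.9", "other-host")
    other_customer = f.new_connection(103.0, "10.0.0.8", "game-server")
    bot_still_listed = f.new_connection(500.0, "10.0.0.9", "game-server")
    bot_after_timeout = f.new_connection(800.0, "10.0.0.9", "game-server")
    # Sensitivity, as discussed later in the thread: a browser retrying 200 times
    # in one second trips dst-limit=32,32 but is absorbed by dst-limit=32,256.
    strict = connection_burst(DdosFilter(count=32, burst=32), 0.0, "10.0.0.5", "web", 200, 1.0)
    lenient = connection_burst(DdosFilter(count=32, burst=256), 0.0, "10.0.0.5", "web", 200, 1.0)
    return {
        "page": page, "flood": flood, "first_flag": f.flagged[0][1:],
        "bot_elsewhere": bot_elsewhere, "other_customer": other_customer,
        "bot_still_listed": bot_still_listed, "bot_after_timeout": bot_after_timeout,
        "strict_32_32": strict, "lenient_32_256": lenient,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>18}: {v}")
```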
 
MRMISSY (newbie, Posts: 45, Joined: Sun Mar 07, 2010 3:26 pm)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Tue Aug 30, 2011 12:37 pm

That is nice,
thanks for sharing.
 
MCT (Member Candidate, Posts: 157, Joined: Wed Mar 03, 2010 5:53 pm)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Tue Aug 30, 2011 5:53 pm

+1 for a detection based solution rather than just blocking ports.
 
mh76bih (just joined, Posts: 5, Joined: Sat Dec 24, 2011 12:57 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Dec 24, 2011 1:11 am

Hi, I have the same problem, but those scripts do not help me.
All day I have a problem: from one IP there is an attack on the whole subnet, 512 IP addresses.
Any idea how to resolve this problem?
The attack is coming from port 50006, TCP protocol.
Thanks
 
MCT (Member Candidate, Posts: 157, Joined: Wed Mar 03, 2010 5:53 pm)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Dec 24, 2011 9:27 am

You shouldn't bump really old threads, it's considered bad forum etiquette.

That aside, since all of your issues are from a single address, simply create a rule to drop all traffic from that IP.

I looked up the source IP in a security database and it's a frequent offender for attacking networks. I always prefer a detection based solution but in your situation I'd block that IP at the edge of my network.
 
mh76bih (just joined, Posts: 5, Joined: Sat Dec 24, 2011 12:57 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Dec 24, 2011 9:46 am

Now it's happening again, any solutions, please?
 
MCT (Member Candidate, Posts: 157, Joined: Wed Mar 03, 2010 5:53 pm)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Dec 24, 2011 10:14 am

No one will be able to help unless you post detailed information about the traffic. The most helpful thing would be to do a packet capture of the traffic and post it.

If the attack address shifted then the alternate approach would be to create a queue rule to throttle the traffic down to a trickle. Most automated attack tools won't shift if the connections are still open.
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Dec 24, 2011 3:00 pm

Select 'Protocol' and 'Port'; there's not much info to help you. What port of 115.238.184.5 is attacked?

are you dropping invalid connections in firewall filter?
 
mh76bih (just joined, Posts: 5, Joined: Sat Dec 24, 2011 12:57 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Dec 24, 2011 7:05 pm

Protocol is TCP, source IP 115.238.184.5, source port 50006.
When that happens I have traffic on almost all public IPs in the /23 subnet, around 360 kbps per IP,
and upload on my network is 90-150 Mbps.
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Dec 24, 2011 8:27 pm

So the traffic is from 109.175.20.0/24 to 115.238.184.5:50006 - what are those addresses? Is there some service at 115.238.184.5:50006?
 
mh76bih (just joined, Posts: 5, Joined: Sat Dec 24, 2011 12:57 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sun Dec 25, 2011 1:53 am

109.175.20.0/23 is my network, the attack is coming from 115.238.184.5 port 50006, protocol TCP.
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Mon Dec 26, 2011 2:27 pm

According to your screenshot, it's your network that attacks 115.238.184.5:50006 (without any response, btw).
 
dingsingo (Member Candidate, Posts: 100, Joined: Sun Jul 24, 2005 9:47 pm, Location: Germany)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Mon Dec 26, 2011 3:25 pm

@Chupaka

++1

Thanks
 
THG (Member, Posts: 472, Joined: Thu Oct 15, 2009 1:05 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Mon Dec 26, 2011 5:53 pm

The Tech Support woke you up at 13:00, so cruel indeed! :shock:

Anyway, thanks for sharing your experience with us, Chupaka!
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Mon Dec 26, 2011 11:34 pm

> The Tech Support woke you up at 13:00, so cruel indeed! :shock:
Well, maybe a better English version would be "at 13:00 a.m." :D
 
spektrumzx (just joined, Posts: 13, Joined: Tue Nov 16, 2010 8:17 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sun Jan 22, 2012 10:53 am

I tested those settings and I get between 2000-5000 addresses in the lists as ddosed or ddoser.
I have about 600 users, all connected via PPPoE.
Is it a normal thing or is something wrong?

Thanks in advance,

 
omidkosari (Trainer, Posts: 616, Joined: Fri Sep 01, 2006 4:18 pm, Location: Iran, Karaj)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sun Jan 22, 2012 6:39 pm

Thanks for sharing your knowledge and experience.
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
spektrumzx (just joined, Posts: 13, Joined: Tue Nov 16, 2010 8:17 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Mon Jan 23, 2012 10:25 pm

I tested those settings and I get between 2000-5000 addresses in the lists as ddosed or ddoser.
I have about 600 users, all connected via PPPoE.
Is it a normal thing or is something wrong?

Thanks in advance,
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Fri Jan 27, 2012 11:55 am

> I tested those settings and I get between 2000-5000 addresses in the lists as ddosed or ddoser.
> I have about 600 users, all connected via PPPoE.
> Is it a normal thing or is something wrong?
>
> Thanks in advance,
Is everything else working normally? Are the 'ddoser's your addresses, or some Internet ones?
 
spektrumzx (just joined, Posts: 13, Joined: Tue Nov 16, 2010 8:17 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Fri Jan 27, 2012 1:58 pm

> > I tested those settings and I get between 2000-5000 addresses in the lists as ddosed or ddoser.
> > I have about 600 users, all connected via PPPoE.
> > Is it a normal thing or is something wrong?
> >
> > Thanks in advance,
> Is everything else working normally? Are the 'ddoser's your addresses, or some Internet ones?
I hope that I have good feedback, so everything else looks fine. Right now I have about 540 PPPoE connections and 1600 ddosers in the list, all some Internet addresses except two of them that are mine.
Also I have a rule before this one which limits the number of TCP connections to 150 per user.
 
guilhermeramires (Trainer, Posts: 56, Joined: Fri Jan 22, 2010 9:06 pm)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Tue Apr 24, 2012 7:54 pm

> I tested those settings and I get between 2000-5000 addresses in the lists as ddosed or ddoser.
> I have about 600 users, all connected via PPPoE.
> Is it a normal thing or is something wrong?
>
> Thanks in advance,
Probably you have some NAT masquerade rules in the LAN, so all IP addresses come from only one NATted host. The solution is to
route your LAN and remove the NAT rules, ok?

Regards.
Mikrotik Training Partner
MPLS for the Masses
 
angboontiong (Forum Guru, Posts: 1115, Joined: Fri Jan 16, 2009 9:59 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Fri Jun 22, 2012 3:28 pm

Dear Chupaka...
This cannot be put on the wireless link which is before the EoIP...

Otherwise it will drop the EoIP connection, as we found today...
It seems we should put another access rule in front of this one to allow the peer EoIP IP address to skip this check...
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Fri Jun 22, 2012 10:54 pm

> It seems we should put another access rule in front of this one to allow the peer EoIP IP address to skip this check...
Yep, check this: http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking
There I added a note about exceptions.
 
Dobby (Member, Posts: 400, Joined: Wed Jan 11, 2012 12:07 am, Location: Hogwarts)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Jun 23, 2012 12:26 am

Deleted because not related.
Last edited by Dobby on Mon Mar 11, 2013 3:34 am, edited 2 times in total.
 
spire2z (Long time Member, Posts: 517, Joined: Mon Feb 14, 2005 2:48 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Jun 23, 2012 5:03 am

One way to not be woken by tech support is to never sleep!
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Jun 23, 2012 2:37 pm

Dobby, the rules above will not match the behaviour you described. Actually, they detect DoS, so each game server will be examined separately. Moreover, a game server won't generate dozens of packets on initial connection :)
 
Dobby (Member, Posts: 400, Joined: Wed Jan 11, 2012 12:07 am, Location: Hogwarts)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Jun 23, 2012 3:18 pm

Deleted because not related.
Last edited by Dobby on Mon Mar 11, 2013 3:35 am, edited 2 times in total.
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Jun 23, 2012 7:49 pm

Thanks for sharing your concern, but in my example I use the 'forward' chain - there all addresses are already de-NATted, and the router knows which client should receive the packet - there's no 'address of the router' anymore.

The main problem I faced is 'bad' websites which block HTTP keep-alive connections, so for opening one page with many small pictures a user creates about 30-60 TCP connections... but blocking such sites should be avoided by using 'burst' in the 'dst-limit' matcher.

p.s. No, at the endpoint we use customers' PCs - we are an Ethernet provider :)
 
Kiken (newbie, Posts: 28, Joined: Mon Jul 30, 2012 10:11 pm)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Fri Aug 10, 2012 4:59 pm

Hi man, I've just added this rule to my MK router:

/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos

and it's showing as invalid, any ideas on what could be wrong??
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Mon Aug 13, 2012 3:53 pm

It's because your 'block-ddos' chain is empty. Add the other rules - and everything will be okay.
 
daived (just joined, Posts: 9, Joined: Fri Apr 05, 2013 2:51 pm)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Mon Jan 13, 2014 12:46 am

Hi, sorry for this post, the topic is very old, but:
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m disabled=yes
What will the router write in this list? My local IP which is ddosed now? If I currently have only one active IP, do I need this rule?
So for me it works like this: 'ddoser' addresses are blocked from the 'ddosed' IP; this is needed only if I have many IPs, but what if I have only one?
Thanks!
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Mon Jan 13, 2014 3:07 am

daived, if you re-read the first post, you can see that 'ddosed' addresses can be not only your local users, but also remote hosts (when some botnet is running on your customers' PCs). Also, the router's own addresses won't be detected, as that traffic is in the 'input' chain of the firewall, and my rules catch 'forward' traffic.
 
NumLock (Frequent Visitor, Posts: 66, Joined: Mon Jun 16, 2008 3:38 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Feb 19, 2014 3:28 pm

This helps a lot to prevent attackers from eating my bandwidth; the first attack was 100 Mbps on ICMP and UDP (17) and hung my MK.
The rule works properly, but a few hours after deploying it customers were unable to browse or access the Internet. I just added in-interface=ether1 (my ether1 is the WAN interface) and the problem was solved. My question is:

Is it right to add the input interface?
Here is my complete rule:

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new \
disabled=no jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new \
disabled=no dst-address-list=ddosed in-interface=ether1 src-address-list=\
ddoser
Last edited by NumLock on Wed Feb 19, 2014 9:25 pm, edited 1 time in total.
 
plisken (Forum Guru, Posts: 2425, Joined: Sun May 15, 2011 12:24 am, Location: Belgium)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Feb 19, 2014 6:46 pm

Thanks Chupaka, it is a useful solution.
Karma +1
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Feb 19, 2014 9:57 pm

NumLock, you'd better add the in-interface= matcher to the first rule. In your implementation, it blocks only incoming packets, but detects (D)DoS in both directions - probably unnecessary additional work.
 
NumLock (Frequent Visitor, Posts: 66, Joined: Mon Jun 16, 2008 3:38 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Feb 19, 2014 10:19 pm

Like this?

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new \
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new \
disabled=no dst-address-list=ddosed in-interface=ether1 src-address-list=\
ddoser
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Feb 19, 2014 10:26 pm

Yep, and remove in-interface=ether1 from the last rule.
 
NumLock (Frequent Visitor, Posts: 66, Joined: Mon Jun 16, 2008 3:38 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Fri Feb 21, 2014 5:46 pm

Thanks, this helps a lot. Over 20,000 IPs have been banned. The last configuration works so far, so good:

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new \
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new \
disabled=no dst-address-list=ddosed src-address-list=ddoser
 
NumLock (Frequent Visitor, Posts: 66, Joined: Mon Jun 16, 2008 3:38 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Tue Feb 25, 2014 6:55 pm

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new \
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no \
dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos comment=DOS-Exceptions disabled=no \
src-address-list=DOS-Exceptions
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new \
disabled=no dst-address-list=ddosed src-address-list=ddoser

With this rule (the DOS-Exceptions return rule) can I make exceptions?
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Feb 26, 2014 3:15 pm

Yes, but you'd better place it as the second rule, not the third, so that the router doesn't need to check limits for traffic that will never be added as a 'ddoser' :)
 
NumLock (Frequent Visitor, Posts: 66, Joined: Mon Jun 16, 2008 3:38 am)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Feb 26, 2014 3:31 pm

Is there a way to make the rule less sensitive? Yesterday I was browsing on my web server and my Firefox hung and retried too many times, and I was flagged as a ddoser.

Thanks!
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Feb 26, 2014 4:04 pm

dst-limit=32,32 is what you're looking for. Try changing it to dst-limit=32,256 for a higher burst.
 
dorijan (Member Candidate, Posts: 244, Joined: Fri Jun 04, 2004 12:42 am, Location: Croatia)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Sat Mar 29, 2014 4:39 pm

Sorry to hijack your post, can you give us some details about the size of that attack (bandwidth) and what router(s) did you have? PC or appliance...
Thank you...
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Apr 02, 2014 5:55 pm

PC routers, different attacks - sometimes up to 200 Mbps is blocked from customers to the Internet :)
 
juanvi (Member Candidate, Posts: 164, Joined: Mon May 05, 2014 6:55 pm, Location: SPAIN)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Tue Jun 24, 2014 3:05 pm

Is this suitable for the INPUT chain? Does it make sense? I think the router can be the objective too.
¡vʞvdnX puv ···SOɹǝʇnoɹ ʞıʇoɹʞıW oʇ sʞuvHʇ
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Wed Jun 25, 2014 11:43 am

If you block forwarded traffic - you stop its propagation across the router.

If you block input - the traffic is already here, it won't go further, so you don't decrease network load :)

That's why you simply need to protect the router from access by unauthorized users (by means of a management subnet or something).
 
juanvi (Member Candidate, Posts: 164, Joined: Mon May 05, 2014 6:55 pm, Location: SPAIN)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Thu Jun 26, 2014 4:53 pm

But your rules are blocking the TCP SYN flood attacks to the router too if the input chain is the objective???
> If you block forwarded traffic - you stop its propagation across the router.
>
> If you block input - the traffic is already here, it won't go further, so you don't decrease network load :)
>
> That's why you simply need to protect the router from access by unauthorized users (by means of a management subnet or something).
 
Chupaka (Forum Guru, Topic Author, Posts: 8318, Joined: Mon Jun 19, 2006 11:15 pm, Location: Minsk, Belarus)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Thu Jun 26, 2014 7:00 pm

Kind of. But for the router itself I'd rather have much stricter rules. And enable TCP SYN cookies :)
 
dadaniel (Member Candidate, Posts: 158, Joined: Fri May 14, 2010 11:51 pm)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Fri Jun 27, 2014 10:54 am

Is it somehow possible to make these rules more efficient? Currently every new connection is counted, jumped into a new chain and there counted again, and if below the threshold returned to the forward chain...
 
juanvi (Member Candidate, Posts: 164, Joined: Mon May 05, 2014 6:55 pm, Location: SPAIN)

Re: DDoS story, or WARNING: use 'conection-limit' with cauti

Fri Jun 27, 2014 11:17 am

I've tried with SYN cookies enabled, attacking a Basebox2 directly with a TCP SYN flood attack, and the results in CPU resources were 10-15% higher compared with this rule without SYN cookies. I'll block the same attack, saving that amount of CPU:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no
At this point I have that previous rule, yours, and limiting the connections per user, twice.
It seems excessive. Can you tune up my setup? Have in mind this is a hotspot and must be secure for the use it is intended for. We don't want massive connections from an IP and want maximal security from attacks to and through the router. We have seen this hardware with CPU +90% without users and only with a SYN flood attack.

Thanks in advance for your replies master. You are being very helpful for us.
[juanvi@HotSpot1] /ip firewall> export
# jun/27/2014 08:05:59 by RouterOS 6.15
# software id = EJJG-9K3N
#
/ip firewall filter
add action=jump chain=input comment=\
    "SYN Flood protect - http://wiki.mikrotik.com/wiki/DoS_attack_protection" \
    connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=\
    syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=\
    syn
add action=jump chain=input comment="CONTROL BIDIRECCIONAL DE SOLICITUDES MASIVA\
    S - DDOS http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking - http://\
    forum.mikrotik.com/viewtopic.php\?f=2&t=54607" connection-state=new \
    jump-target=block-ddos-input
add action=return chain=block-ddos-input dst-limit=\
    50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed-input \
    address-list-timeout=10m chain=block-ddos-input
add action=add-src-to-address-list address-list=ddoser-input \
    address-list-timeout=10m chain=block-ddos-input
# fixed: chain=block-ddos-input fills the *-input lists, so this rule must match those
add action=drop chain=input connection-state=new dst-address-list=ddosed-input \
    src-address-list=ddoser-input
add action=jump chain=forward comment="CONTROL BIDIRECCIONAL DE SOLICITUDES MASI\
    VAS - DDOS http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking - http:\
    //forum.mikrotik.com/viewtopic.php\?f=2&t=54607" connection-state=new \
    jump-target=block-ddos
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m \
    chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m \
    chain=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input comment=\
    "LIMITE DE CONEXIONES POR IP - DDOS" connection-limit=75,32 protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
    src-address-list=blocked-addr
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=forward comment=\
    "LIMITE DE CONEXIONES POR IP - DDOS" connection-limit=75,32 protocol=tcp
add action=tarpit chain=forward connection-limit=3,32 protocol=tcp \
    src-address-list=blocked-addr
add chain=input comment="GENERAL - PERMITE CONEXIONES ESTABLECIDAS" \
    connection-state=established
add chain=input comment="PERMITE CONEXIONES RELACIONADAS" connection-state=\
    related
add action=drop chain=input comment="DROP CONEXIONES INVALIDAS" \
    connection-state=invalid
add chain=forward comment="GENERAL - PERMITE CONEXIONES ESTABLECIDAS" \
    connection-state=established
add chain=forward comment="PERMITE CONEXIONES RELACIONADAS" connection-state=\
    related
add action=drop chain=forward comment="DROP CONEXIONES INVALIDAS" \
    connection-state=invalid
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24 to-addresses=0.0.0.0
 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Jun 27, 2014 11:45 am

juanvi, do you really need 'connection-limit' in that case? I don't think the limit of 75 connections is actually doing something valuable...
 
tombee79
Member Candidate
Posts: 247
Joined: Sun May 09, 2010 2:28 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Jul 23, 2014 6:17 am

Hi Chupaka,

According to your 1st post: will all people that use more than, e.g., 50 connections with a web browser or torrent client get blocked for 10 minutes, inside or outside my NATed LAN?

Pls confirm.

Thx
 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Jul 24, 2014 1:40 pm

Not 50 connections, but 50 connections per second, and only the exceeding connections will be blocked, but you can modify a rule to block all packets from the flooding source.
 
omidkosari
Trainer
Posts: 616
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran, Karaj

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Jul 24, 2014 2:08 pm

Note: At least up to version 5.6, 'dst-limit' matcher has two bugs:

'Expire' value is 10 times lower than you set; so '10s' is actually 1 second
'dst-limit' matches first 'Burst' packets (as it should be) plus one, and then skips packets for the first second; so if you have Rate set to 32 and Burst set to 0, and you start to flood packets, the rule will match 1 packet, and on 2nd packet it won't match until 1sec passes - that's why you need 'Burst' value at least as high as 'Rate' value
Was the first bug solved in v5.26?
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Aug 20, 2014 4:12 pm

Was the first bug solved in v5.26?
Sorry for the long delay.

Nope, v6.18 (x86), the bug is still here.

Also, when WinBox shows this:
dst-limit.gif
(which means '30s' in Terminal and is actually 3s in reality), one can look at it as 3000 ms (ignoring the point), which is the truth.
 
internetolog
just joined
Posts: 5
Joined: Wed Jan 31, 2007 5:40 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Nov 09, 2014 2:48 pm

These rules leave too many TCP connections established, counting down.
If I use reject instead of drop, does it solve this problem?
 
SystemErrorMessage
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Nov 09, 2014 3:59 pm

Instead of dropping, would tarpit work better in reducing the CPU and bandwidth used for preventing DoS? I constantly get bombarded by adware botnets trying to route through my router, but I find using tarpit frees up a lot of bandwidth and CPU.

Also I noticed that you can't set a rate limit in RouterOS, because then anything more than the rate limit would pass through.
 
otgooneo
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Dec 10, 2014 8:10 pm

Thanks Chupaka.
Did you try this rule on higher than v6? Is the bug you introduced in the wiki fixed?
Note: At least up to version 5.6, 'dst-limit' matcher has two bugs:
'Expire' value is 10 times lower than you set; so '10s' is actually 1 second
'dst-limit' matches first 'Burst' packets (as it should be) plus one, and then skips packets for the first second; so if you have Rate set to 32 and Burst set to 0, and you start to flood packets, the rule will match 1 packet, and on 2nd packet it won't match until 1sec passes - that's why you need 'Burst' value at least as high as 'Rate' value
----------------------------
Want to learn more and more...
 
omidkosari
Trainer
Posts: 616
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran, Karaj

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sat Jan 10, 2015 12:03 pm

Is it a good idea to have the following rules in addition to action=drop?

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=ddosed new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser

/ip route
add distance=1 routing-mark=ddoser-route-mark type=blackhole

 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sat Jan 10, 2015 12:20 pm

hm-m-m... the idea is interesting, but I'm not sure about the packet flow with such a route :) if the packet won't go to firewall filter after that, then it's a good addition. Did you check the behaviour?
 
omidkosari
Trainer
Posts: 616
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran, Karaj

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sat Jan 10, 2015 1:10 pm

Yes, I checked it.
When I add these new rules, packets don't go to the firewall filters and the drop rule does not count anymore. But I want to know which one is better?
 
omidkosari
Trainer
Posts: 616
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran, Karaj

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Tue Jan 27, 2015 8:41 am

Have you checked these rules in a BGP router? I have a scenario in which tx goes through ether1 and rx comes from different gre/eoip tunnels.

It seems the router gets confused and blocks popular websites.

Note: I just want to block DDoS TO my customers.

As you can see I have used "connection-state=new in-interface=gre1", and normally websites don't create 8~16 NEW connections to my customers, so I think the router could not correctly understand related or established connections and thinks they are new.

I have also tested dst-limit=8,16,src-and-dst-addresses/10s but no difference.
/ip firewall filter
add action=jump chain=forward connection-state=new dst-address-list=customers in-interface=gre1 jump-target=detect-ddos-customers
add action=jump chain=forward connection-state=new dst-address-list=customers in-interface=gre2 jump-target=detect-ddos-customers
add action=jump chain=forward connection-state=new dst-address-list=customers in-interface=eoip1 jump-target=detect-ddos-customers
	
add action=jump chain=detect-ddos-customers connection-state=new dst-address-list=customers jump-target=attack-tcp-src-80 protocol=tcp src-port=80
add action=return chain=attack-tcp-src-80 connection-state=new dst-address-list=customers dst-limit=8,16,dst-address/10s protocol=tcp src-port=80
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=attack-tcp-src-80 connection-state=new dst-address-list=customers protocol=tcp src-port=80
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=attack-tcp-src-80 connection-state=new dst-address-list=customers protocol=tcp src-port=80

add action=jump chain=detect-ddos-customers connection-state=new dst-address-list=customers jump-target=attack-udp-src-80 protocol=udp src-port=80
add action=return chain=attack-udp-src-80 connection-state=new dst-address-list=customers dst-limit=8,16,src-address/10s protocol=udp src-port=80
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=attack-udp-src-80 connection-state=new dst-address-list=customers protocol=udp src-port=80
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=attack-udp-src-80 connection-state=new dst-address-list=customers protocol=udp src-port=80
 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Feb 04, 2015 12:04 pm

sorry for the long delay

I think routing to blackhole is better just because it drops packets earlier (on the routing decision step), without checking filter rules. Anyway, you still need filter rules for the first packet, which is detected after 'prerouting', and for dst-natted packets if any.

on production routers (v6.7-6.10) we're currently using something like "dst-limit=16,96,src-and-dst-addresses/1m40s" - no complaints from customers so far, and gigabytes of dropped traffic :)
 
phendry
Member Candidate
Posts: 258
Joined: Fri May 28, 2004 4:42 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Apr 02, 2015 6:38 am

we're currently using something like "dst-limit=16,96,src-and-dst-addresses/1m40s" - no complaints from customers so far, and gigabytes of dropped traffic :)
Hi Chupaka. This limit seems really low to me. Surely if you had asymmetric routing on your network it would only take 2 VoIP calls from a single customer site to exceed this limit?
 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Apr 02, 2015 2:41 pm

Hi Chupaka. This limit seems really low to me. Surely if you had asymmetric routing on your network it would only take 2 VoIP calls from a single customer site to exceed this limit?
I put those rules on access routers, so there's no asymmetric routing

and yes, in case of asymmetric routing, if router sees constant UDP stream without replies - it looks suspicious anyway ;)
 
phendry
Member Candidate
Posts: 258
Joined: Fri May 28, 2004 4:42 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Apr 02, 2015 3:12 pm

DDoS prevention is needed at eBGP peering points to stop the flood hitting your infrastructure. Assuming you have multiple BGP peers in physically different locations it is very likely you'll get asymmetric routing. Nothing suspicious about that.
 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Apr 02, 2015 5:51 pm

Okay, that again confirms that one should not blindly copy any configs found on the Internet, as many things depend on the topology :)
 
dfariazo
just joined
Posts: 2
Joined: Tue Dec 09, 2014 5:15 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Apr 15, 2015 1:51 am

What do you think about this: http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking? They redirect to this post but are different.
 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Apr 16, 2015 5:34 pm

What do you think about this: http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking? They redirect to this post but are different.
As you can see in the page history, it was me who created and edited that article :)
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Apr 30, 2015 11:30 pm

What do you think about this: http://wiki.mikrotik.com/wiki/DDoS_Dete ... d_Blocking? They redirect to this post but are different.
As you can see in the page history, it was me who created and edited that article :)
If you want, add this to your article:

ADD ONE HONEYPOT IP, like what I do with Spamhaus with one real mail address, but any mail sent to that address causes the sender's IP to go directly on the blacklist...... ;P

Any external IP trying to contact the non-active public IP goes directly to the SCANNER address list, and every packet coming from the SCANNER address list is dropped, except TCP, which is tarpitted ;)

@SCANNER = address list of potential DDoS or DoS or SCANNER / SPAMMER

1.2.3.4 = One of YOUR REAL SURELY UNUSED IP ADDRESS
ether1 = your INTERNET interface
safe_address_list = IP whitelist containing all your subnet and IP of secure services

/ip firewall filter
add action=add-src-to-address-list address-list=@SCANNER chain=forward comment=HONEYPOT dst-address=1.2.3.4 in-interface=ether1 src-address-list=!safe_address_list
add action=tarpit chain=forward in-interface=ether1 protocol=tcp src-address-list=@SCANNER
add action=drop chain=forward in-interface=ether1 protocol=!tcp src-address-list=@SCANNER
I'm Italian, not English. Sorry for my imperfect grammar.
 
netwpl
newbie
Posts: 26
Joined: Fri Jun 22, 2012 8:09 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Jul 23, 2015 10:13 pm

I've set up this DDoS scenario to protect our internet upstreams.

I've used 2 physical interfaces:

eth1 connected to our upstream provider
eth2 connected to our network device

bridge1 with eth1 and eth2 so that the traffic can flow transparently through the CCR and the BGP session between our upstream provider and our network device gets established.

Everything seems to work fine, except 1 customer is complaining about his IPSec tunnel.

- Customer has a site-to-site VPN tunnel between two Checkpoint gateways that are managed by two different management stations.
- VPN is supposed to be certificate based but it was failing, so the customer changed the VPN to preshared secret and it is working now.
- When converted back to certificate-based VPN, the VPN tunnel again failed during Phase 1.
- VPN tunnel is between the SIDE1 and SIDE2 sites.
- IKE Phase 1 is initiated by the SIDE1 side. <-- from outside our network
- On the SIDE1 side in the ike.elg file we are able to see the first 5 packets of IKE Phase 1, and packet 6 is not received from SIDE2
- On SIDE2 in the ike.elg file we see all 6 packets of Phase 1 and it's trying to initiate Phase 2.
- Using tcpdump captures our findings are as follows:


Could the DDoS protection be the cause that the customer can't initialize his IPSec tunnel anymore, or could it be an MTU size problem with the CCR?

 9    ;;; jump-2-forward-queue!
      chain=forward action=jump jump-target=detect-ddos connection-state=new in-interface=DDos-bridge log=no log-prefix="" 

10    ;;; !!!!!! detect ddos aufgrund der Anzahl der connections
      chain=detect-ddos action=return dst-limit=64,128,src-and-dst-addresses/11s log=no log-prefix="" 

11    ;;; not_our-networks-BASIS-add.-LIST
      chain=detect-ddos action=return dst-address-list=!LIST log=no log-prefix="" 

12    chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m log=no log-prefix="" 

13    ;;; ddoser_vergangenheit
      chain=detect-ddos action=add-src-to-address-list address-list=ddoser_vergangenheit address-list-timeout=0s log=no log-prefix="" 

14    chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m log=no log-prefix="" 

15    ;;; ddosed_vergangenheit
      chain=detect-ddos action=add-dst-to-address-list address-list=ddosed_vergangenheit address-list-timeout=0s log=no log-prefix="" 

16 X  ;;; drop DDOSER und DDOSED hosts - REMINDER ev. TARPIT?
      chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix="" 


 
miq
Frequent Visitor
Posts: 63
Joined: Fri Nov 06, 2009 3:18 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Mon Oct 31, 2016 11:41 pm

@Chupaka, maybe it's a good idea to move the rule:
/ip firewall filter
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
before the jump action? When this rule is at the end, all packets go through all the anti-ddos chains even if ddoser and ddosed are already on the proper lists.
 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Tue Nov 01, 2016 2:21 am

But in that case the 'dst-limit' matcher's tables won't be refreshed by packets from currently active 'ddos flows', so when the address list entry times out, it will take another 'full detection cycle' to add them back. Yes, that's a theoretical difference, and I don't know the exact practical impact of it, but I was thinking about this case while developing the rule set, and still did what you see in my post :)
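The ordering question above (drop rule before or after the jump) and the per-pair 'dst-limit' behaviour discussed earlier in the thread, as an added simulation; this is not RouterOS code and not from any poster. It assumes dst-limit behaves like a classic token bucket keyed on (src, dst) with `rate` tokens per second, capacity `burst` and an idle `expire`, assumes that re-adding an address already on a list resets its timeout, and runs constructed traffic (a bot at 4000 new connections per second, the figure from the first post, plus one normal client) with the list timeout shortened from 10m to 2s so the expiry cycle is visible.

```python
from dataclasses import dataclass

US = 1_000_000  # timestamps are integer microseconds, so list expiry compares exactly


@dataclass
class Bucket:
    tokens: float
    last: int


class DdosFilter:
    """The five-rule set from the first post, applied to connection-state=new packets."""

    def __init__(self, rate=50, burst=50, expire_s=10, list_timeout_s=600,
                 drop_first=False):
        self.rate_per_us = rate / US        # dst-limit 'rate' (per second)
        self.burst = burst                  # dst-limit 'burst'
        self.expire = expire_s * US         # dst-limit 'expire' (the /10s part)
        self.timeout = list_timeout_s * US  # address-list-timeout
        self.drop_first = drop_first        # True = miq's proposed order
        self.buckets = {}                   # (src, dst) -> Bucket
        self.ddoser = {}                    # src -> expiry time
        self.ddosed = {}                    # dst -> expiry time
        self.accepted = 0
        self.dropped = 0

    def _listed(self, src, dst, now):
        """The drop rule: src on 'ddoser' AND dst on 'ddosed', both unexpired."""
        return self.ddoser.get(src, -1) > now and self.ddosed.get(dst, -1) > now

    def _within_limit(self, src, dst, now):
        """dst-limit=rate,burst,src-and-dst-addresses/expire modelled as a token
        bucket (assumption: entry discarded after 'expire' of idle time)."""
        key = (src, dst)
        b = self.buckets.get(key)
        if b is None or now - b.last > self.expire:
            b = Bucket(float(self.burst), now)  # a new pair starts with a full burst
            self.buckets[key] = b
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate_per_us)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False

    def _block_ddos(self, src, dst, now):
        """chain=block-ddos: return while within limit, otherwise list both ends."""
        if self._within_limit(src, dst, now):
            return
        self.ddosed[dst] = now + self.timeout   # add-dst-to-address-list
        self.ddoser[src] = now + self.timeout   # add-src-to-address-list (assumed to reset timeout)

    def new_connection(self, src, dst, now):
        """Walk one new-connection packet through chain=forward; True = accepted."""
        if self.drop_first:
            if self._listed(src, dst, now):      # drop rule placed before the jump
                self.dropped += 1
                return False
            self._block_ddos(src, dst, now)      # bucket only ever sees unlisted pairs
            self.accepted += 1
            return True
        self._block_ddos(src, dst, now)          # original: jump first, every packet refreshes the bucket
        if self._listed(src, dst, now):          # then the drop rule
            self.dropped += 1
            return False
        self.accepted += 1
        return True


def simulate(drop_first, seconds=5, list_timeout_s=2):
    """Constructed traffic: bot 10.0.0.5 -> 203.0.113.10 at 4000 new conn/s and a
    normal client 10.0.0.7 -> the same server at 5 conn/s. Returns per-source counts."""
    f = DdosFilter(list_timeout_s=list_timeout_s, drop_first=drop_first)
    events = [(k * 250, "10.0.0.5", "203.0.113.10") for k in range(4000 * seconds)]
    events += [(k * 200_000, "10.0.0.7", "203.0.113.10") for k in range(5 * seconds)]
    events.sort()
    counts = {"bot_accepted": 0, "client_accepted": 0}
    for now, src, dst in events:
        if f.new_connection(src, dst, now):
            counts["bot_accepted" if src == "10.0.0.5" else "client_accepted"] += 1
    counts["dropped"] = f.dropped
    return counts


if __name__ == "__main__":
    print("original order:  ", simulate(drop_first=False))
    print("drop before jump:", simulate(drop_first=True))
```

Under these assumptions the original order lets through only the first 50 bot connections and then keeps the pair listed for as long as the flood lasts, while with the drop rule first another 51 connections leak through each time the list entry expires, which is the 'full detection cycle' described above; the client that shares the attacked destination is never dropped, because the drop rule needs both ends listed.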
 
miq
Frequent Visitor
Posts: 63
Joined: Fri Nov 06, 2009 3:18 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Tue Nov 01, 2016 1:50 pm

I'm trying to look closer at these rules, because I have a problem with massive DoS (shitty IoT) from my clients. And sometimes my CCR1036-8G-2S+ dies (I wrote about this in this topic: http://forum.mikrotik.com/viewtopic.php ... 7&p=565972). And I think it may be a problem when a really large number of connections from the network (before queue, so it's really fast) go to your router.

I will try to move this rule to the beginning of the anti-DoS chains and try my theory, because I already have no idea what is wrong :/.
 
alexvicol
just joined
Posts: 5
Joined: Thu Nov 03, 2016 8:32 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Nov 03, 2016 10:54 pm

Hi,
I have:
 1   chain=forward action=jump jump-target=detect-ddos connection-state=new log=no log-prefix=""
 2   chain=detect-ddos action=return src-address-list=exceptions log=no log-prefix=""
 3   chain=detect-ddos action=return dst-limit=32,32,src-and-dst-addresses/10s log=no log-prefix=""
 4   chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m log=no log-prefix=""
 5   chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m log=no log-prefix=""
 6   chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix=""
Where the exceptions list contains 3 IPs with DNS servers, but still those 3 IPs get added to the ddosed list and my server IPs to the ddoser list.
The counter for that exception rule is 0; this means it doesn't get hit.
What's wrong in these rules?
 
miq
Frequent Visitor
Posts: 63
Joined: Fri Nov 06, 2009 3:18 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Nov 04, 2016 11:24 am

If you are trying to connect to DNS servers you should use dst-address-list in rule #2.
 
alexvicol
just joined
Posts: 5
Joined: Thu Nov 03, 2016 8:32 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Nov 04, 2016 11:41 am

Hi,
Already tried that.
Same thing:
1    chain=forward action=jump jump-target=detect-ddos connection-state=new log=no log-prefix=""
2    chain=detect-ddos action=return dst-address-list=exceptions log=no log-prefix=""
3    chain=detect-ddos action=return dst-limit=32,32,src-and-dst-addresses/10s log=no log-prefix=""
4    chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m log=no log-prefix=""
5    chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m log=no log-prefix=""
6    chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix=""
 
 
miq
Frequent Visitor
Posts: 63
Joined: Fri Nov 06, 2009 3:18 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Nov 04, 2016 12:10 pm

I don't know why this doesn't work. I set exceptions on my router and it works perfectly. You should try using torch to check the src and dst address, maybe it's different than you expect. And check your firewall rules, maybe these addresses are returned from forward before the detect-ddos chain.
 
alexvicol
just joined
Posts: 5
Joined: Thu Nov 03, 2016 8:32 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Nov 04, 2016 1:34 pm

In torch, if I run with the IP of the DNS in src. address it displays the traffic.
I have no other firewall rules, just these ones.
How can I check if the addresses are returned from forward before the detect-ddos chain?
 
miq
Frequent Visitor
Posts: 63
Joined: Fri Nov 06, 2009 3:18 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Nov 04, 2016 2:11 pm

It's a good idea to add a log action in the desired place.
 
SKYNET360
just joined
Posts: 9
Joined: Wed Oct 05, 2016 7:34 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Nov 30, 2016 7:16 pm

Chupaka

Can you post the correct edited config? I lost you guys.

Thanks
 
Chupaka
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Dec 01, 2016 3:29 pm

the correct edited config? I lost you guys.
Correct? What's incorrect in the posts above?..
 
SKYNET360
just joined
Posts: 9
Joined: Wed Oct 05, 2016 7:34 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Dec 01, 2016 7:11 pm

I want to build a super powerful router that can handle 30 Gig of DDoS attack using firewall rules without any problems. What do you guys recommend?
 
SKYNET360
just joined
Posts: 9
Joined: Wed Oct 05, 2016 7:34 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Dec 01, 2016 7:12 pm

the correct edited config? I lost you guys.
Correct? What's incorrect in the posts above?..

I found it, thanks
 
SKYNET360
just joined
Posts: 9
Joined: Wed Oct 05, 2016 7:34 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Dec 02, 2016 9:30 pm

Need a little help with this rule

/ip firewall filter
add action=return chain=detect-ddos comment=DOS-Exceptions disabled=no \
src-address-list=DOS-Exceptions

I have this rule as 2nd

with DOS-Exceptions containing
8.8.8.8 and other known IPs that I need to make sure don't get hit with the ddos rule.
 
SKYNET360
just joined
Posts: 9
Joined: Wed Oct 05, 2016 7:34 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Dec 02, 2016 9:31 pm

Need a little help with this rule:

/ip firewall filter
add action=return chain=detect-ddos comment=DOS-Exceptions disabled=no \
src-address-list=DOS-Exceptions

I have this rule as the 2nd one,

with DOS-Exceptions containing
8.8.8.8 and other known IPs that I need to make sure don't get hit by the DDoS rule.
IP 8.8.8.8 still gets hit as ddosed.
 
User avatar
Murmaider
Member Candidate
Member Candidate
Posts: 121
Joined: Fri Oct 30, 2015 10:10 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sat Dec 03, 2016 6:40 am

I want to build a super powerful router that can handle a 30 Gig DDoS attack using firewall rules without any problems. What do you guys recommend?
You won't stop a 30 Gb/sec DDoS with firewall rules. Firewalls are an access control technology designed to secure against unauthorized entry or to limit/restrict the flow of traffic.

Firewall rules themselves are actually very inefficient in any large DDoS attack. In a large attack you will easily exhaust your connection state table in a few seconds and you will start dropping packets. Firewall rules also have a massive impact on packets-per-second through a router, as every single packet has to be inspected.

In order for the firewall to inspect traffic (and traffic based on state), it needs to accept the traffic on the router's incoming interface in order to make a decision (drop, forward, etc.). Even if you have a drop rule, the traffic is still "accepted" on the interface, inspected and then dropped.

While this prevents the DDoS traffic from leaving your router on the outgoing interface, your router still has to do the job of accepting the traffic and inspecting it against the hierarchy of firewall rules.

You are better off using RP filter (loose) and source-based blackholes for DDoS filtering. This is by far more efficient and can actually reduce the incoming traffic on the router's interface, as well as the CPU usage on the router during the attack.

I did a post on this here - http://forum.mikrotik.com/viewtopic.php?t=114664
In the YouTube video you can see what I am referring to above, with the traffic still hitting the incoming interface when the firewall drop rule is used. You will see how the traffic drops off when I use the source-based blackhole and how the CPU usage goes down to 0%.

If you want to automate this DDoS protection then look at Wanguard to detect DDoS traffic and push the source-based blackholes via BGP to your MikroTik (which must have RP filter set to loose), or use it to trigger a GRE tunnel to a DDoS cloud provider.
 
User avatar
zipvault
Member Candidate
Member Candidate
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sat Dec 24, 2016 8:38 pm

Chupaka, I just saw a YouTube video of you hitting 600 Mb on a speed test on MikroTik.

Nice.

How can I do this? :)
ZipVault
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Mon Dec 26, 2016 2:19 am

youtube video of me?.. where? :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
zipvault
Member Candidate
Member Candidate
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Dec 29, 2016 12:05 pm

Has anyone seen Cloudflare?

They specialise in DDoS protection.

Looks like a good service; they boast stopping a 600 Gbps attack.

How can I build something like this for myself at that scale with MikroTik?
ZipVault
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24262
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Dec 29, 2016 12:07 pm

This is like saying "I saw youtube.com and it looks interesting. How can I build a webpage like that at home"
No answer to your question? How to write posts
 
User avatar
zipvault
Member Candidate
Member Candidate
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Dec 29, 2016 12:26 pm

You're funny, normis, you make me laugh. I understand you believe it is a grandiose task, but anything is possible.


_______
DoS approach forum = "I was just reading into layer 3, layer 4 and layer 7 DDoS.

Cloud based seems the best current option as it can implement multiple processing paths.

Looking at options and how it works so I can build my understanding.

I see Fortinet have a promising DDoS hardware box.

I wonder what it takes and what is involved; maybe it's possible for us to make one for MikroTik."
ZipVault
 
Jeanluck
Member Candidate
Member Candidate
Posts: 272
Joined: Tue Apr 19, 2011 7:07 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Mar 09, 2017 7:51 pm

Hi,
I checked that:
add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn

with a single user with fewer than 200 total connections, this rule is skipped, and the next drop rule drops several connections.
I think the point is the "burst" parameter: 5 is too low, but in all the examples I see it is set to 5.

So, I don't understand. What exactly does the burst parameter do in this rule, and what must the value be for it to work correctly?
At least "burst = connection limit"?

Thanks!
 
R1CH
Forum Veteran
Forum Veteran
Posts: 904
Joined: Sun Oct 01, 2006 11:44 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Mar 09, 2017 11:52 pm

You're funny, normis, you make me laugh. I understand you believe it is a grandiose task, but anything is possible.


_______
DoS approach forum = "I was just reading into layer 3, layer 4 and layer 7 DDoS.

Cloud based seems the best current option as it can implement multiple processing paths.

Looking at options and how it works so I can build my understanding.

I see Fortinet have a promising DDoS hardware box.

I wonder what it takes and what is involved; maybe it's possible for us to make one for MikroTik."
The only way to beat a DDoS is to have more bandwidth than the attacker.
 
Jeanluck
Member Candidate
Member Candidate
Posts: 272
Joined: Tue Apr 19, 2011 7:07 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Mar 10, 2017 10:12 am

It's not right... Sometimes the attacker uses only a little bandwidth, but causes 100% CPU.

Could someone please explain to me what exactly the burst parameter does? I think that 400,5 is not right.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Mar 10, 2017 12:33 pm

add chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
I don't like that there are both 'connection-state' and 'tcp-flags=syn'. Why not just use one of them?
Could someone please explain to me what exactly the burst parameter does? I think that 400,5 is not right.
It means 'the first 5 packets are not checked by the 'limit' parameter, then allow 400 packets per second'.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Jeanluck
Member Candidate
Member Candidate
Posts: 272
Joined: Tue Apr 19, 2011 7:07 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Mar 10, 2017 1:52 pm

Thanks!

But I checked that 100,1 causes a lot of packet drops in the next drop rule, while 80,20 has no packet loss.
Then, if just "burst" packets are not checked, why does 100,1 drop a lot and 80,20 none? They should be the same or similar.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Mar 10, 2017 2:44 pm

But I checked that 100,1 causes a lot of packet drops in the next drop rule, while 80,20 has no packet loss.
Then, if just "burst" packets are not checked, why does 100,1 drop a lot and 80,20 none? They should be the same or similar.
The reason is the way the allowed rate is calculated.

You can imagine it as a counter: "N allowed packets left".

When the first packet arrives, the counter is initialized with the 'burst' value. The packet is accepted, and the counter is decremented by 1. Then every 'Time' (1 second by default) the counter is set to Rate, and each packet decrements it by 1. A packet is accepted if the counter is greater than or equal to zero.

In the case of '100,1' the problem is within the first second: the first packet arrives, counter=1, the packet is accepted, counter=0 - and for the rest of this second no more packets will be accepted. In 1 s the counter will become 100, and 100 more packets will be accepted.

That's why I prefer to set burst=rate+some_starting_value, not just some_starting_value :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Jeanluck
Member Candidate
Member Candidate
Posts: 272
Joined: Tue Apr 19, 2011 7:07 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sat Mar 11, 2017 3:09 pm

In the MikroTik wiki for "limit" it says:
"burst - initial number of packets or bits to match: this number gets recharged every 10ms so burst should be at least 1/100 of rate per second"
(every 10ms, not every 1 s, so I don't understand it well)

Could it be, then:
- Burst = packet limit every 10ms
- Rate = packet limit every 1000ms (== 1 s). At this point, I think that the total rate is packets in 1 s, minus the burst number in every 10ms period

For example, these rates for 20,5:
[10ms - 4 packets] - pass all -> rate=0+4=4
[10ms - 8 packets] - pass 5, and burst drops 3 -> rate=rate+5=9
[10ms - 5 packets] - pass all -> rate = rate + 5 =14
[10ms - 15 packets] - pass 5 and burst drops 10 -> rate = rate+5=19
[10ms - 4 packets] - pass one packet, because rate has reached the 20 limit, and drop all packets until the next second starts

Does it work this way?

My rule would be:
add action=return chain=DDOS_TCP_SYN comment="DDOS Connection Limit TCP SYNs" connection-state=new limit=20,5 protocol=tcp tcp-flags=syn
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Mar 12, 2017 11:14 pm

Yep, looks like it can be the truth. I thought 'limit' should work like 'dst-limit' :) But it appeared they have a bit different descriptions...
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
aarango
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Mar 22, 2017 9:20 am

Hi,

I added your lines from the first post, Chupaka, and I see packets/bytes on jump and return in my firewall, but I want to know how I could see what the packets are, what IP it is, and where I could see if that traffic is DDoS or simply normal traffic. Basically, how I could monitor that traffic to avoid DDoS attacks.


6 chain=forward action=jump jump-target=block-ddos connection-state=new
7 chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed
8 chain=block-ddos action=return dst-limit=50,50,src-and-dst-addresses/10s log=no
9 chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
10 chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

Note: I checked that it's working, I see IPs in "Address list". Now I have another question. Is there a way to add a whitelist? In "Address list" I have good IPs banned, and I want either to adjust the burst and rate values (50, 50 now) or to whitelist some IPs.
Now I changed burst and rate to 100; is that too much?

Thanks.
 
janyao
just joined
Posts: 7
Joined: Thu Mar 16, 2017 1:36 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Mar 22, 2017 11:20 am

thank you for sharing your experience.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Mar 22, 2017 1:49 pm

Are there way to add any whitelist?
just add one more 'return' rule next to the current 'return' rule:
add chain=block-ddos src-address-list=whitelisted-from-ddos-checker action=return
and then use this address-list for whitelisting
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
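The burst/rate question discussed above (why limit=100,1 drops SYNs that limit=80,20 passes) and the five block-ddos rules aarango listed, together with the whitelist 'return' rule from the reply just above, modelled in Python. This is an added example, not code from the thread, from MikroTik or from RouterOS. It assumes (an assumption, not something the thread states) that 'limit' and 'dst-limit' behave as a token bucket: at most `burst` tokens, initially full, refilled at `rate` tokens per second, which is how the netfilter limit/hashlimit matches work and what the wiki's "recharged every 10ms" wording quoted by Jeanluck describes. All addresses and traffic below are constructed.

```python
"""Token-bucket model of the RouterOS 'limit' and 'dst-limit' matchers (added example,
not RouterOS code). ASSUMPTION: both behave like the netfilter limit/hashlimit bucket:
at most `burst` tokens, starts full, refills `rate` tokens/s, a packet matches only
while a whole token is available. Every packet modelled here is connection-state=new."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport")  # constructed flows, one per new connection


class Bucket:
    """What a plain 'limit=rate,burst' rule keeps: one bucket shared by all traffic."""

    def __init__(self, rate, burst, now_ms=0):
        self.rate, self.burst, self.last_ms = rate, burst, now_ms
        self.tokens = float(burst)  # starts full, so the first `burst` packets match

    def match(self, now_ms):
        refill = (now_ms - self.last_ms) * self.rate / 1000.0  # continuous refill
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class DstLimit:
    """'dst-limit=rate,burst,mode/expire': one Bucket per key selected by mode."""

    MODES = {
        "dst-address": lambda p: (p.dst,),
        "src-address": lambda p: (p.src,),
        "src-and-dst-addresses": lambda p: (p.src, p.dst),
        "addresses-and-dst-port": lambda p: (p.src, p.dst, p.dport),
    }

    def __init__(self, rate, burst, mode, expire_ms):
        self.rate, self.burst, self.expire_ms = rate, burst, expire_ms
        self.key_of, self.buckets = self.MODES[mode], {}

    def match(self, pkt, now_ms):
        # idle keys are forgotten after `expire`; the table size is the RAM cost
        for key in [k for k, b in self.buckets.items() if now_ms - b.last_ms > self.expire_ms]:
            del self.buckets[key]
        key = self.key_of(pkt)
        if key not in self.buckets:
            self.buckets[key] = Bucket(self.rate, self.burst, now_ms)
        return self.buckets[key].match(now_ms)


class BlockDdos:
    """forward: jump block-ddos; then drop if src in ddoser and dst in ddosed.
    block-ddos: whitelist -> return; dst-limit=50,50,src-and-dst-addresses/10s -> return;
    otherwise add dst to ddosed and src to ddoser (address-list-timeout=10m)."""

    def __init__(self, whitelist=(), list_timeout_ms=600_000):
        self.limiter = DstLimit(50, 50, "src-and-dst-addresses", 10_000)
        self.whitelist, self.list_timeout_ms = set(whitelist), list_timeout_ms
        self.ddoser, self.ddosed = {}, {}  # address -> expiry in ms

    def _block_ddos(self, pkt, now_ms):
        if pkt.src in self.whitelist:  # exceptions such as a DNS server return early
            return
        if self.limiter.match(pkt, now_ms):  # still within 50 new flows/s (burst 50)
            return
        self.ddosed[pkt.dst] = now_ms + self.list_timeout_ms
        self.ddoser[pkt.src] = now_ms + self.list_timeout_ms

    def forward(self, pkt, now_ms):
        for lst in (self.ddoser, self.ddosed):  # address-list entries time out
            for addr in [a for a, t in lst.items() if t <= now_ms]:
                del lst[addr]
        self._block_ddos(pkt, now_ms)
        if pkt.src in self.ddoser and pkt.dst in self.ddosed:
            return "drop"
        return "pass"  # handed to the rest of the filter, not accepted


def compare_limit_rules():
    """Jeanluck's test: 20 SYNs arriving together under 'limit=100,1' and 'limit=80,20'."""
    results = {}
    for rate, burst in ((100, 1), (80, 20)):
        bucket = Bucket(rate, burst)
        results[f"limit={rate},{burst} same ms"] = sum(bucket.match(0) for _ in range(20))
    spaced = Bucket(100, 1)  # the same 20 SYNs 10 ms apart: one token refills every 10 ms
    results["limit=100,1 every 10ms"] = sum(spaced.match(10 * i) for i in range(20))
    return results


def simulate_block_ddos():
    """Constructed traffic: a bot flooding a victim, and a resolver querying its forwarder."""
    bot, victim, dns, upstream = "10.0.0.7", "203.0.113.10", "10.0.0.53", "198.51.100.1"
    with_wl, without_wl = BlockDdos(whitelist={dns}), BlockDdos()
    bot_v = [with_wl.forward(Packet(bot, victim, 80), 0) for _ in range(60)]
    dns_v = [with_wl.forward(Packet(dns, upstream, 53), 0) for _ in range(200)]
    dns_no_wl = [without_wl.forward(Packet(dns, upstream, 53), 0) for _ in range(200)]
    return {
        "bot_passed": bot_v.count("pass"), "bot_dropped": bot_v.count("drop"),
        "ddoser": sorted(with_wl.ddoser), "ddosed": sorted(with_wl.ddosed),
        "dns_dropped_with_whitelist": dns_v.count("drop"),
        "dns_dropped_without_whitelist": dns_no_wl.count("drop"),
    }
```

Under this model `compare_limit_rules()` passes 1 of 20 SYNs for limit=100,1 when they arrive in the same millisecond but all 20 when they are 10 ms apart, and all 20 for limit=80,20: burst is the size of the burst you are willing to tolerate, not a one-second allowance, which is why 100,1 drops packets while 80,20 does not. `simulate_block_ddos()` passes the bot's first 50 connections, then lists the bot/victim pair and drops everything after; without the whitelist return rule the resolver sending 200 queries to its forwarder is listed exactly the same way, which is the 8.8.8.8 complaint earlier in the thread. The table in DstLimit grows with the number of distinct keys, so the memory cost of the matcher is the number of src/dst pairs seen within the expire window.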
 
aarango
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Mar 22, 2017 2:21 pm

Are there way to add any whitelist?
just add one more 'return' rule next to the current 'return' rule:
add chain=block-ddos src-address-list=whitelisted-from-ddos-checker action=return
and then use this address-list for whitelisting
Thank you. A stupid question: I normally use MK from the web interface; how could I change the rules' order? I have some rules in the middle (Spamhaus rules) and I would like to keep the DDoS rules together.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Wed Mar 22, 2017 3:09 pm

I normally use MK from the web interface; how could I change the rules' order?
just drag'n'drop the rule by your mouse :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
aarango
Member Candidate
Member Candidate
Posts: 159
Joined: Wed Nov 30, 2016 7:55 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Thu Mar 23, 2017 8:13 am

I normally use MK from the web interface; how could I change the rules' order?
just drag'n'drop the rule by your mouse :)
:D I feel stupid now! I tried a lot of things less that...
 
janyao
just joined
Posts: 7
Joined: Thu Mar 16, 2017 1:36 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Mar 24, 2017 8:24 am

thanks for sharing.
 
User avatar
nichky
Long time Member
Long time Member
Posts: 527
Joined: Tue Jun 23, 2015 2:35 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Mar 24, 2017 10:28 am

From the MikroTik wiki about your post.
I have no idea what the meaning of this part of the configuration is:

add chain=detect-ddos src-address=192.168.0.1 action=return

https://wiki.mikrotik.com/wiki/DDoS_Det ... d_Blocking

Is it a local address?

Excellent rules, well done.
Nikola Suminoski
MikroTik Consultant
MTCRE l MTCWE

!) Safe Mode is your friend;
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Mar 24, 2017 11:20 am

I have no idea what the meaning of this part of the configuration is:

add chain=detect-ddos src-address=192.168.0.1 action=return
It's about "One may want also add some exceptions (like DNS servers - it won't be good if they will be blocked)" - that's the server which needs unlimited access
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
nichky
Long time Member
Long time Member
Posts: 527
Joined: Tue Jun 23, 2015 2:35 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Mar 24, 2017 12:52 pm

Got the idea. Let us know more about your rules ;) :)

Thanks
Nikola Suminoski
MikroTik Consultant
MTCRE l MTCWE

!) Safe Mode is your friend;
 
magnitude
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Thu Jun 23, 2011 10:00 pm
Location: India, New Delhi

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Fri Apr 21, 2017 8:26 pm

protocol is tcp source ip :115.238.184.5, source port 50006
when that happen i have traffic allmost on all public ip in subnet /23 around 360kbps per ip
and upload on my network is 90-150Mbps.

How did you solve this problem? I am also facing a similar problem; all my public IPs in the subnet are affected by unknown traffic.
 
User avatar
nichky
Long time Member
Long time Member
Posts: 527
Joined: Tue Jun 23, 2015 2:35 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Sep 17, 2017 2:58 am

How do you recommend setting up this rule: at the top, or will it be okay if I apply it at the end of the firewall list?

Thanks a lot
Nikola Suminoski
MikroTik Consultant
MTCRE l MTCWE

!) Safe Mode is your friend;
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Mon Sep 18, 2017 10:06 am

I'd say, it depends on your current rules :)

but in general it's better to place them on the top: they are designed to block abnormal traffic and to pass the rest to the bottom rules, not to accept it
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Rahl
just joined
Posts: 3
Joined: Sun Jun 02, 2019 12:34 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Nov 03, 2019 4:22 am

I own a few things from MikroTik.
One is a CCR1009-8G-1S-1S+ router.
I have tried to get these rules to work with it, but the return only returns back to the beginning, and after that there is no saving to the address list of DDoS attacks or other common attacks.
Is it the script that is too obsolete, or is it something I am missing?
I have added it in mangle without success, and even in filter, still without success.
I would be glad if someone could help me along the way, because I have 2 web servers inside my LAN that work great but are getting picked on.
I hope someone has an answer for this.

Many thanks, Roberth (Sweden)
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Mon Nov 04, 2019 11:02 pm

So, what exactly is not working for you? What do you expect and what actually happens?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Rahl
just joined
Posts: 3
Joined: Sun Jun 02, 2019 12:34 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Nov 10, 2019 4:40 am

I want it to stop attackers against ports 80 and 443 when there are enough requests. Like 4 per IP or something like that?
 
sindy
Forum Guru
Forum Guru
Posts: 3904
Joined: Mon Dec 04, 2017 9:19 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Nov 10, 2019 1:57 pm

First, what is the context?

Do you want to restrict the number of newly established connections (or just connection attempts) coming from clients in your internal network towards any http/https servers in the internet over a short period of time, or do you want to protect one or just a few servers in your internal network from (D)DoS attacks coming from the internet?

The firewall rules will be almost the same in both cases, but the result may not be as good as you expect in the latter case, because even if you drop the incoming SYN packets on the router, its uplink will still get clogged with them. So the load to the protected server itself will be low, but if the DDoS bandwidth exceeds the available bandwidth on the uplink, the service will be limited for everyone anyway as many (maybe most) connection attempts will never make it to your network.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Rahl
just joined
Posts: 3
Joined: Sun Jun 02, 2019 12:34 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Nov 10, 2019 2:23 pm

@Sindy
The context is two different projects I have behind a NAT firewall.
What I want is somehow to stop too many connection calls on ports 80 and 443 within a specific time.
If I'm correct, it's only new packets that are in this line, or am I wrong?
I would really like to learn both settings to be able to test it for myself.
As of today I am not DDoS affected, but there are a lot of attempts to hack the web servers.

I hope that makes it clearer.

// Roberth
 
caspat
newbie
Posts: 41
Joined: Wed Apr 28, 2010 3:55 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Nov 10, 2019 3:05 pm

Hi, I have read in the changelog that the dst-limit bug has been fixed in version 6.32. Can someone put this info on the wiki page and maybe change the example?
Thanks!
 
sindy
Forum Guru
Forum Guru
Posts: 3904
Joined: Mon Dec 04, 2017 9:19 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Sun Nov 10, 2019 3:40 pm

I hope that makes it clearer.
Partially, as my warning remains valid - if the bottleneck is the uplink bandwidth and not the computing power of the server, no degree of magic on the firewall between the uplink and the server can prevent the service from becoming inaccessible for well-behaving users if most of the bandwidth capacity gets exhausted by connection attempts from rogue "users".

As of today I am not DDoS affected, but there are a lot of attempts to hack the web servers.
So you want to limit the amount of brute-force password guessing attempts by rate-limiting them. OK, just bear in mind that passwords with good entropy (randomness) are a better protection against this particular type of attack, and that rate limiting provides no protection against attacks exploiting some stack vulnerabilities (where just one or two connections are enough to get in).

What I want is somehow to stop too many connection calls on ports 80 and 443 within a specific time.
If I'm correct, it's only new packets that are in this line, or am I wrong?
Seems there will be a bit of a language barrier here :) By connection call, you mean an attempt to establish a new connection, correct? So you want to limit how many new connections a particular client*) remote IP address may establish per unit of time, not how many connections in total a client can have ongoing at the same time.

If so, then yes, the dst-limit match condition is what you need, with the mode value set to one of (addresses-and-dst-port | src-address | src-and-dst-addresses) according to the granularity you will provide manually (i.e. if you use a dedicated rule like this for each destination address and port, setting mode to src-address will be sufficient).

This match condition is actually an entry point to a process which maintains an associative array of counters and timers indexed by the parameters, so you may get some surprises on a device with a limited amount of RAM.

And yes, you need to let only packets attributed with connection-state=new be handled by rules with the dst-limit match condition, as otherwise you would rate-limit (or break) the individual connections themselves, not the new connection attempts. But if you build on the firewall rules from the default configuration, this happens automatically, because in the default firewall configuration the first few rules in each filter chain deal with all the other connection-state values, and whatever gets past those first few rules is attributed with connection-state=new, so there is no need to repeat this match condition in every rule.

*) I believe you do realize that connection attempts from many individual human users may come from the same public IP if their PCs are in a private network NATed behind that public IP. So for a serious public service, especially one visited by mobile users, a limitation of the connection attempt rate would be too restrictive.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Mon Nov 11, 2019 8:50 am

Hi, I have read in the changelog that the dst-limit bug has been fixed in version 6.32. Can someone put this info on the wiki page and maybe change the example?
Thanks!
Hi. Are you sure it's the same bug? IIRC, I checked this about a year ago — it was still here...
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
rodolfo
Long time Member
Long time Member
Posts: 543
Joined: Sat Jul 05, 2008 11:50 am

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Mon Nov 11, 2019 10:34 am

Ok, this post is ultra-old, but the argument is always hot.
I have a question.
Could your initial code from this post be written as follows?
(to avoid the use of connection tracking)
/ip firewall raw
add chain=prerouting action=jump jump-target=block-ddos protocol=tcp tcp-flags=syn
add chain=prerouting src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
The true question is: in TCP, could a filter on the SYN flag replace the connection=new filter?

Thanks
rodolfo
IZ0UQV
 
caspat
newbie
Posts: 41
Joined: Wed Apr 28, 2010 3:55 pm

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Mon Nov 11, 2019 1:02 pm

Hi, I have read in the changelog that the dst-limit bug has been fixed in version 6.32. Can someone put this info on the wiki page and maybe change the example?
Thanks!
Hi. Are you sure it's the same bug? IIRC, I checked this about a year ago — it was still here...
I'm not sure; I just read it in the changelog...


What's new in 6.32.1 (2015-Sep-07 13:03):

*) RB911/912 - fixed lock-up;
*) RB493G - fixed reboot loop;
*) firewall - do not lose firewall mangle rules on start-up;
*) defconf - fix default configuration for routers without wireless package.

What's new in 6.32 (2015-Aug-31 14:47):

*) trafflow - added support for IPv6 targets;
*) switch - fixed port flapping on switch ports of RB750, RB750UP, RB751U-2HnD and RB951-2N (introduced in 6.31)
*) ipsec - added compatibility option skip-peer-id-check;
*) flash - fix kernel failure (exposed by 6.31);
*) bridge firewall - add ipv6 src/dst addr, ip protocol, src/dst port matching to bridge firewall;
*) RB911/RB912 - fix SPI bus lock after fast led blink;
*) ipsec - fix potential memory leak;
*) bridge firewall - vlan matchers support service tag - 0x88a8;
*) ippool6 - try to acquire the same prefix if info matches recently freed;
*) crs switch - allow to unset port learn-limit, new default is unset to allow more than 1023 hosts per port;
*) x86 - fixed 32bit multi-cpu kernel support;
*) chr - add hotspot,btest,traffgen support;
*) revised change that caused reboot by watchdog problems introduced in v6.31;
*) ipsec - use local-address for phase 1 matching and initiation;
*) ipsec - fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
*) certificates -fixed bug where crl stopped working after a while;
*) ip accounting - fixed kernel crash;
*) snmp - fix system scripts get;
*) hotspot - ignore PoD remote requests if no HotSpot configured;
*) hotspot - fix kernel failure when www plugin aborts on broken html source;
*) torch - add invert filter for src/dst/src6/dst6 addresses ;
*) bonding - add min_links property for 802.3ad mode;
*) snmp - get vlan speed from master interface;
*) hotspot - fix html-directory path on small flash devices;
*) mipsbe - make system shutdown work again;
*) lcd - fixed parallel port LCD display support on multi-cpu x86;
*) bridge - fixed use-ip-firewall-for-vlan in setups with multiple bridges;
*) ipv6 - fixed DHCP-PD client skips some steps when renewing lease;
*) upnp - fixed protocol port selection for upnp protocol comunications;

*) firewall - fixed limit and dst-limit options.

*) winbox - fixed wireless interface l2mtu (VirtualAP and WDS interface creation in winbox)
*) winbox - fixed multiple firewall rule moving in Winbox 2
*) simple queues - restrict all changes in dynamic simple queues
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8318
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

Tue Nov 12, 2019 12:38 pm

The true question is: in TCP, could a filter on the SYN flag replace the connection=new filter?
Generally - yes, I believe. It works only for TCP, and only for full connection cycle (i.e. invalid data frames without SYN packets should be dropped somewhere else), but for simple case it works the same way.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
