 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

DOS attacks and bandwidth shaping?

Wed Apr 29, 2015 4:45 pm

I run a WISP and occasionally, maybe every 2-3 months, we get hit with a DOS attack.
Many of our customers are 4-5 wireless hops from our core and we do our bandwidth shaping at the CPE or the AP that the CPE connects to. When we get hit, the wireless hops between the core and the target get saturated and everyone suffers. I am thinking of doing our shaping (at least the download) at the core. I guess the only concern would be the extra CPU power to shape everyone at the core. Any thoughts?
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

DOS attacks and bandwidth shaping?

Thu Apr 30, 2015 6:52 am

Can't you use a firewall against those attacks? I would expect you have investigated it and know very well what kind of attack it is.
 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Re: DOS attacks and bandwidth shaping?

Thu Apr 30, 2015 9:54 pm

I've looked through the wiki and I haven't seen any examples of firewall rules that would be very effective in protecting against a DDOS attack.
 
amt
Long time Member
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: DOS attacks and bandwidth shaping?

Thu Apr 30, 2015 11:16 pm

> I've looked through the wiki and I haven't seen any examples of firewall rules that would be very effective in protecting against a DDOS attack.

Check this,
http://forum.mikrotik.com/viewtopic.php?f=2&t=54607
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: DOS attacks and bandwidth shaping?

Thu Apr 30, 2015 11:18 pm

I run a wisp
>>>we do our bandwidth shaping at the CPE or the AP that the CPE connects to
REALLY??? Why, when you started the WISP, did you not do it at the border gateway???

>>>I am thinking of doing our shaping (at least the download) at the core.
The only right place to do shaping is the download at the border gateway and the upload at the CPE!!!
I'm Italian, not English. Sorry for my imperfect grammar.
 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Re: DOS attacks and bandwidth shaping?

Tue Dec 15, 2015 7:07 pm

Rextended, we've tried it both ways. Doing all the shaping at the border results in the router getting overloaded so we distribute the load.

And we are doing okay. The next time, if you want to ask a question about our strategy, just ask the question. Don't be a *****.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: DOS attacks and bandwidth shaping?

Tue Dec 15, 2015 7:40 pm

> Rextended, we've tried it both ways. Doing all the shaping at the border results in the router getting overloaded so we distribute the load.
>
> And we are doing okay. The next time, if you want to ask a question about our strategy, just ask the question. Don't be a *****.

Rextended is 100% correct. If you mitigate (inbound) DDoS traffic somewhere inside your network, then however many links it takes to carry the flood to your scrubbing system will be overloaded. Scrubbing right at the front door will stop your internal infrastructure from being burdened with the load. If you carry your users' upstream DDoS traffic to a scrubber, then whatever region of the network they're on will also be affected. You don't want to carry DDoS flood traffic even 1 hop more than required.

If the CPU of your upstream border router isn't beefy enough to handle the shaping on a DDoS flood, then you can try filtering the traffic entirely, and if even this isn't possible (due to the attack being completely random ports) or if even this overloads the CPU, then your only remaining option is to blackhole route the target IP until the storm goes by or else you can get your service provider's help in filtering the traffic before it reaches your network.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Re: DOS attacks and bandwidth shaping?

Mon Dec 21, 2015 7:55 am

100% correct? Doesn't make much sense to shape at the core, resulting in everyone getting poor performance all the time, not just during an attack.
That might work for less than 1000 clients, but trying to shape thousands isn't going to happen efficiently on a single router, I don't care which MikroTik router you have.
 
p3rad0x
Long time Member
Posts: 604
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa

Re: DOS attacks and bandwidth shaping?

Mon Dec 21, 2015 11:29 am

Next time you are under attack,

Torch the links to see what type of attack it is.

If your clients have public IPs set up on their CPEs, check if allow remote requests is turned off.

Had an issue where all my clients became open DNS relays, causing the main links to get saturated and the clients' CPE was pinned at 100% usage.

If I may ask, how much bandwidth and packets are running over the internet facing ports and are they matching up with the usage on your main links combined?
There you go then you touched something ;-) : it only takes a change in wind direction to screw with your nat :-)
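
An added example, not part of any post in this thread: a Python triage of sampled flows that follows the advice above from ZeroByte and p3rad0x. It finds the flooded target, then decides whether one protocol/port carries the flood (so a border filter can match it) or the ports are random and only a blackhole route remains. The `Flow` record, the thresholds and the sample data are assumptions made up for illustration; they are not Torch's output format.

```python
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport nbytes")

def triage(flows, target_share=0.5, port_share=0.8):
    """Pick the flood target and decide whether a port filter can match it.

    Returns (target, action, match): action is "filter" when one protocol/port
    carries at least port_share of the bytes sent to the target, "blackhole"
    when the ports are spread out, and "none" when no destination dominates.
    """
    per_dst = Counter()
    for f in flows:
        per_dst[f.dst] += f.nbytes
    total = sum(per_dst.values())
    if total == 0:
        return (None, "none", None)
    target, to_target = per_dst.most_common(1)[0]
    if to_target / total < target_share:
        return (None, "none", None)

    # Bytes toward the target, keyed by source port and by destination port.
    per_port = Counter()
    for f in flows:
        if f.dst == target:
            per_port[(f.proto, "src-port", f.sport)] += f.nbytes
            per_port[(f.proto, "dst-port", f.dport)] += f.nbytes
    match, hits = per_port.most_common(1)[0]
    if hits / to_target >= port_share:
        return (target, "filter", match)
    return (target, "blackhole", None)

# Constructed samples using documentation addresses (not real Torch output).
# Reflection flood: many sources, all UDP source port 53, random destination ports.
REFLECTION = [Flow("udp", f"198.51.100.{i}", 53, "203.0.113.10", 1024 + 37 * i, 3000)
              for i in range(1, 41)]
# Random-port flood: no source or destination port repeats.
RANDOM_PORTS = [Flow("udp", f"198.51.100.{i}", 2000 + 11 * i, "203.0.113.20", 5000 + 13 * i, 1400)
                for i in range(1, 41)]
# Normal customer traffic spread over many destinations.
BACKGROUND = [Flow("tcp", "192.0.2.5", 443, f"203.0.113.{100 + i}", 40000 + i, 1500)
              for i in range(30)]

if __name__ == "__main__":
    print(triage(REFLECTION + BACKGROUND))
    print(triage(RANDOM_PORTS + BACKGROUND))
    print(triage(BACKGROUND))
```

A "filter" result with `("udp", "src-port", 53)` is the DNS-reflection pattern that an open relay on a CPE both receives and contributes to, which is why the allow remote requests check matters.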
