networking:router:mikrotik_under_attack

networking:router:mikrotik_under_attack [2014/05/20 08:58]
gcooper
networking:router:mikrotik_under_attack [2014/06/03 16:08] (current)
gcooper
Line 10: Line 10:
  
 :!: Consider disabling or deleting these rules after the attacks have subsided to keep from polluting your firewall rule set. :!: Consider disabling or deleting these rules after the attacks have subsided to keep from polluting your firewall rule set.
 +
 +===== Port-Based Solution (may not be ideal) =====
  
 ==== Botnet - UDP Port 30837 ==== ==== Botnet - UDP Port 30837 ====
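Review bot: the new heading "Port-Based Solution (may not be ideal)" flags a limitation without saying what it is; a one-line explanation under the heading (port filters only stop traffic that happens to use that port, and need a rule per botnet) would tell the reader when to prefer the detection-based section instead. Also confirm the heading level is intended: `=====` is one level above the existing `==== Botnet - UDP Port 30837 ====` it now sits over, which is right only if the botnet entries are meant to become subsections of it.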
Line 48: Line 50:
 </file> </file>
  
 +===== Detection Based Solution =====
 +
 +http://forum.mikrotik.com/viewtopic.php?f=2&t=54607&p=278189
 +
 +http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
 +
 +:!: This sample rule set is on the ''forward'' chain.  For traffic destined for router, you would have to use the ''input'' chain.
 +
 +:!: This rule set uses ''ether1'' as WAN (Internet) connection.
 +
 +:!: You can also easily exclude (whitelist) certain hosts.  See [[http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking|DDoS_Detection_and_Blocking]].
 +
 +This example dynamically creates two address lists: attackers (''ddos-source'') and attacked hosts (''ddos-target''), and blocks packets from the former to the latter.
 +
 +<file>
 +/ip firewall filter
 +
 +  add chain=forward action=jump connection-state=new in-interface=ether1 jump-target=detect-ddos \
 +  comment="Detect DDoS Attack"
 +    
 +  add chain=detect-ddos action=return dst-limit=50,100,src-and-dst-addresses/10s \
 +  comment="Detect DDoS Attack - 1"
 +      
 +  add chain=detect-ddos action=add-dst-to-address-list address-list=ddos-target address-list-timeout=1w \
 +  comment="Detect DDoS Attack - 2"
 +    
 +  add chain=detect-ddos action=add-src-to-address-list address-list=ddos-source address-list-timeout=1w \
 +  comment="Detect DDoS Attack - 3"
 +    
 +  add chain=forward action=drop connection-state=new dst-address-list=ddos-target \
 +  src-address-list=ddos-source comment="Drop DDoS Attackers"
 +</file>
 +
 +**Q:** Is there way to make the rule less sensitive? When I browse to my web server, Firefox hangs and retries too many times and I'm flagged as a ''ddos-source''.
 +
 +**A:** ''dst-limit=32,32'' is what you're looking for. try to change it to ''dst-limit=32,256'' for higher burst.
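Review bot: the Q/A at the end refers to `dst-limit=32,32`, but the rule above uses `dst-limit=50,100,src-and-dst-addresses/10s`, so a reader tuning sensitivity cannot tell which value to change; either align the answer with the rule or note that it was written for a different rate/burst. A short comment spelling out the field order (rate,burst,mode/expire: here 50 new connections per second, burst 100, tracked per source-and-destination address pair, tracking entries expiring after 10s) would make the tuning advice self-explanatory. Two behaviours are worth stating in the text as well: a flagged pair stays listed for `address-list-timeout=1w`, so a legitimate client that trips the limit is blocked from that target for a week unless the entry is removed by hand, and the drop rule matches only `connection-state=new`, so connections established before the listing keep flowing.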
networking/router/mikrotik_under_attack.1400597880.txt.gz · Last modified: 2014/05/20 08:58 by gcooper