Differences

This shows you the differences between two versions of the page.

--- networking:router:mikrotik_under_attack [2014/06/03 15:13]
gcooper
+++ networking:router:mikrotik_under_attack [2014/06/03 16:08] (current)
gcooper
@@ Line 1: / Line 1: @@
 ====== So Your Mikrotik Firewall is Under Attack ======
 FIXME Unfinished and untested.
@@ Line 12: / Line 10: @@
 :!: Consider disabling or deleting these rules after the attacks have subsided to keep from polluting your firewall rule set.
+===== Port-Based Solution (may not be ideal) =====
 ==== Botnet - UDP Port 30837 ====
@@ Line 50: / Line 50: @@
 </file>
-===== Sample Mikrotik DDoS Rules =====
+===== Detection Based Solution =====
 http://forum.mikrotik.com/viewtopic.php?f=2&t=54607&p=278189
 http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
+:!: This sample rule set is on the ''forward'' chain.  For traffic destined for router, you would have to use the ''input'' chain.
 :!: This rule set uses ''ether1'' as WAN (Internet) connection.
+:!: You can also easily exclude (whitelist) certain hosts.  See [[http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking|DDoS_Detection_and_Blocking]].
+This example dynamically creates two address lists: attackers (''ddos-source'') and attacked hosts (''ddos-target''), and blocks packets from the former to the latter.
 <file>
 /ip firewall filter
-  add action=jump chain=forward comment="Detect DDoS Attack" connection-state=new \
-    disabled=no in-interface=ether1 jump-target=detect-ddos
+  add chain=forward action=jump connection-state=new in-interface=ether1 jump-target=detect-ddos \
-  add action=return chain=detect-ddos comment="Detect DDoS Attack" disabled=no \
+  comment="Detect DDoS Attack"
-    dst-limit=32,32,src-and-dst-addresses/10s
-  add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=\
+  add chain=detect-ddos action=return dst-limit=50,100,src-and-dst-addresses/10s \
-w chain=detect-ddos comment="Detect DDoS Attack" disabled=no
+  comment="Detect DDoS Attack - 1"
-  add action=add-src-to-address-list address-list=ddos-source address-list-timeout=\
-w chain=detect-ddos comment="Detect DDoS Attack" disabled=no
+  add chain=detect-ddos action=add-dst-to-address-list address-list=ddos-target address-list-timeout=1w \
-  add action=drop chain=forward comment="Detect DDoS Attack" connection-state=new \
+  comment="Detect DDoS Attack - 2"
-    disabled=no dst-address-list=ddos-target src-address-list=ddos-source
+  add chain=detect-ddos action=add-src-to-address-list address-list=ddos-source address-list-timeout=1w \
+  comment="Detect DDoS Attack - 3"
+  add chain=forward action=drop connection-state=new dst-address-list=ddos-target \
+  src-address-list=ddos-source comment="Drop DDoS Attackers"
 </file>
+**Q:** Is there way to make the rule less sensitive? When I browse to my web server, Firefox hangs and retries too many times and I'm flagged as a ''ddos-source''.
+**A:** ''dst-limit=32,32'' is what you're looking for. try to change it to ''dst-limit=32,256'' for higher burst.

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools