networking:router:mikrotik_under_attack

Differences

This shows you the differences between two versions of the page.

networking:router:mikrotik_under_attack [2014/06/03 15:23]
gcooper
networking:router:mikrotik_under_attack [2014/06/03 16:08] (current)
gcooper
Line 10: Line 10:
  
 :!: Consider disabling or deleting these rules after the attacks have subsided to keep from polluting your firewall rule set. :!: Consider disabling or deleting these rules after the attacks have subsided to keep from polluting your firewall rule set.
 +
 +===== Port-Based Solution (may not be ideal) =====
  
 ==== Botnet - UDP Port 30837 ==== ==== Botnet - UDP Port 30837 ====
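Review bot: The new heading "Port-Based Solution (may not be ideal)" names a caveat without stating it. One sentence under the heading saying why (the rules in this section only match the specific ports listed, so they miss attacks on other ports and will also drop legitimate traffic arriving on those ports) would tell readers when to skip to the "Detection Based Solution" section instead.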
Line 48: Line 50:
 </file> </file>
  
-===== Sample Mikrotik DDoS Rules =====+===== Detection Based Solution =====
  
 http://forum.mikrotik.com/viewtopic.php?f=2&t=54607&p=278189 http://forum.mikrotik.com/viewtopic.php?f=2&t=54607&p=278189
  
 http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
 +
 +:!: This sample rule set is on the ''forward'' chain.  For traffic destined for router, you would have to use the ''input'' chain.
  
 :!: This rule set uses ''ether1'' as WAN (Internet) connection. :!: This rule set uses ''ether1'' as WAN (Internet) connection.
 +
 +:!: You can also easily exclude (whitelist) certain hosts.  See [[http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking|DDoS_Detection_and_Blocking]].
  
 This example dynamically creates two address lists: attackers (''ddos-source'') and attacked hosts (''ddos-target''), and blocks packets from the former to the latter. This example dynamically creates two address lists: attackers (''ddos-source'') and attacked hosts (''ddos-target''), and blocks packets from the former to the latter.
Line 61: Line 67:
 /ip firewall filter /ip firewall filter
  
-  add action=jump chain=forward comment="Detect DDoS Attack" connection-state=new +  add chain=forward action=jump connection-state=new in-interface=ether1 jump-target=detect-ddos \ 
-    disabled=no in-interface=ether1 jump-target=detect-ddos +  comment="Detect DDoS Attack"
-     +
-  add action=return chain=detect-ddos comment="Detect DDoS Attack" disabled=no \ +
-    dst-limit=32,32,src-and-dst-addresses/10s+
          
-  add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=\ +  add chain=detect-ddos action=return dst-limit=50,100,src-and-dst-addresses/10s \ 
-    1w chain=detect-ddos comment="Detect DDoS Attack" disabled=no+  comment="Detect DDoS Attack - 1" 
 +       
 +  add chain=detect-ddos action=add-dst-to-address-list address-list=ddos-target address-list-timeout=1w 
 +  comment="Detect DDoS Attack - 2"
          
-  add action=add-src-to-address-list address-list=ddos-source address-list-timeout=\ +  add chain=detect-ddos action=add-src-to-address-list address-list=ddos-source address-list-timeout=1w 
-    1w chain=detect-ddos comment="Detect DDoS Attack" disabled=no+  comment="Detect DDoS Attack - 3"
          
-  add action=drop chain=forward comment="Detect DDoS Attack" connection-state=new +  add chain=forward action=drop connection-state=new dst-address-list=ddos-target 
-    disabled=no dst-address-list=ddos-target src-address-list=ddos-source+  src-address-list=ddos-source comment="Drop DDoS Attackers"
 </file> </file>
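Review bot: The add-dst-to-address-list, add-src-to-address-list and drop rules in the new version put `comment=...` on a second line without the trailing `\` continuation that the jump and return rules keep. Pasted into the RouterOS terminal, a line such as `comment="Detect DDoS Attack - 2"` is read as a separate command and fails, so those three rules end up without their comments; add `\` to the end of each first line, e.g. `address-list-timeout=1w \`. The dst-limit threshold also changes from `32,32` to `50,100` (rate in packets per second, then burst, per src-and-dst address pair) with no explanation in the surrounding text; a short note on how to tune those two values for the link in question would help, since traffic under the limit hits `action=return` and only the excess falls through to the address-list rules.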
  
networking/router/mikrotik_under_attack.1401830636.txt.gz · Last modified: 2014/06/03 15:23 by gcooper