====== So Your Mikrotik Firewall is Under Attack ====== FIXME Unfinished and untested. :!: These rules can be modified for many botnet situations. :!: Logging can be added if needed. :!: The order of rules in your firewall is important. Move these rules to an appropriate place in your firewall order. :!: Consider disabling or deleting these rules after the attacks have subsided to keep from polluting your firewall rule set. ===== Port-Based Solution (may not be ideal) ===== ==== Botnet - UDP Port 30837 ==== Here we see a botnet using UDP port 30837, so we create a permanent blacklist and drop all packets. * We can disable the rules later * We can modify these rules for the next attack * Or we can keep or delete the blacklist and rules later /ip firewall filter add chain=input comment="Drop Blacklisted Botnet Attackers for 10 Days" src-address-list=botnet_blacklist \ action=drop disabled=no add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage3 \ action=add-src-to-address-list address-list=botnet_blacklist address-list-timeout=10d disabled=no add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage2 \ action=add-src-to-address-list address-list=botnet_stage3 address-list-timeout=1m disabled=no add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage1 \ action=add-src-to-address-list address-list=botnet_stage2 address-list-timeout=1m disabled=no add chain=input protocol=udp dst-port=30837 connection-state=new action=add-src-to-address-list \ address-list=botnet_stage1 address-list-timeout=1m disabled=no * Since botnet traffic generally comes slowly from many different hosts, you might have to adjust the ''address-list-timeout'' to a longer period in the "stage" rules to catch more attackers * You might omit the ''address-list-timeout'' from the "stage3" rule to make the blacklist entry permanent. If you feel the need, you can then allow connections not previously blocked. If all you are doing is building a blacklist, omit this rule: add chain=input comment="Accept botnet traffic not previously blocked" protocol=udp dst-port=30837 \ connection-state=new action=accept ===== Detection Based Solution ===== http://forum.mikrotik.com/viewtopic.php?f=2&t=54607&p=278189 http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking :!: This sample rule set is on the ''forward'' chain. For traffic destined for router, you would have to use the ''input'' chain. :!: This rule set uses ''ether1'' as WAN (Internet) connection. :!: You can also easily exclude (whitelist) certain hosts. See [[http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking|DDoS_Detection_and_Blocking]]. This example dynamically creates two address lists: attackers (''ddos-source'') and attacked hosts (''ddos-target''), and blocks packets from the former to the latter. /ip firewall filter add chain=forward action=jump connection-state=new in-interface=ether1 jump-target=detect-ddos \ comment="Detect DDoS Attack" add chain=detect-ddos action=return dst-limit=50,100,src-and-dst-addresses/10s \ comment="Detect DDoS Attack - 1" add chain=detect-ddos action=add-dst-to-address-list address-list=ddos-target address-list-timeout=1w \ comment="Detect DDoS Attack - 2" add chain=detect-ddos action=add-src-to-address-list address-list=ddos-source address-list-timeout=1w \ comment="Detect DDoS Attack - 3" add chain=forward action=drop connection-state=new dst-address-list=ddos-target \ src-address-list=ddos-source comment="Drop DDoS Attackers" **Q:** Is there way to make the rule less sensitive? When I browse to my web server, Firefox hangs and retries too many times and I'm flagged as a ''ddos-source''. **A:** ''dst-limit=32,32'' is what you're looking for. try to change it to ''dst-limit=32,256'' for higher burst.