dos attack mikrotik
TRANSCRIPT
DoS attack protection 1
DoS attack protection
In generalDoS (Denial of Service) attack can cause overloading of router. Which means what CPU usage goes to 100% androuter could be unreachable with timeouts. Every operations on packets which can take significant CPU power likefirewalling(filter, nat, mangle), logging, queues can cause overloading if too much packets per second arrives torouter.Generally there is no perfect solution to protect against DoS attacks. Every service could be overloaded by too muchrequests. So there are only some methods for minimization impact of attack.•• Get more powerfull router or server•• Get more faster uplink•• Reduce number of firewall rules, queues and other packet handling actions•• Track attack path and block it closer to source (by upstream provider)
Types
TCP SYN floodMore info: SYN flood [1].
Diagnose
•• Are there too much connections with syn-sent state present?
/ip firewall connection print
•• Is too much packets per second going through interface?
/interface monitor-traffic ether3
•• Is CPU usage 100%?
/system resource monitor
•• Are there too much suspicious connections?
/tool torch
Protection
•• Limit incoming connectionsAddress with too much connections can be added to address list for futher blocking.
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \
action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
where LIMIT is max. number of connection per IP. LIMIT should be 100 or higher as many services use multipleconnection (HTTP, Torrent, other P2P programs).•• Action tarpitInstead of simply droping attackers packets(action=drop) router can capture and hold connections and with enoughpowerfull router is can kill the attacker.
DoS attack protection 2
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \
connection-limit=3,32 action=tarpit
•• SYN filteringSome advanced filtering can by applied to tcp packet state.
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no
"syn limit=400" is a threshold, just enable rule in forward for syn packets to get dropped (for excessive amount ofnew connection)•• SYN cookiesMore info: SYN cookies [2]
/ip firewall connection tracking set tcp-syncookie=yes
External links• Denial-of-service attack [3]
References[1] http:/ / en. wikipedia. org/ wiki/ SYN_flood[2] http:/ / en. wikipedia. org/ wiki/ SYN_cookies[3] http:/ / en. wikipedia. org/ wiki/ DoS
Article Sources and Contributors 3
Article Sources and ContributorsDoS attack protection Source: http://wiki.mikrotik.com/index.php?oldid=19149 Contributors: Chronos, Chupaka, Yancho