Distributed Denial of Service Attacks or DDoS is quite popular these days and it’s not hard to guess the the name of the originating country – China/Hong Kong tops the list of the attackers. Huh!
It has been a long time I’m working with mikrotik devices. So, it is not anything new for me. Guess what I faced DDoS first time in my home network. Trust me, it took my whole network down in minutes. So, just imagine what would happen to an enterprise network! Anyways, if you need to know more about it just google it and you will find a whole lot of article on it.
So, whenever you are configuring your mikrotik router for the first time it’s better if you configure the filter rules to prevent the attacks – “Prevention is better than cure!”
General Symptoms:
- Full WAN uplink bandwidth utilisation even if no clients are connected to your router.
- Extremely high latency.
- Several unknown IPs connected to your router’s public IP. [See this from the torch option and sort by Rx/Tx]
- If you are curious enough and do some IP lookups you can see those IPs are of mainly CHINANET network. Beware!!
Some important tips:
- Disable DNS if not required.
- If DNS – Allow remote request is enabled, make sure appropriate filter rule is set to prevent incoming DNS attacks.
add action=drop chain=input dst-port=53 protocol=udp add action=drop chain=input dst-port=53 protocol=tcp
- Disable SSH, Telnet access if not required.
- Change HTTP port to some other port other than port 80.
Solution (CLI Based):
/ip firewall filter add action=jump chain=forward connection-state=new jump-target=detect-ddos add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
So, what am I doing here? It’s not rocket science, simple filter logics! But before this you need to have the concept of DDoS – What, why, how! Thanks to Mikrotik’s Wiki and Router OS manual which helped me to figure it out.
- First we will capture all the new connections made and pass them to a dedicated firewall chain.
- Then for each source and destination IP address pair we will setup limit for number of packets per second (pps) and their reset timers and then passes control back to the chain from where the jump took place.
- After we have the packets exceeding our predefined pps, we add their source to ‘ddoser’ and the target to ‘ddosed’ address lists.
- Then we drop all packets flowing through the router if their IPs matches with the address list.
That’s it! We are good to go. But I will suggest your to talk with your upstream provider if you are facing these attacks very often as it is always a good idea too block DDoS at source. Also it increases our CPU usage if we don’t have a powerful router at our disposal…