Hi Terry,

Take a look at https://github.com/pavel-odintsov/fastnetmon

In combination with ExaBGP it can create /32 routes tagged with a community that can be transited to your upstream peers and stop traffic to the addresses that it has found to be under attack.

Mikrotik have also made some improvements recently to improve CCR's resiliency against denial-of-service type attacks.

On Tue, Mar 29, 2016 at 10:19 PM, Terry Sweetser <terry+mikrotik@skymesh.net.au> wrote:
Hello Mikrotikians!
Just wondering what ideas and implementations people have tried to detect and block packet floods and other DOS attacks?
I'm currently running 6.33 on X86 hardware and have a non-production box trying a simple PPS rate firewall filter to auto-build a list of target addresses and drop inbound traffic to the list (with a 2h expire time.)
I want to go further and push the list to BGP as /32 blackhole routes to my iBGP and also upstream to the likes of VOCUS who support /32 black holing.
This is also on top of a general purpose filter which is looking for invalid TCP flag combinations to just drop outright.
Frustratingly, the last few DDOS attacks inbound to AS7477 have been TCP SYN/RST at high packet rates, but barely past 25Mbps of payload -- router/os has proven very susceptible to high PPS hitting a single queue (HTB and simple for 1 ip address and/or sub-interface) and turning into a turtle.
-- http://about.me/terry.sweetser
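The ExaBGP side of the suggestion above (and the "/32 blackhole with a 2h expiry" plan in Terry's post), as an added example that is not part of this thread or of fastnetmon/ExaBGP: a small state tracker that turns attacked host addresses into ExaBGP API lines (`announce route ... community [...]` / `withdraw route ...`) and withdraws them after the same 2h timeout the address list uses. It assumes RFC 7999's 65535:666 as the blackhole community (your upstream may require its own), a next-hop of 192.0.2.254, and the prefixes in `allowed_prefixes` as the only space you originate; it also handles IPv6 hosts as /128, which the post did not discuss.

```python
import ipaddress
import time

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE; assumption, upstream may use its own
EXPIRE_SECONDS = 2 * 3600          # mirrors the 2h address-list expiry in the post


class BlackholeAnnouncer:
    """Tracks attacked hosts and emits ExaBGP API lines for a /32 (or /128) blackhole.

    Refusing addresses outside `allowed_prefixes` prevents a spoofed or mistaken
    detection from blackholing someone else's (or a peer's) address space.
    """

    def __init__(self, next_hop, allowed_prefixes, community=BLACKHOLE_COMMUNITY, ttl=EXPIRE_SECONDS):
        self.next_hop = next_hop
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
        self.community = community
        self.ttl = ttl
        self.active = {}  # ip_address object -> expiry timestamp

    def _is_ours(self, addr):
        return any(addr in net for net in self.allowed)

    def add_target(self, address, now=None):
        """Return the announce line the first time a host is seen, else None (refresh only)."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(address)
        if not self._is_ours(addr):
            return None  # never blackhole space we do not originate
        first_seen = addr not in self.active
        self.active[addr] = now + self.ttl  # re-arm the timer on every detection
        if not first_seen:
            return None
        return (f"announce route {addr}/{addr.max_prefixlen} next-hop {self.next_hop} "
                f"community [{self.community}]")

    def expire(self, now=None):
        """Return withdraw lines for every host whose timer has run out."""
        now = time.time() if now is None else now
        lines = []
        for addr in [a for a, exp in self.active.items() if exp <= now]:
            del self.active[addr]
            lines.append(f"withdraw route {addr}/{addr.max_prefixlen} next-hop {self.next_hop}")
        return lines


if __name__ == "__main__":
    # Constructed sample run: one detection, then the timeout elapses.
    bh = BlackholeAnnouncer("192.0.2.254", ["192.0.2.0/24", "2001:db8::/32"])
    print(bh.add_target("192.0.2.10", now=0))
    print(bh.expire(now=EXPIRE_SECONDS))
```

Run it as an ExaBGP `process` that writes these lines to stdout; `expire()` needs to be called periodically (for example once a minute) so withdrawals actually go out.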
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au