Hi Terry,

Have you tried adding a permit established at the top of the rules to help you reduce the number of rules to work through for the majority of your traffic?

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Terry Sweetser (SkyMesh)
Sent: Wednesday, March 30, 2016 9:53 AM
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] DDoS Mitigation?

Hi Alex,

This is what I'm currently testing:
/ip firewall filter
add action=return chain=ddos-processor dst-limit=8000,2000,dst-address/5s
add action=add-dst-to-address-list address-list=ddos-block address-list-timeout=2h chain=ddos-processor log=yes log-prefix=DDOS
add action=jump chain=forward connection-state=new jump-target=ddos-processor
add action=drop chain=forward dst-address-list=ddos-block
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp src-port=0
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" dst-port=0 protocol=tcp
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=udp src-port=0
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" dst-port=0 protocol=udp
I'm also working on a scheduler script to add a BGP advertisement of the /32, with a set of community strings that would black hole the /32.

http://about.me/terry.sweetser

On 30/03/16 08:10, Alex Samad - Yieldbroker wrote:
Sounds cool. Is this all in the ROS world?
Would you publish the script? I would be interested.
A
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
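To make the behaviour of the posted ddos-processor chain concrete, here is an added model of it in Python. It is not code from the thread or from MikroTik: the dst-limit matcher is approximated as a per-destination token bucket with the posted parameters (rate 8000/s, burst 2000, keyed on dst-address, entries expiring after 5s), the address list is a dict with a 2h expiry, and the traffic it processes is constructed (the 203.0.113.x addresses are documentation-range placeholders). The rule order is mirrored as posted: only connection-state=new packets enter the processor, and the dst-address-list drop comes after the jump, so a destination that exceeds the limit keeps getting re-added while the flood lasts. One property worth seeing is that the list holds the destination, so once a host is over the limit all forward traffic to it is dropped, established sessions included, until the timeout lapses; the chain shields the rest of the network, not the targeted host, which is the same effect as the /32 blackhole advertisement described in the reply.

```python
"""Model of the ddos-processor chain from the thread: a per-destination
token bucket (RouterOS dst-limit) in front of a timed block list
(address-list-timeout). The token-bucket arithmetic is an approximation
written for this example; the sample traffic below is constructed."""
from typing import Dict, List, Tuple

# Parameters taken from the posted rule: dst-limit=8000,2000,dst-address/5s
RATE = 8000.0           # sustained new connections per second, per destination
BURST = 2000.0          # tokens available for a burst before the limit is exceeded
EXPIRE = 5.0            # seconds of inactivity before a destination's bucket is forgotten
BLOCK_TIMEOUT = 7200.0  # address-list-timeout=2h


class DstLimit:
    """Token bucket keyed by destination address (approximation of dst-limit)."""

    def __init__(self, rate: float = RATE, burst: float = BURST, expire: float = EXPIRE):
        self.rate, self.burst, self.expire = rate, burst, expire
        self.buckets: Dict[str, Tuple[float, float]] = {}  # dst -> (tokens, last_seen)

    def within_limit(self, dst: str, ts: float) -> bool:
        """True if this new connection fits the limit (the rule matches and 'return's)."""
        tokens, last = self.buckets.get(dst, (self.burst, ts))
        elapsed = ts - last
        if elapsed >= self.expire:
            tokens = self.burst  # stale entry: start a fresh bucket
        else:
            tokens = min(self.burst, tokens + elapsed * self.rate)
        if tokens >= 1.0:
            self.buckets[dst] = (tokens - 1.0, ts)
            return True
        self.buckets[dst] = (tokens, ts)
        return False


class ForwardChain:
    """Mirrors the posted rule order: jump to ddos-processor on new connections,
    then drop anything whose destination is on the ddos-block list."""

    def __init__(self) -> None:
        self.limiter = DstLimit()
        self.blocklist: Dict[str, float] = {}  # dst -> expiry timestamp
        self.log: List[str] = []               # stands in for log=yes log-prefix=DDOS

    def process(self, ts: float, dst: str, new_connection: bool) -> str:
        # address-list-timeout: entries fall off once their expiry has passed
        self.blocklist = {d: exp for d, exp in self.blocklist.items() if exp > ts}
        if new_connection and not self.limiter.within_limit(dst, ts):
            # over the limit: add-dst-to-address-list (re-adding refreshes the timeout)
            self.blocklist[dst] = ts + BLOCK_TIMEOUT
            self.log.append(f"DDOS t={ts:.3f} dst={dst}")
        # add action=drop chain=forward dst-address-list=ddos-block
        return "drop" if dst in self.blocklist else "forward"


def build_sample_traffic() -> List[Tuple[float, str, bool]]:
    """Constructed events: (timestamp, destination, is_new_connection)."""
    events: List[Tuple[float, str, bool]] = []
    # steady legitimate traffic: 50 new connections/s to one host for 2 s
    events += [(i * 0.02, "203.0.113.20", True) for i in range(100)]
    # flood: 2500 new connections to the victim arriving in the same instant
    events += [(1.0, "203.0.113.10", True) for _ in range(2500)]
    # established packets to both hosts shortly after the flood
    events += [(3.0, "203.0.113.10", False), (3.0, "203.0.113.20", False)]
    # one new connection to the victim after the 2h block has expired
    events.append((1.0 + BLOCK_TIMEOUT + 1.0, "203.0.113.10", True))
    events.sort()
    return events


def run(events: List[Tuple[float, str, bool]]):
    """Return per-destination verdict counts and the chain (for its log/blocklist)."""
    chain = ForwardChain()
    verdicts: Dict[str, Dict[str, int]] = {}
    for ts, dst, new in events:
        verdict = chain.process(ts, dst, new)
        verdicts.setdefault(dst, {"forward": 0, "drop": 0})[verdict] += 1
    return verdicts, chain


if __name__ == "__main__":
    counts, chain = run(build_sample_traffic())
    for dst, c in counts.items():
        print(dst, c)
    print("block-list additions logged:", len(chain.log))
```

Running it shows the burst of 2000 passing, the 2001st new connection putting the victim on the list, every later packet to that host (including the established one at t=3.0) being dropped, and traffic resuming once the 2h entry expires, while the host receiving 50 new connections/s is never touched.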