Hello Mikrotikians!
Just wondering what ideas and implementations people have tried to detect and block packet floods and other DOS attacks?
I'm currently running 6.33 on X86 hardware and have a non-production box trying a simple PPS rate firewall filter to auto-build a list of target addresses and drop inbound traffic to the list (with a 2h expire time.)
I want to go further and push the list to BGP as /32 blackhole routes to my iBGP and also upstream to the likes of VOCUS who support /32 black holing.
This is also on top of a general purpose filter which is looking for invalid TCP flag combinations to just drop outright.
Frustratingly, the last few DDOS attacks inbound to AS7477 have been TCP SYN/RST at high packet rates, but barely past 25Mbps of payload -- router/os has proven very susceptible to high PPS hitting a single queue (HTB and simple for 1 ip address and/or sub-interface) and turning into a turtle.
-- http://about.me/terry.sweetser
Hi Terry,
Take a look at https://github.com/pavel-odintsov/fastnetmon
In combination with ExaBGP it can create /32 routes tagged with a community that can be transited to your upstream peers and stop traffic to the addresses that it has found to be under attack.
Mikrotik have also made some improvements recently to improve CCR's resiliency against denial-of-service type attacks.
On Tue, Mar 29, 2016 at 10:19 PM, Terry Sweetser <terry+mikrotik@skymesh.net.au> wrote:
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Take a look at https://github.com/pavel-odintsov/fastnetmon
+1.
Pavel does a great job of supporting his code and also adding new features :-)
I've only used in conjunction with flows from Cisco and Juniper gear, but others have used with flows from RouterOS.
Hopefully adding netflow (with sufficient sampling to be useful) doesn't cause more CPU load and make the turtle worse.
Cheers,
Joseph
Netflow can be quite heavy on RouterOS, so as Joseph mentioned flows with a high enough sampling rate for DDoS protection can cripple your router.
If you have decent switches in front of your Mikrotik routers you can mirror/sFlow the Mikrotik ports to your FastNetMon server, which will provide speedy detection without pushing up CPU on your router.
On Tue, Mar 29, 2016 at 11:52 PM, Joseph B <josephb@f-m.fm> wrote:
Sounds cool. Is this all in the ROS world?
Would you publish the script? I would be interested.
A
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Terry Sweetser
Sent: Tuesday, 29 March 2016 8:20 PM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] DDoS Mitigation?
Hi Alex, This is what I'm currently testing:
/ip firewall filter
# ddos-processor: while a destination sees fewer than 8000 new-connection pps (burst 2000) the rule matches and returns to the caller
add action=return chain=ddos-processor dst-limit=8000,2000,dst-address/5s
# anything that exceeds the limit falls through to here: the target goes on ddos-block for 2h and is logged
add action=add-dst-to-address-list address-list=ddos-block address-list-timeout=2h chain=ddos-processor log=yes log-prefix=DDOS
# only new connections are rate-checked; traffic to a listed target is dropped outright
add action=jump chain=forward connection-state=new jump-target=ddos-processor
add action=drop chain=forward dst-address-list=ddos-block
# invalid TCP flag combinations
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp tcp-flags=rst,urg
# port 0 is never a valid source or destination port
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=tcp src-port=0
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" dst-port=0 protocol=tcp
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" protocol=udp src-port=0
add action=drop chain=forward comment="invalid tcp flags and port 0 attacks" dst-port=0 protocol=udp
I'm also working on a scheduler script to add a BGP advertisement of the /32, with a set of community strings that would black hole the /32.
http://about.me/terry.sweetser
On 30/03/16 08:10, Alex Samad - Yieldbroker wrote:
Sounds cool. Is this all in the ROS world.
Would you publish the script ? I would be interested
A
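A RouterOS 6.x scheduler script of the kind Terry describes, added here as an illustration (it is not Terry's script and not part of the original thread): it mirrors the ddos-block address list into /32 blackhole routes carrying a BGP community, and withdraws a route once its list entry has expired. The list name comes from the filter above; the community 65535:666 (RFC 7999 BLACKHOLE) and the "ddos-blackhole" comment tag are assumptions, to be replaced with whatever the iBGP peers and upstream expect.

```routeros
# Sync /32 blackhole routes with the ddos-block address list.
# Intended to run from /system scheduler every minute.
:local listName "ddos-block"
:local tag "ddos-blackhole"
# placeholder: use the blackhole community your upstream documents
:local community "65535:666"

# 1. Announce every target currently on the list (once).
:foreach entry in=[/ip firewall address-list find list=$listName] do={
    :local addr [/ip firewall address-list get $entry address]
    :if ([:len [/ip route find dst-address="$addr/32" comment=$tag]] = 0) do={
        /ip route add dst-address="$addr/32" type=blackhole comment=$tag bgp-communities=$community
        :log warning "$tag: announcing $addr/32"
    }
}

# 2. Withdraw routes whose list entry has expired (the 2h timeout).
:foreach route in=[/ip route find comment=$tag] do={
    :local dst [/ip route get $route dst-address]
    :local ip [:pick $dst 0 [:find $dst "/"]]
    :if ([:len [/ip firewall address-list find list=$listName address=$ip]] = 0) do={
        /ip route remove $route
        :log warning "$tag: withdrawing $dst"
    }
}
```

The routes only reach peers if the BGP instance redistributes static routes and the out filters pass the community, so check both before relying on the withdrawal step.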
Hi Terry,
Have you tried adding a permit established at the top of the rules to help you reduce the number of rules to work through for the majority of your traffic?
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Terry Sweetser (SkyMesh)
Sent: Wednesday, March 30, 2016 9:53 AM
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] DDoS Mitigation?
Hi Stavros!
I'd prefer not to --- I have BGP load balancing in place and no way of sharing CT between 2 Router/OS machines.
http://about.me/terry.sweetser
On 30/03/16 10:58, Stavros Patiniotis wrote:
Hi Terry,
Have you tried adding a permit established at the top of the rules to help you reduce the number of rules to work through for the majority of your traffic?
We have 2 BGP routers and use
In the forward <some special rules> then
# Apply ICMP filter
add chain=forward protocol=icmp action=jump comment="filter icmp" jump-target=ICMPFILTER
add chain=forward comment="Allow ICMP" limit=50,100 protocol=icmp disabled=yes
# Related
add chain=forward comment="Allow Established connections" connection-state=established
add chain=forward comment="Allow Related connections" connection-state=related
# for asym traffic
add chain=forward comment="allow SYN,ack tcp traffic" protocol=tcp tcp-flags=syn,ack
add chain=forward comment="allow non SYN tcp traffic" protocol=tcp tcp-flags=!syn
Alex
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Terry Sweetser (SkyMesh)
Sent: Wednesday, 30 March 2016 12:37 PM
To: Stavros Patiniotis <stavros@staff.esc.net.au>; 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] DDoS Mitigation?
On 30/03/16 10:58, Stavros Patiniotis wrote:
Hi Terry,
Have you tried adding a permit established at the top of the rules to help you reduce the number of rules to work through for the majority of your traffic?
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Looking at software out of the box, I think the best I ever came across from a price/feature viewpoint was WanGuard.
https://www.andrisoft.com/software/wanguard
I could sit here and explain all the things it can/can't do but better for you to have a read yourself and make your own call on it.
Daniel
On 30/03/2016, 1:46 PM, "Public on behalf of Alex Samad - Yieldbroker" <public-bounces@talk.mikrotik.com.au on behalf of Alex.Samad@yieldbroker.com> wrote:
participants (7)
- Alex Samad - Yieldbroker
- Andrew Thrift
- Daniel Hoffman - Sliced Tech
- Joseph B
- Stavros Patiniotis
- Terry Sweetser
- Terry Sweetser (SkyMesh)