rianto isaac's Weblog

rianto utomo isaac sahala utomo

mikrotik, block SYN-sent flood and DDoS

rianto utomo, cribbed from

https://umarharris.wordpress.com/2017/05/19/serangan-ddos-pada-server-berikut-penangkalnya-pada-mikrotik/

https://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking


DDoS protection

DDoS Detection and Blocking

This is the way to prevent (D)DoS Attack from your users to attacked resources, and drop (D)DoS directed to your clients.

First, we catch all new connections and send them to dedicated firewall chain:

/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=detect-ddos

Note: In RouterOS, any single UDP packet is considered to be new connection by Connection Tracking in any Firewall section (except NAT) until the packet in opposite direction is sent. It’s good behaviour, because legitimate traffic (like uTorrent’s or Skype’s UDP stream) is bidirectional, so it triggers ‘connection-state=new’ only once per stream; on the other side, any unidirectional flooding (the only exception I can imagine is NetFlow traffic) generates ‘connection-state=new’ per each packet even if all packets have the same Src and Dst Addresses and Ports, so it can be easily detected as DoS Attack.

Then, for each “SrcIP:DstIP” pair we allow some number of new connections. One may also want to add some exceptions (like DNS servers – it won’t be good if they get blocked):

/ip firewall filter
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
add chain=detect-ddos src-address=192.168.0.1 action=return

Note: At least up to version 5.6, ‘dst-limit’ matcher has two bugs:

  • ‘Expire’ value is 10 times lower than you set; so ’10s’ is actually 1 second
  • ‘dst-limit’ matches first ‘Burst’ packets (as it should be) plus one, and then skips packets for the first second; so if you have Rate set to 32 and Burst set to 0, and you start to flood packets, the rule will match 1 packet, and on 2nd packet it won’t match until 1sec passes – that’s why you need ‘Burst’ value at least as high as ‘Rate’ value

Now, we have only packets which exceed our limits – and we add their source to ‘ddoser’ and the target to ‘ddosed’ address lists:

/ip firewall filter
add chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

Then packet processing returns to ‘forward’ chain, where we block any packets from ddosers to ddosed resources:

/ip firewall filter
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
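Added example (not RouterOS code, and not from the wiki or this blog): a small Python model of the detect-ddos chain above, with the dst-limit matcher stood in for by a per-(src,dst) token bucket. The addresses, timestamps and packet counts are constructed.

```python
# Added example (not RouterOS code): a model of the detect-ddos chain above, so the
# effect of dst-limit=32,32,src-and-dst-addresses/10s, the ddoser/ddosed lists with
# address-list-timeout=10m and the final forward drop rule can be traced on packets.
RATE, BURST, EXPIRE = 32, 32, 10.0   # dst-limit: rate, burst, expire window (seconds)
LIST_TIMEOUT = 600.0                 # address-list-timeout=10m
EXEMPT_SRC = {"192.168.0.1"}         # the DNS-server exception from the rules


class DdosFilter:
    def __init__(self):
        self.bucket = {}   # (src, dst) -> (tokens, last_seen); stands in for dst-limit
        self.ddoser = {}   # src -> expiry of its address-list entry
        self.ddosed = {}   # dst -> expiry of its address-list entry

    def _listed(self, lst, key, now):
        return lst.get(key, 0.0) > now

    def _dst_limit(self, key, now):
        # Token bucket of BURST tokens, refilled at RATE tokens per EXPIRE seconds.
        tokens, last = self.bucket.get(key, (float(BURST), now))
        tokens = min(float(BURST), tokens + (now - last) * RATE / EXPIRE)
        if tokens >= 1.0:
            self.bucket[key] = (tokens - 1.0, now)
            return True        # within limit: action=return
        self.bucket[key] = (tokens, now)
        return False           # over limit: falls through to the add-*-to-address-list rules

    def new_connection(self, src, dst, now):
        """One connection-state=new packet entering chain=forward; returns the verdict."""
        # Jump to detect-ddos: the dst-limit and exception rules return, the rest list.
        if not self._dst_limit((src, dst), now) and src not in EXEMPT_SRC:
            self.ddosed[dst] = now + LIST_TIMEOUT
            self.ddoser[src] = now + LIST_TIMEOUT
        # Back in forward: drop new connections from a listed ddoser to a listed target.
        if self._listed(self.ddoser, src, now) and self._listed(self.ddosed, dst, now):
            return "drop"
        return "accept"


def run(packets):
    """packets: iterable of (time_s, src, dst) new-connection events; returns verdicts."""
    f = DdosFilter()
    return [f.new_connection(src, dst, t) for t, src, dst in packets]


if __name__ == "__main__":
    # Constructed flood: 100 new connections in 100 ms from one host to one target.
    flood = [(i * 0.001, "10.0.0.5", "203.0.113.10") for i in range(100)]
    verdicts = run(flood)
    print(verdicts.count("accept"), "accepted,", verdicts.count("drop"), "dropped")
```

Only the first 32 connections of the constructed flood pass the limit; the pair is then listed and everything further from that source to that target is dropped until the 10-minute entries expire.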


SYN flood protection

3. Land/Lattiera.
An attack in which the attackers send SYN packets whose source address/port is the same as the target's.

The countermeasure is the same as for SYN-FLOOD, except that here a “chain forward” rule for SYN is added and diverted (jump) to the “chain SYN-Protect”. The rules then look like this:

/ip firewall filter
add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="Flood protect" disabled=no
add chain=input protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="" disabled=no
add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no


Written by isaaconi

September 20, 2019 at 11:47 am