clueluzz
newbie
Topic Author
Posts: 34
Joined: Sun Feb 23, 2020 5:47 pm
Location: Jakarta, Indonesia

Telegram triggers DDOS?

Thu Jul 07, 2022 2:11 pm

Hi,

I'm currently using the following in my router CCR2004 (using RoS 7.3.1):

/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

I'm noticing that every time people use Telegram on their phones, after a couple of messages the MikroTik thinks it's being DDoSed. Anybody else experiencing this? FYI, I've already added Telegram IPs into a list and mangle queues but it still happens:

/ip firewall address-list
add address=telegram.org list=Telegram-IP
add address=api.telegram.org list=Telegram-IP
add address=core.telegram.org list=Telegram-IP
add address=web.telegram.org list=Telegram-IP
add address=t.me list=Telegram-IP
add address=telesco.pe list=Telegram-IP
add address=91.108.4.0/22 list=Telegram-IP
add address=91.108.8.0/22 list=Telegram-IP
add address=91.108.56.0/22 list=Telegram-IP
add address=95.161.64.0/20 list=Telegram-IP
add address=149.154.160.0/22 list=Telegram-IP
add address=149.154.164.0/22 list=Telegram-IP

Really appreciate any suggestions.
 
rextended
Forum Guru
Posts: 12632
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Telegram triggers DDOS?  [SOLVED]

Thu Jul 07, 2022 2:28 pm

First of all, I don't understand why you blindly apply these rules with copy and paste.

Second: so why is an attacker free to attack another IP before being blocked again, just for that other IP only, and so on?

Third, the "drop" of the attack must be done in firewall / raw and not in firewall / filter.
If the attack is free to pass raw, it consumes more CPU resources.

Fourth, if the IP is a source of a DDoS attack, why leave it free to attack again after 10 min (or, as already written, to attack another IP)?

Fifth, if the source IP is spoofed, you probably first get out-of-memory on the routerboard, or everything is extremely slowed, or legitimate spoofed IPs can end up on the block list,
and you are K.O., not directly because of the DDoS, but because of your well copied-and-pasted rules...

And to reply to the question, simply add src-address-list=!Telegram-IP (or better, create a "skip-DDoS-IPs" list and add false positives there) to the FIRST rule.
(but for the Telegram IP range, I doubt that it has only those addresses)
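As an added illustration (not posted by either participant), this is the OP's rule set reworked along rextended's two structural points: the exclusion list on the first rule, and the drop moved to firewall / raw. The "skip-DDoS-IPs" list name is his suggestion; the Telegram entries are the ones from the OP's post (not a complete list of Telegram's ranges) and the dst-limit values and 10m timeouts are the OP's own, kept unchanged.

```routeros
# Added example, not from the thread. Assumes RouterOS v7 syntax as used
# by the OP. List name "skip-DDoS-IPs" is rextended's suggestion.

# Known false positives (entries taken from the OP's Telegram-IP list;
# this is NOT a complete list of Telegram's address space).
/ip firewall address-list
add address=91.108.4.0/22     list=skip-DDoS-IPs comment="Telegram (from OP)"
add address=91.108.8.0/22     list=skip-DDoS-IPs comment="Telegram (from OP)"
add address=91.108.56.0/22    list=skip-DDoS-IPs comment="Telegram (from OP)"
add address=95.161.64.0/20    list=skip-DDoS-IPs comment="Telegram (from OP)"
add address=149.154.160.0/22  list=skip-DDoS-IPs comment="Telegram (from OP)"
add address=149.154.164.0/22  list=skip-DDoS-IPs comment="Telegram (from OP)"

# The exclusion goes on the FIRST rule (the jump), so traffic from the
# skip list never reaches the dst-limit counter or the add-to-list actions.
/ip firewall filter
add chain=forward connection-state=new src-address-list=!skip-DDoS-IPs \
    action=jump jump-target=block-ddos
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed \
    address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser \
    address-list-timeout=10m

# Drop the listed src/dst pairs in raw/prerouting instead of filter/forward:
# raw runs before connection tracking and the filter table, so the dropped
# packets cost far less CPU (rextended's third point).
/ip firewall raw
add chain=prerouting src-address-list=ddoser dst-address-list=ddosed \
    action=drop
```

Because the drop now happens in raw, listed packets no longer pass through block-ddos and do not refresh the list entries; they expire after the timeout and the pair is re-evaluated in filter, which is the point rextended raises about the 10 min value.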