Hellbound
Long time Member
Topic Author
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

How to block Kama Sutra?

Fri Feb 03, 2006 9:01 am

Hi guys,
It seems that my network connection tracking shows a few thousand connections, which is weird, from IPs that don't exist on the network to the server, and it is slowing the server badly.

thanks
 
normis
MikroTik Support
Posts: 26943
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Feb 03, 2006 9:20 am

Make an allowed IP list, block everything else, and make a firewall rule that allows only about 20 connections from each IP.
 
Hellbound
Long time Member
Topic Author
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Fri Feb 03, 2006 9:33 am

Thanks for the fast reply.
Any firewall rule sample, please?
 
normis
MikroTik Support
Posts: 26943
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Feb 03, 2006 9:36 am

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=10,32 action=drop
This will limit each IP to 10 connections.
There are some other examples.
 
n5ltc
Frequent Visitor
Posts: 55
Joined: Sun Jun 13, 2004 7:01 am
Location: Texas

Fri Feb 03, 2006 6:01 pm

In general, is it good to limit the number of connections from one IP to a certain amount? I know some HTTP sites create multiple connections at one time. Is there a good number to use? We have had issues with maybe a hundred connections at a time being generated by customers who happen to get infected with something, and it affects our overall wireless network operation.
 
Hugh Hartman
Frequent Visitor
Posts: 92
Joined: Fri May 28, 2004 2:01 pm
Location: Fort Kent, Maine

Fri Feb 03, 2006 6:31 pm

I use 80 without complaints, but started at 100 connections per IP.
 
n5ltc
Frequent Visitor
Posts: 55
Joined: Sun Jun 13, 2004 7:01 am
Location: Texas

Fri Feb 03, 2006 6:57 pm

Does this work the same in pre-2.9 versions?
 
Hugh Hartman
Frequent Visitor
Posts: 92
Joined: Fri May 28, 2004 2:01 pm
Location: Fort Kent, Maine

Fri Feb 03, 2006 7:10 pm

In v2.8.28 this is the rule I use:

/ip firewall rule forward add protocol=tcp tcp-options=syn-only connection-limit=80 action=drop
 
n5ltc
Frequent Visitor
Posts: 55
Joined: Sun Jun 13, 2004 7:01 am
Location: Texas

Fri Feb 03, 2006 7:16 pm

OK, just attempted this on a router. Here is the network topology on this particular network segment:

weeds --> narnia --> core router

On the narnia router, I have 6 ethernet ports. If I apply the rule above, is it not going to restrict the interface that has the backhaul to the weeds site to x number of connections, thus slowing that site down when it exceeds the x number of connections set in the rule? I am running PPPoE on weeds and narnia, so I can't just restrict the rule to a specific interface that an AP sits on, because then the PPPoE interfaces won't get restricted, and usually it is those customers that cause us problems. I could add <not weeds backhaul> to the rule, but my link to the core router is also going to get restricted to x number of connections. Am I reading this all wrong? Is the rule restricting by interface or by IP?
 
n5ltc
Frequent Visitor
Posts: 55
Joined: Sun Jun 13, 2004 7:01 am
Location: Texas

Fri Feb 03, 2006 7:30 pm

Oh wow! Just did this on another router and BOOM, got someone immediately with about 3 or 4 worms/viruses on their system.
 
Hugh Hartman
Frequent Visitor
Posts: 92
Joined: Fri May 28, 2004 2:01 pm
Location: Fort Kent, Maine

Fri Feb 03, 2006 7:32 pm

From Eugene in previous threads discussing connection limits:

Every computer can make no more than 80 TCP connections through the router.

I had problems with hundreds of connections; captured after using this rule, none exceeds the value 80.
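Pulling the thread together, the following is an added example (not posted by anyone in the thread and not MikroTik's own configuration) of a complete RouterOS 2.9 forward-chain filter that implements normis' advice above (an allowed-address list plus a per-source connection limit) and also answers n5ltc's interface question in the way Eugene's quote does: connection-limit=80,32 groups tracked connections by the source address masked to /32, so it caps each host individually, whichever ethernet port or PPPoE tunnel its packets arrive on; the backhaul link as a whole is not capped. The customer range 10.0.0.0/16, the list names customers and conn-abusers, the threshold of 80 and the one-hour timeout are assumptions chosen for illustration.

```routeros
# Added example, not from the thread. RouterOS 2.9 syntax.
# Assumed: customer hosts live in 10.0.0.0/16; adjust to your own range.
/ip firewall address-list
add list=customers address=10.0.0.0/16 comment="assumed: hosts allowed to forward traffic"

/ip firewall filter
# Established/related traffic is accepted first, so the SYN-only limit below is only
# evaluated for new connections and never interrupts sessions that are already open.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop

# connection-limit=80,32 matches when the packet's source address, masked to /32, already
# has more than 80 tracked connections. The grouping is by source address, not by
# in-interface, so a backhaul carrying many hosts is not capped as a whole; every host
# behind it gets its own 80. Writing 80,24 would cap each /24 as a block instead.
# add-src-to-address-list is non-terminating, so the offender is recorded (assumed 1h
# timeout) and the same SYN then falls through to the drop rule.
add chain=forward protocol=tcp tcp-flags=syn connection-limit=80,32 action=add-src-to-address-list address-list=conn-abusers address-list-timeout=1h comment="record hosts exceeding 80 TCP connections"
add chain=forward protocol=tcp tcp-flags=syn connection-limit=80,32 action=drop comment="drop new connections from hosts over the limit"

# Allow-list: only known customer addresses may forward; everything else is dropped,
# including the connections from non-existent source addresses described in the first post.
add chain=forward src-address-list=customers action=accept
add chain=forward action=drop comment="default deny for forward"
```

Keep the two limit rules above the accept for the customers list, otherwise allowed hosts bypass the limit entirely. The hosts that tripped it are visible with `/ip firewall address-list print where list=conn-abusers`, and `/ip firewall connection print` shows the per-host counts behind the numbers being discussed. On 2.8 the syntax differs; Hugh's `/ip firewall rule forward add ... tcp-options=syn-only connection-limit=80 action=drop` earlier in the thread is the form for that version.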