Community discussions

MikroTik App
 
miklover
just joined
Topic Author
Posts: 4
Joined: Wed Dec 12, 2012 10:57 am

smart protection

Mon May 13, 2013 1:35 pm

Hi there,

I faced a challenge to set up a working filter set (firewall) in a RouterOS device so to protect internal WebService infrastructure in a smart and intelligent fashion. The setup is as follows: We have an internal WebService behind RB1100AHx2 version 5.25, which provides sensitive information like prices and discounts of items and products to external requests. The problem is that such services are regularly exploited by sending a lot of requests and big batch queries which are capable of drawing valuable information from the internal database or cause complete failure of the serving system (DoS in our case the WebService). What is to my mind is first limiting the requests per second or minute to the WebService, second I need to limit the maximum amount of data drawn and requested per second/minute to avoid downloading more info than "normally" is necessary, also I need to limit the maximum connections from one IP to the WebService, and last but not the least I have to count up the bytes transferred (I/O) to requesting clients so to cool down a bit the "heavy" users. Any other best practices in this context are most welcome.

Any suggestions and guidance will be greatly appreciated!
 
barkas
Member Candidate
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

AW: smart protection

Tue May 14, 2013 9:59 am

I don't think mikrotik is the device for that.

Gesendet von meinem XT890 mit Tapatalk 2
 
miklover
just joined
Topic Author
Posts: 4
Joined: Wed Dec 12, 2012 10:57 am

Re: AW: smart protection

Tue May 14, 2013 12:30 pm

I don't think mikrotik is the device for that.

Gesendet von meinem XT890 mit Tapatalk 2
You are right to big extent. However, I am not trying to replace some super-dooper expensive Web Application firewall with Mikrotik device which serves different purpose in a brilliant way, but only to take advantage of the advanced features in the filter settings which I believe could do quite a good job. Frankly, my problem is that not all options are pretty clear to me and want to know only those that would solve my case without going through all the "trial and error" process.

Thanks for the answer.
 
SwissWISP
Member Candidate
Member Candidate
Posts: 186
Joined: Fri Sep 23, 2011 12:16 pm

Re: smart protection

Tue May 14, 2013 12:44 pm

To limit the connections per IP, you could use the "Connection Limit" feature in the firewall.
 
Feklar
Forum Guru
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: smart protection

Tue May 14, 2013 7:28 pm

You could play around with the connection values in the firewall filter. It would require experimentation to figure out what works best and will fit the needs.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
connection-bytes (integer-integer; Default: ) Matches packets only if a given amount of bytes has been transfered through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection

connection-limit (integer,netmask; Default: ) Restrict connection limit per address or address block

connection-rate (Integer 0..4294967295; Default: ) Connection Rate is a firewall matcher that allow to capture traffic based on present speed of the connection.

dst-limit (integer,time,integer,dst-address | dst-port | src-address, time; Default: ) Matches packets within given pps limit. As opposed to the limit matcher, every destination IP address / destination port has it's own limit. Parameters are written in following format: count,time,burst,mode,expire.

count - maximum average packet rate measured in packets per time interval
time - specifies the time interval in which the packet rate is measured
burst - number of packets which are not counted by packet rate
mode - the classifier for packet rate limiting
expire - specifies interval after which recored ip address /port will be deleted
 
coffeecoco
Member Candidate
Member Candidate
Posts: 174
Joined: Wed Oct 12, 2005 1:17 pm

Re: smart protection

Wed May 15, 2013 10:56 am

you can get alot of smarts in radius IE radiusmanager can control burst monthly usage logs the usage
go down that track

set the other fiddly bits on the ros probly gobally
 
miklover
just joined
Topic Author
Posts: 4
Joined: Wed Dec 12, 2012 10:57 am

Re: smart protection

Wed May 15, 2013 8:06 pm

Thank you very much, guys, for shedding some light on this complicated subject and for the priceless ideas. Really appreciate it !

Who is online

Users browsing this forum: loloski and 24 guests