I am new to this forum but I have a big problem. I work for a company and we have different websites and other services hosted.
I own an RB1100AHx2. Last week we suffered a big DDoS attack, which was a DNS amplification attack. It consumed all my 30MB bandwidth and also my ISP's bandwidth. It was a 1-2GB/s attack. After this I am being DDoSed from all over the world on my webpage. I have tried all the online solutions for MikroTik to stop this DDoS but can't. I have >10000 unreplied connections even though I drop invalid packets. I have already configured SYN flood attack defense and DDoS attack defense on my firewall, but they are still able to make my site "service unavailable".
My setup, in short:
2 WANs, 1 LAN
All my servers are reachable from both WANs.
If anyone can help me with a complete bulletproof firewall I will be very thankful. I'm going crazy this last week.
My public IP, which is being DDoSed, is replaced with wan1.
I have exported it from the terminal. It's a bit messy, and some rules are disabled and the comments are wrong because I have been experimenting a lot these nights:
0 X ;;; Block dns
chain=input action=drop protocol=udp src-address-list=!DNS Server
dst-port=53
1 X chain=input action=jump jump-target=syn-flood protocol=tcp
dst-address=wan1
2 X chain=syn-flood action=accept connection-limit=32,32
3 X chain=syn-flood action=add-src-to-address-list tcp-flags="" protocol=tcp
src-address-list=!LAN address-list=Dos_flood address-list-timeout=1d30m
4 X chain=input action=drop protocol=tcp dst-address=wan1
src-address-list=Dos_flood dst-port=80
5 X chain=forward action=drop protocol=tcp dst-address=wan1
src-address-list=invalid dst-port=80
6 X chain=input action=drop protocol=tcp dst-address=wan1
src-address-list=Dos_flood dst-port=80
7 X chain=forward action=reject reject-with=icmp-network-unreachable
connection-state=invalid protocol=tcp src-address=192.168.1.235
src-port=80
8 X ;;; Block dns
chain=input action=drop protocol=tcp dst-address=wan1
src-address-list=ddoser2 dst-port=80
9 X ;;; Block dns
chain=input action=jump jump-target=block-ddos2 connection-state=new
dst-address=wan1 in-interface=Itiran 2
10 X ;;; Block dns
chain=block-ddos2 action=return connection-state=new limit=10,10
11 X ;;; Block dns
chain=block-ddos2 action=return src-address-list=LAN
12 X ;;; Block dns
chain=block-ddos2 action=add-src-to-address-list address-list=ddoser2
address-list-timeout=40m
13 X ;;; Block dns
chain=input action=add-src-to-address-list tcp-flags=syn protocol=tcp
address-list=Dos_flood address-list-timeout=30m in-interface=Itiran 2
connection-limit=100,32
14 X ;;; Block dns
chain=input action=drop src-address-list=Dos_flood in-interface=Itiran 2
15 X ;;; Bllokuar
chain=input action=jump jump-target=block-ddos tcp-flags=syn
connection-state=new protocol=tcp dst-port=80
16 X chain=input action=drop dst-address=wan1 src-address-list=ddoser
17 X chain=forward action=drop dst-address=wan1
src-address-list=ddoser
18 X chain=block-ddos action=return connection-state=new protocol=tcp
connection-limit=10,32
19 X chain=block-ddos action=return src-address-list=LAN
dst-limit=50,50,src-and-dst-addresses/1m40s
20 X chain=block-ddos action=add-dst-to-address-list address-list=ddosed
address-list-timeout=10h10m
21 X chain=block-ddos action=add-src-to-address-list address-list=ddoser
address-list-timeout=10h10m
22 chain=input action=drop connection-state=invalid
23 chain=input action=accept connection-state=established
24 chain=input action=accept connection-state=related
25 ;;; Accept Established
chain=forward action=drop connection-state=invalid
26 ;;; Block dns
chain=input action=add-src-to-address-list tcp-flags=syn
connection-state=new protocol=tcp address-list=blocksyn
address-list-timeout=30m connection-limit=5,24
27 ;;; Block dns
chain=input action=drop src-address-list=blocksyn
28 ;;; Block dns
chain=input action=tarpit protocol=tcp src-address-list=Black
29 ;;; Block dns
chain=input action=add-src-to-address-list protocol=tcp
address-list=Black address-list-timeout=23h30m connection-limit=10,32
30 ;;; Accept Established
chain=forward action=accept connection-state=established
31 ;;; Accept Related
chain=forward action=accept connection-state=related
32 ;;; Block dns
chain=input action=drop protocol=udp in-interface=Itiran 2 dst-port=53
33 ;;; Block dns
chain=input action=reject reject-with=icmp-network-unreachable
protocol=udp in-interface=Itiran 2 dst-port=80
34 ;;; Block dns
chain=input action=drop protocol=tcp in-interface=Itiran 2 dst-port=53
35 ;;; Block dns
chain=input action=drop protocol=udp in-interface=Primo dst-port=53
36 ;;; Block dns
chain=input action=drop protocol=tcp in-interface=Primo dst-port=53
37 X ;;; Block dns
chain=forward action=drop protocol=udp src-address-list=!Internet
dst-address-list=!DNS Server dst-port=53
38 X ;;; Block dns
chain=input action=drop protocol=udp src-address=23.0.0.0/8 dst-port=53
39 ;;; Reject Spammer
chain=forward action=drop protocol=tcp src-address-list=spammer
dst-port=25
40 ;;; Block dns
chain=input action=drop protocol=udp src-address-list=!DNS Server
in-interface=Itiran 2 src-port=53
41 ;;; Block dns
chain=forward action=drop protocol=udp dst-address-list=!DNS Server
out-interface=Itiran 2 dst-port=53
42 ;;; Conficker
chain=forward action=drop protocol=udp dst-port=135
43 ;;; Conficker
chain=forward action=drop protocol=tcp dst-port=135
44 ;;; Conficker
chain=forward action=drop protocol=tcp dst-port=4691
45 ;;; Conficker
chain=forward action=drop protocol=tcp dst-port=445
46 ;;; Conficker
chain=forward action=drop protocol=tcp dst-port=5933
47 ;;; Conficker
chain=forward action=drop protocol=tcp dst-port=139
48 ;;; Conficker
chain=forward action=drop protocol=udp dst-port=445
49 ;;; Conficker
chain=forward action=drop protocol=udp dst-port=138
50 ;;; Conficker
chain=forward action=drop protocol=udp dst-port=137
51 ;;; Detect SMTP virus spammer
chain=forward action=add-src-to-address-list protocol=tcp
src-address=!192.168.1.198 address-list=spammer address-list-timeout=1d
in-interface=LAN dst-port=25
52 X ;;; Bllokuar - Baste live
chain=forward action=drop protocol=tcp content=lottoalbania
53 X ;;; Baste live
chain=forward action=log protocol=tcp src-address=46.183.120.1
dst-port=23232 log-prefix="kom6"
54 X ;;; Baste live
chain=forward action=log src-address=192.168.1.194 out-interface=!LAN
log-prefix="xxxxxx"
55 X ;;; Detect SMTP virus spammer
chain=forward action=accept out-interface=ITIRANA
56 X ;;; Detect SMTP virus spammer
chain=forward action=accept out-interface=Primo
57 X ;;; Detect SMTP virus spammer
chain=forward action=drop
58 X ;;; Detect SMTP virus spammer
chain=forward action=log protocol=tcp src-address=192.168.1.83
log-prefix="VVVVVVV"
59 X ;;; Detect SMTP virus spammer
chain=forward action=log dst-address=192.168.1.253 log-prefix="aaaaaa"
60 X chain=forward action=drop protocol=tcp src-address=192.168.1.65
content=youtube
61 ;;; Hapur - Reject Spammer
chain=forward action=drop protocol=tcp src-address-list=Dos_flood
62 X ;;; Bllokuar - Reject Spammer
chain=forward action=drop protocol=udp src-address=188.138.96.47
dst-port=5060
63 X chain=forward action=log protocol=tcp in-interface=LAN dst-port=25
log-prefix="email"
64 ;;; fb
chain=forward action=drop protocol=tcp src-address-list=!Perjashtime
layer7-protocol=fb dst-port=80
65 ;;; fb
chain=forward action=drop protocol=tcp src-address-list=!Perjashtime
dst-address-list=fejsbuk
66 X ;;; Bllokuar - Ultra Surf Servers
chain=input action=drop protocol=tcp dst-address=91.210.138.162
src-address-list=UltraSurfServers in-interface=ITIRANA
67 X chain=input action=drop protocol=tcp dst-address=213.207.45.34
src-address-list=UltraSurfServers in-interface=Primo
68 X chain=output action=drop protocol=tcp src-address=91.210.138.162
dst-address-list=UltraSurfServers out-interface=ITIRANA
69 X chain=output action=drop protocol=tcp src-address=213.207.45.34
dst-address-list=UltraSurfServers out-interface=Primo
70 X ;;; ultrasurf
chain=forward action=drop protocol=tcp src-address-list=UltraSurfUsers
71 X ;;; drop proxy
chain=forward action=drop protocol=tcp src-address-list=UltraSurfUsers
dst-address-list=UltraSurfProxies
72 ;;; Drop FTP
chain=input action=drop protocol=tcp src-address-list=!LAN dst-port=21
73 ;;; Drop SSH
chain=input action=drop protocol=tcp src-address-list=!LAN dst-port=22
74 ;;; Drop Telnet
chain=input action=drop protocol=tcp src-address-list=!LAN dst-port=23
75 ;;; Shto FTP Src
chain=input action=add-src-to-address-list protocol=tcp
src-address-list=!LAN address-list=ftp_blacklist address-list-timeout=2d
dst-port=21
76 ;;; Shto SSH Src
chain=input action=add-src-to-address-list protocol=tcp
src-address-list=!LAN address-list=ssh_blacklist address-list-timeout=2d
dst-port=22
77 ;;; Shto telnet Src
chain=input action=add-src-to-address-list protocol=tcp
src-address-list=!LAN address-list=telnet_blacklist
address-list-timeout=2d dst-port=23
78 ;;; Hapur - Port scanners list
chain=forward action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
src-address-list=!LAN address-list=port_scanners address-list-timeout=2d
79 ;;; NMAP FIN Stealth Scan
chain=forward action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
src-address-list=!LAN address-list=port_scanners address-list-timeout=2w
80 ;;; FIN/PSH/URG scan
chain=forward action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp src-address-list=!LAN
address-list=port_scanners address-list-timeout=2w
81 ;;; NMAP NULL Scan
chain=forward action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
src-address-list=!LAN address-list=port_scanners address-list-timeout=2w
82 ;;; Drop Dos list
chain=input action=tarpit protocol=tcp src-address-list=Dos_flood
connection-limit=3,32
83 ;;; Shto Dos Host
chain=input action=add-src-to-address-list protocol=tcp
src-address-list=!LAN address-list=Dos_flood address-list-timeout=1d
connection-limit=200,32
84 ;;; Drop Port scaners
chain=forward action=drop src-address-list=port_scanners
85 ;;; Drop Viruses
chain=forward action=drop protocol=tcp dst-port=135-139
86 chain=forward action=drop protocol=udp dst-port=135-139
87 chain=forward action=drop protocol=tcp dst-port=444
88 chain=forward action=drop protocol=udp dst-port=444
89 chain=forward action=drop protocol=tcp dst-port=996-999
90 chain=forward action=drop protocol=udp dst-port=996-999
91 chain=forward action=drop protocol=tcp dst-port=3127
92 chain=forward action=drop protocol=tcp dst-port=3129-3149
93 chain=forward action=drop protocol=udp dst-port=3127-3149
94 chain=forward action=drop protocol=tcp dst-port=445
95 chain=forward action=drop protocol=udp dst-port=445
96 chain=forward action=drop protocol=tcp dst-port=1434
97 chain=forward action=drop protocol=udp dst-port=1434
98 chain=forward action=drop protocol=tcp dst-port=113
99 chain=forward action=drop protocol=udp dst-port=80
100 ;;; conficker A/B
chain=input action=drop protocol=tcp layer7-protocol=conficker A
dst-port=80
101 chain=input action=drop protocol=tcp layer7-protocol=conficker B
dst-port=80
102 ;;; conficker A/B
chain=forward action=drop protocol=tcp layer7-protocol=conficker A
dst-port=80
103 chain=forward action=drop protocol=tcp layer7-protocol=conficker B
dst-port=80
104 ;;; NetBEUI
chain=forward action=drop protocol=tcp dst-port=445
105 chain=forward action=drop protocol=udp dst-port=137-139
106 chain=input action=drop protocol=udp layer7-protocol=conficker A
dst-port=137-139
107 chain=input action=drop protocol=udp layer7-protocol=conficker B
dst-port=137-139
108 ;;; conficker A/B
chain=output action=drop protocol=tcp layer7-protocol=conficker A
dst-port=80
109 chain=output action=drop protocol=tcp layer7-protocol=conficker B
dst-port=80
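As an added example (not from the post and not MikroTik's own tooling), a Python script that rebuilds the wrapped rules from a `/ip firewall filter print` export in the layout pasted above and then audits one thing a reviewer looks for first in such a ruleset: address lists that enabled rules keep populating but that no enabled rule ever matches on, and lists that are matched but never populated by any rule. SAMPLE is a constructed excerpt of a few of the rules above; the parse and check functions are this example's own.

```python
import re

# Constructed excerpt in the layout of the post's /ip firewall filter print
# output: "<n> [X] [;;; comment]", then key=value pairs wrapped over lines
# (X marks a disabled rule; values such as "Itiran 2" contain spaces).
SAMPLE = """\
4 X chain=input action=drop protocol=tcp dst-address=wan1
src-address-list=Dos_flood dst-port=80
40 ;;; Block dns
chain=input action=drop protocol=udp src-address-list=!DNS Server
in-interface=Itiran 2 src-port=53
75 ;;; Shto FTP Src
chain=input action=add-src-to-address-list protocol=tcp
src-address-list=!LAN address-list=ftp_blacklist address-list-timeout=2d
dst-port=21
82 ;;; Drop Dos list
chain=input action=tarpit protocol=tcp src-address-list=Dos_flood
connection-limit=3,32
83 ;;; Shto Dos Host
chain=input action=add-src-to-address-list protocol=tcp
src-address-list=!LAN address-list=Dos_flood address-list-timeout=1d
connection-limit=200,32
"""
HEADER = re.compile(r"^(\d+)\s*(X)?\s*(?:;;;\s*(.*)|(.*))$")

def parse_rules(text):
    """Rebuild each wrapped rule into a dict of its key=value matchers."""
    rules = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            idx, flag, comment, rest = m.groups()
            rules.append({"index": int(idx), "disabled": flag == "X",
                          "comment": comment, "_text": rest or ""})
        elif rules:
            rules[-1]["_text"] += " " + line
    for r in rules:
        # split only in front of the next key=, so values keep their spaces
        for pair in re.split(r"\s+(?=[a-z0-9-]+=)", r.pop("_text").strip()):
            key, _, value = pair.partition("=")
            r[key] = value.strip('"')
    return rules

def address_list_gaps(rules):
    """Lists that enabled rules populate but never match, and vice versa."""
    live = [r for r in rules if not r["disabled"]]
    populated = {r["address-list"] for r in live if "address-list" in r}
    matched = {r[k].lstrip("!") for r in live
               for k in ("src-address-list", "dst-address-list") if k in r}
    return sorted(populated - matched), sorted(matched - populated)
```

On the excerpt it reports ftp_blacklist as collected by rule 75 but never consulted by any rule, while "DNS Server" and LAN are matched without being populated by a rule (expected for static lists). Run over the full export, the same check also flags the ssh_blacklist, telnet_blacklist and ddosed lists as collected but never used.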