Hi i have CCR1036 and my router cant stay under attack and reboot when one of my ips recive about for example 10-50mbit bandwitdh Ddos mean on one ip connect to many connection and packet then my mikrotik reboot or full Cpu and cant access it i need a way to fix this i dont know why this hardware should down under 10-50mbit ddos.

And is any way to detect hping3 ddos?

Thanks

Look at Profile!! Which service is using resources! There is no way that your CCR struck on 10-15Mbps! Impossible! It can handle lot more!! Try newest version! Seems like a bug or hardware problem to me!
Make fillter in firewall - limit connections to one IP! Search for - prevent DDOS in this forum - plenty info for that!

Does your log show this command on profiles?

If your router can't stand up to a simple packet flood then you probably have too many complex firewall rules.

Look at Profile!! Which service is using resources! There is no way that your CCR struck on 10-15Mbps! Impossible! It can handle lot more!! Try newest version! Seems like a bug or hardware problem to me!
Make fillter in firewall - limit connections to one IP! Search for - prevent DDOS in this forum - plenty info for that!

profile show firewall use 100% cpu and restart my router
i have block my ip with recive ddos see packets

Does your log show this command on profiles?

Code: Select all

hping3 --flood <ip>

no i didnt see this on my logs

If your router can't stand up to a simple packet flood then you probably have too many complex firewall rules.

I just have a two firewall rules, one block icmp and other block one ip on my network

are you allowing remote dns requests

are you allowing remote dns requests

no i didnt allow it

You need to remember that the default action for MikroTik firewall is Accept. If you do not put a Drop All rule at the bottom of each firewall chain, your router will Accept all packets that hit that chain. This is a HUGE oversight from MikroTik in terms of security, but easily correctable. You need to explicitly allow traffic that you want and Drop everything else.

You need to remember that the default action for MikroTik firewall is Accept. If you do not put a Drop All rule at the bottom of each firewall chain, your router will Accept all packets that hit that chain. This is a HUGE oversight from MikroTik in terms of security, but easily correctable. You need to explicitly allow traffic that you want and Drop everything else.

i cant do this i have many users on this network and i cant allow one of my trafik and drop others

Mpreissner isn't suggesting that, but by denying "new" connections on WAN's input chain, for example, will save you a world of pain. If you allow the WAN port to reply to dns requests, you're vulnerable.

Sent from my cell phone via Tapatalk. Sorry for the errors.

I agree protecting your router from input attacks directly to the router is important.