By this I assume you mean what is referred to in this post - http://forum.mikrotik.com/viewtopic.php ... 50#p463532 which refer's to this code:Nice. What about to drop in raw table according to the blacklist while an attacking ip address was identified by firewall rules and put on the list?
/ip firewall filter
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=ddosed new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser
/ip route
add distance=1 routing-mark=ddoser-route-mark type=blackhole
While I agree that having lots of "/ip firewall filter" entries will slow your router down (CPU has to go through each rule in sequence), using an address-list should consolidate a lot of blocked IPs into one firewall rule. I believe address-list is implemented as the Linux kernel's IPSET feature for iptables, and so it will work in pretty much the same amount of time even if there are thousands of entries in the list (it's more like a hash-table than a linear list).Firewalling can be bad mmmkay
Firewalling is great and everyone should use it, but try to do this as close to the edge (as close to the customer / server) of your network as possible.
Do not firewall on your border routers (your routers between your network and the internet) unless you absolutely have to (eg: NAT).
When making a decision to firewall, expect there to be a throughput impact in high packet-per-second (pps) attacks.
The more firewall rules you have, the more you affect the throughput.This is because every packet has to be matched against the firewall rules until one condition is met.
100% correct. I'm more illistrating that the moment firewalling is involved in anyway with the border router, it will cause CPU load under attack as all the packets still need to be filtered.While I agree that having lots of "/ip firewall filter" entries will slow your router down (CPU has to go through each rule in sequence), using an address-list should consolidate a lot of blocked IPs into one firewall rule. I believe address-list is implemented as the Linux kernel's IPSET feature for iptables, and so it will work in pretty much the same amount of time even if there are thousands of entries in the list (it's more like a hash-table than a linear list).
Ah yes I see what you mean, I did another test with running the hping3 on a 3 minute test and took a graph from the network switch.No. I do not refer to mangling in prerouting and dropping connection by marks but to direct packet drop in raw firewall table without any other interactions.
Do you not lose fastpath by doing this though?We have no problem blocking traffic at our provider edge using this technique. I gave a talk about this at the UK MUM yesterday, actually. We use an /ip route rule, packet marking in /ip firewall mangle, and an /ip firewall address-list to move abusive traffic away from our customers and to special VMs which are honeypots. However, if you just want to block traffic, it'd be fine to use a filter instead of /ip firewall mangle.
Just to be sure I've tested a few different attack variations with the initial tests being syn flood attacks.Hard data prooves... I have expected better results. Good job.
Yes, but in our use case that isn't something I'm worried about. I need to use an address-list (so lose fastpath) so that I can redirect abusive traffic:Do you not lose fastpath by doing this though?
We had a similar use case on our side, but a slightly different approach (as we don't want to lose fastpath).Yes, but in our use case that isn't something I'm worried about. I need to use an address-list (so lose fastpath) so that I can redirect abusive traffic:Do you not lose fastpath by doing this though?
1) to display a "stop typing your password wrong!" message to customers failing to log themselves in to websites or whatever
2) to direct hacking traffic away from customer servers
3) to take the attack traffic to our honeypot for further analysis so that we can see what things they're scanning for (to make more rules to detect them, etc)
Ah interesting. How does the Wanguard get the traffic in the first place to determine what is an attack? Is it working off NetFlow/IPFIX data? Or is it connected to a mirror port or something?2 & 3 - We do this using Wanguard. It detects the hacking / attack traffic and informs the filter (honeypot in your case) to inject a route into the mikrotik to redirect this traffic to itself where it can be captured for analysis. This is also filtered and the clean traffic can then be injected back into the network.
It supports both Flow Sensors or Packet Sensor. We use the Packet Sensor (create a mirror port on your switch) as it can pick up an attack in less than 1 second.Ah interesting. How does the Wanguard get the traffic in the first place to determine what is an attack? Is it working off NetFlow/IPFIX data? Or is it connected to a mirror port or something?
You can still use these, just have them trigger a script that speaks to the mikrotik API, for example:In our case, our main abuse detection - besides fastnetmon etc - is because the end servers are running some inspection (e.g. mod_security, fail2ban, etc).
Oh, our fail2ban/etc boxes don't have access to the edge routers' API. They send attack information to a process we run which stores IP reputation data, and that decides whether to block addresses at the edge. It does that with an address-list entry, with an appropriate timer. Again, like yours, we block for longer periods of time for longer attacks. And our code expands the blocked range from a /32 gradually up towards a /24 if neighbouring IPs are implicated or are attacking other hosts in our network.You can still use these, just have them trigger a script that speaks to the mikrotik API, for example:
# /usr/bin/blackhole.php <attacker ip> <time>
It calls the mikrotik api and stores this in a db or flat file.
then have a cron that runs every minute that looks in the db / flat file for items which are "expired" and calls a script to remove the blackhole from the CCR.
Two different people debating different approaches.Can you please share the code for this source based blackhole? From above I can see that I have to packet mark so filter is still involved?!
For the mikrotik, enable RP Filter under IP => Settings (set to loose)Can you please share the code for this source based blackhole? From above I can see that I have to packet mark so filter is still involved?!
/ip route
add distance=1 dst-address=<source address> type=blackhole
With RP Filter set to loose it should. Loose RP Filter checks the packet and forwards it if there is a route entry for the source IP of the incoming packet in the router FIB. This includes a default route or any route you have learned via BGP. If however an entry for the source ip points to blackhole, the Reverse Path Forwarding (RPF) check fails, and the packet is dropped.I think the last question I have about this for Murmaider is:
Will your RP-based blackhole approach work where there are multiple valid routes (learned by BGP) to external addresses, but only one is "active" in the RouterOS routing table?
Ahhhh, that's the bit I didn't grok. I'd only ever encountered reverse path filtering in a strict sense as part of a poor-man's BCP38. Ok, that's interesting.With RP Filter set to loose it should.
Oh, so is there an easy way to do this for all IPs in a address-list without using mangle/filter/etc before?Source address can be an individual ip or a network range.
To use the address list, the interface has to accept the packet first in order to mangle it (by using the firewall).Oh, so is there an easy way to do this for all IPs in a address-list without using mangle/filter/etc before?Source address can be an individual ip or a network range.
/ip route
add distance=1 dst-address=192.168.1.10 type=blackhole
/ip route
add distance=1 dst-address=192.168.1.0/24 type=blackhole
When this is so efficient then it is may interesting to transparent for the users to use a different screen to input this. Since short we have the RAW option that should be more efficient but is not that much of a difference.
So a user could enter this in the RAW section and an added "action" would be "blackhole" and when "blackhole" is selected then a route is added to the routing lines.
When a RAW line is changed, with action "blackhole", the route is changed accordingly. If a change is so that setting that routing is not a solution any more then the line in routing is removed and only the RAW rule will be present and used this will also be the case if the cation is changed to something else than "blackhole".
Now the problem is when a user is going to edit directly in the routing section which interferes with the settings in RAW. Proposal is that the routing line is show in routing but can't be changed in any way on the routing page. The comment is beginning with "RAW filter: " followed by the found text that the user has entered or not in the RAW section. It would also be preferable that the letters in that line is not black but gray to indicate a deferred rule.
That would be a wet dream and maybe start a bit more down to earth and have a list supplied by IntrusDave: http://forum.mikrotik.com/viewtopic.php?f=9&t=98804When this is so efficient then it is may interesting to transparent for the users to use a different screen to input this. Since short we have the RAW option that should be more efficient but is not that much of a difference.
.
.
.....the problem is when a user is going to edit directly in the routing section which interferes with the settings in RAW. Proposal is that the routing line is show in routing but can't be changed in any way on the routing page. The comment is beginning with "RAW filter: " followed by the found text that the user has entered or not in the RAW section. It would also be preferable that the letters in that line is not black but gray to indicate a deferred rule.
You could simplify this by setting up a box running exabgp or quagga and have a BGP connection to the mikrotik(s).
setup a BGP community of say 666:666 and set the type to blackhole.
Then you can push these blackhole routes or retract them from all your border/edge routers from a central point.
When this is so efficient then it is may interesting to transparent for the users to use a different screen to input this. Since short we have the RAW option that should be more efficient but is not that much of a difference.
So a user could enter this in the RAW section and an added "action" would be "blackhole" and when "blackhole" is selected then a route is added to the routing lines.
When a RAW line is changed, with action "blackhole", the route is changed accordingly. If a change is so that setting that routing is not a solution any more then the line in routing is removed and only the RAW rule will be present and used this will also be the case if the cation is changed to something else than "blackhole".
Now the problem is when a user is going to edit directly in the routing section which interferes with the settings in RAW. Proposal is that the routing line is show in routing but can't be changed in any way on the routing page. The comment is beginning with "RAW filter: " followed by the found text that the user has entered or not in the RAW section. It would also be preferable that the letters in that line is not black but gray to indicate a deferred rule.
You could simplify this by setting up a box running exabgp or quagga and have a BGP connection to the mikrotik(s).
setup a BGP community of say 666:666 and set the type to blackhole.
Then you can push these blackhole routes or retract them from all your border/edge routers from a central point.
Hi,Hello,
can you help me?
Fastnetmon identifies the attacked IP, but I can not get exabgp to advertise to mikrotik.
/ip firewall filter
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=ddosed new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser
/ip route
add distance=1 routing-mark=ddoser-route-mark type=blackhole
These rules yield the same result as a normal firewall DROP rule. Every packet still needs to be inspected by the firewall before marking them to be blackholed, even after the address exists on the ddoser and ddosed list.Can someone post the complete rules for fighting DDoS using "blackhole" ?
The rules below are ok ? Smb was saying there should be any mangle rule so it work better.
Code: Select all/ip firewall filter add action=jump chain=forward connection-state=new jump-target=detect-ddos add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos /ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=ddosed new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser /ip route add distance=1 routing-mark=ddoser-route-mark type=blackhole
Hi mrz,I would suggest to use raw firewall rules to drop DDOS packets.
I'm not sure how you are getting the 30% faster...It was meant for an example few posts above, drop in RAW will be significantly faster than routing marks and connection marks.
Even in your test compared 18% to 14% it is roughly 30% faster, which is exactly how RAW was advertised and it does not overload connection tracking.
Of course blackhole is fastest one and more preferred, there is no argue about that.
Could you please share the rules without using the firewall? Thank youThese rules yield the same result as a normal firewall DROP rule. Every packet still needs to be inspected by the firewall before marking them to be blackholed, even after the address exists on the ddoser and ddosed list.
Blackhole should be quicker, I don't think you taking reverse path filtering ( RP Filter ) set to loose into account. When a route is blackholed and RPF is set to loose, RP Filter checks the packet,if the route entry points to blackhole, the Reverse Path Forwarding (RPF) check fails, and the packet is dropped. It's my understanding that this happens before any route decissions are made (be it blackhole or forward). This should drop far more than 4.1mpps.@Murmaider there seems to be some flaw in your tests.
Lets make a real load on the router
CCR1072 with 10G link DDOS attack from x.0.0.0/8 different addresses 64byte packet size
Attack to routers address (connected route no firewall) = 1.01Mil pps with 100% CPU load
Blackhole route = 1.6Milion pps with 100% CPU load
RAW rule with action no-track = 1Mil pps with 100% CPU load (this just indicates how fast RAW actually is when packet is not sent to connection tracking)
RAW rule action drop = 4.1mil pps with 100% CPU load
1 mangle rule to accept all traffic in prerouting = 94000 pps with 100% CPU load
So according to test it turns out that RAW drop is actually more than twice faster than blackhole.
RP filter in this case doesn't make any difference. But route cache does.
With disabled route cache:
blackhole = 4.45Mil pps
raw drop = 4.2Mil pps
Interesting, any idea why in my test and video the CPU usage drops to 0% with the blackhole + RP Filter, but with raw the CPU stays at 14% ?100% CPU in all tests.
Route cache is just an additional load on CPU. Whenever new packet arrives, it goes through route cache table to find matching hash, if there is no match new src/dst hash entry is generated.
I am not sure if your test is correct. If you are getting DDoSed you cannot stop the incoming packets from reaching the router regardless of how you drop them (firewall, blackhole, whatever) on the router itself. The only real way of blocking the attack is before it reaches you. ie: you should block the attack upstream (usually using BGP community blackholing) or employ an anti DDoS technology which can identify the attack flows and blackhole them (again in upstream) leaving the legit flows pass through.Interesting, any idea why in my test and video the CPU usage drops to 0% with the blackhole + RP Filter, but with raw the CPU stays at 14% ?
I agree that in a massive DDoS, your uplink is still going to get saturated and blackholing upstream or external mitigation is the winner for this, the topic at hand is more about firewall drop vs RP Filter blackhole and whether or not sourc-based blackholing is more efficient than firewall drop.I am not sure if your test is correct. If you are getting DDoSed you cannot stop the incoming packets from reaching the router regardless of how you drop them (firewall, blackhole, whatever) on the router itself. The only real way of blocking the attack is before it reaches you. ie: you should block the attack upstream (usually using BGP community blackholing) or employ an anti DDoS technology which can identify the attack flows and blackhole them (again in upstream) leaving the legit flows pass through.Interesting, any idea why in my test and video the CPU usage drops to 0% with the blackhole + RP Filter, but with raw the CPU stays at 14% ?
I know why it takes a while before the "mitigation" kicks in and this is mostly likely because of the route cache, the blackhole route does not become active immediately.What you are showing in your video is the attack stopping altogether a little after you enable the blackhole route. Which doesn't make sense.
The router should have still received the attack packets but simply not forward them anywhere as with firewall method.
Just to make sure I tried to recreate your test on my lab and I couldn't repeat the behavior shown in your video.
When I enable the blackhole route the attack stops being forwarded but the packets still reach the router before being dropped.
What I suspect (and I may be wrong!) is happening in your video is once you enable the blackhole route, when the ARP entry on your attack machine expires, it tries to send a new arp broadcast to find out which mac address has the IP you are sending packets to and since the router cannot send packets to the source IP, your attack box never receives the arp reply and effectively cannot send the traffic anywhere thus your router stops receiving any attack packets. But this is not a real world scenario of course.
Blocking the source-ip's isn't difficult, software like wanguard and many others do this out the box and pushes the ip's to exabgp which you just feed into mikrotik.Regardless, I don't think it's a viable option for a true DDoS attack. On the one hand it's more likely your uplink will get congested even before the packets reach the router (ie: you have 10gbit uplink but the attack is 15gbit, so even if you drop them one way or another, nothing changes really since it's your physical medium that's congested not only the router).
On the other hand how will you automatically block thousands of IPs (which is usually the case in a true DDoS attack)? How will you classify which source IP is bad and which is good?
Personally I've settled on Fastnetmon and BGP community blackholing on my upstreams.
Sure, it will block the IP being attacked but at least the rest of my network will not be affected. Most datacenters nowadays use this method to automatically block incoming attacks. And some datacenters are beginning to deploy more complete solutions like Arbor to scrub the attack traffic and only let the legit traffic pass through. But Arbor is extremely expensive...
Attacker VM <--> CHR <--> Victim VM
hping3 -d 64 -2 -p 53 --flood 192.168.2.2
/ip settings set rp-filter=loose
add bgp-communities=666:666 distance=1 dst-address=192.168.1.0/24 type=blackhole
Then why are you here?I think what this post really says is DON'T USE A MIKROTIK FOR FIREWALLING.
Do you have any solution ?Then why are you here?I think what this post really says is DON'T USE A MIKROTIK FOR FIREWALLING.
Honestly, we migrating all our hardware to supermicro Embedded superservers running 6wind turbo gate. Their dpdk implementation is just on a whole other level and stands up in a ddos like a beast, their bgp flowspec paired with wanguard bats ddos like a champ.Then why are you here?I think what this post really says is DON'T USE A MIKROTIK FOR FIREWALLING.
Do you have any solution ?