[feature request] Blocking a special kind of DDoS

msatter · Mon Oct 14, 2019 5:01 am

I have since a few months a problem start address ranges are DDOS at a rate between 10K and 15K a hour. The current version Destination Limiting does not work because ranges of source addresses are use. Luckily the are all in the same 24 range or blocks of 24 ranges.

It would be great if Dst. Limit if it also could not look at one source address and remember that, but also at set range of 24 if chosen in that rule. When adding, if triggered,to a addresslist then add a /24 range like 1.2.3.0/24 and I think it would the best if only /24 ranges could be used or smaller.

This is how that address distribution looks for real and here I have xx.xx.116.0/24 xx.xx.117.0/24 xx.xx.118.0/24

ddosspread.JPG

msatter · Mon Oct 14, 2019 11:01 am

The attack is still going and it I am now at 62K requests in several hours.

Now I can sit and checking the log several times a day to enter a few /24 ranges to block also the next one.

Does anyone knows how I can block this kind of attacks by means given in RouterOS?

dmitris · Mon Oct 14, 2019 1:15 pm

Try this one..

viewtopic.php?f=2&t=54607&p=571073#p571073

R1CH · Mon Oct 14, 2019 1:33 pm

Is this targeting the router or a service behind the router? If the router, such requests should just be DROP with basic firewall, nothing special needed. If its a service behind the router, then that service should enable syncookies as syn flood is easily countered these days.

msatter · Mon Oct 14, 2019 1:43 pm

Thank dmitris and I had in the past read this thread and the conclusion several time.

I looked at the log and noticed that the packet have a small size of 40 and I just filter now on that size of between zero and 40, directed at port 80 and being a sync packet. This is a workaround and rather have the opportunity to recognize and block this kind of 'grouped-hydra' attack.

This workaround works better than the now available dst-limit because normal traffic does not suffer because of dropping those packet and the connection still works for that traffic.

KISTech · Mon Oct 14, 2019 7:52 pm

I just recently noticed I'm getting the same attacks from the same IP ranges, though not at the same volume you are.

What I did was just add the /24 to an address list (currently named "DDoS Attackers")
with no timeout and then drop any packets coming from anything in that list.

If the packets are TCP instead of drop you can tarpit them to slow them down.

msatter · Tue Oct 15, 2019 1:14 am

I have the impression that only sync packets are send and any packets sent back are ignored. Tarpit is not working then.

I drop in RAW so nothing enters the connection table.

Being able to add also in /24 ranges would really modernize dst-limit and when given a range any /32 are ignored so that 'normal' traffic is allowed trough. That can be examed in a other dst-limit line.

This way I don't have to manually create a address-list and the 40 bytes packet I now use have disavantages.

Update:I have made a line to generate a /24 address and with two lists I could make the final list.

local address1 1.2.3.4;local address2 ($address&255.255.255.0); :put ("$address2"."/24");

List one collects DDoS IP, list two contains the converted /24 addresses and list three contains the active DDoS. List two is most difficult and how to recognize /32 only.

Update:

if start-address <> address+i then if ($address+i in (($start-address&255.255.255.0)."/24") then add to list two
when added to list two then clear all addresses in list one matching (($start-address&255.255.255.0)."/24")

Now I have make a script to read the the address list, top-down, and clear list one when ready. And repeat that lets say every 60 seconds.

Any help is welcome.

Update: removing from list-1

/ip firewall address-list remove [find where list=list-1 && address in 1.2.3.0/24];

Counting the occurences of /24 in addresslist:

:local count 0; :foreach i in=[/ip firewall address-list find where list=list-1 address in 1.2.3.0/24] do={ :set count ($count + 1)}; :put $count;

msatter · Tue Oct 15, 2019 9:40 pm

And the complete script:

# Version 1.01-20191015
# Move ip-ranges  to address-lists and delete obsolete IP addresses
# Warning: only collect external addresses coming in on the WAN

/ip firewall address-list
:foreach b in=[find where list="list-1"] do={:set $lastAddress [get value-name=address number=$b] };

# convert last added address in list-1 to ip range
:local ipRange (($lastAddress&255.255.255.0)."/24")
:local countRange 0;

:foreach c in=[/ip firewall address-list find where list=list-1 address in $ipRange] do={ :set countRange ($countRange + 1)};

:if ($countRange > 5) do={/ip firewall address-list add address=$ipRange list=list-2; :log warning "$ipRange range added to list-2" } else={ /ip firewall address-list remove [find address=$lastAddress]};

:if ($countRange = 1) do={:log warning "$lastAddress IP removed from list-1"};

:if ($countRange > 5) do={/ip firewall address-list remove [find where list=list-1 && address in $ipRange] };

Still to do some cleanup and optimizing......

msatter · Wed Oct 16, 2019 12:57 pm

This morning the reconnaissance scan came along to see if I was ready for more DDoS-ing.

RangeTest.JPG

This reconnaissance scan would not be caught by the script nor by the any other DDoS detector. A modern dst-limit would detect this and if I would put any address coming in on port 80 on list one. I have now set moving any addresses to list-1 as I get a burst of three (an attack).

I run the script every minute using scheduler.

Update: it seems that each reconnaissance is followed directly by a stream of tries to enter through a other IP address.

The reconnaissance is coming from IP range 185 84 16 0 22 and the following IP is 151 5 165 10 no dots and forward slash used here.

https://tinyurl.com/yy6slnrr

msatter · Thu Oct 17, 2019 6:23 pm

SUCCESS!!!

The script caught his first two address ranges trying to DDoS my router.

It is now fully automatic and I only have to check if was correct in doing so.

Tonight an other 17 ranges got caught.

eXS · Fri Oct 18, 2019 6:00 am

It would be handy if 'add src to address list' could optionally convert it to a /24 (or whatever), i have 15k+ address book at the moment.

msatter · Sat Oct 19, 2019 12:01 am

It would be handy if 'add src to address list' could optionally convert it to a /24 (or whatever), i have 15k+ address book at the moment.

I am now thinking more at a new Extra besides Limit and Dst-limit because that would be cleaner. Your list is huge and this script just takes the last added IP and this is scheduled every minute. This ideal for building.

When looking at the ranges caught tonight I could condense those from 17 ranges to 7 larger ranges.

msatter · Sat Oct 26, 2019 12:45 pm

I have updated the script so that is a bit more efficient.

This script can be running for a while and how do I avoid that is started a second time by the scheduler for the next run. Manual scripts I can see in /system script job but Schedulers does not have a Jobs part and when running it does not have a name under Script. An option is to make a special user and that I can see.

## change to address-lists
/ip firewall address-list

## Loops through the address-list till all entries are handled
:foreach b in=[find where list="list-1"] do={:set $firstAddress [get value-name=address number=$b] 

    ## convert address in list to ip range of /24
    :local ipRange (($firstAddress&255.255.255.0)."/24")

    ## resets the counter
    :local countRange 0;

    ## Counts how many addresses are in the range 
    :foreach c in=[find where list=list-1 address in $ipRange] do={ :set countRange ($countRange + 1)};

   ## If more than five times the same address range is in the list then add to blocklist else remove the used range from the list.
   :if ($countRange > 5) do={add address=$ipRange list=list-2; ; remove [find where list=list-1 && address in $ipRange] ; \
   :log warning "$ipRange range added to list-2" } else={remove [find where list=list-1 && address in $ipRange]};

};

msatter · Sun Oct 27, 2019 12:25 am

So using a other user to detect if the script was already running did not work. You have the chicken and egg problem.

Now I have the scheduler running the script and I can so detect if the script is already running started by the scheduler.

## Check if this this script is already running
/system script job
:foreach b in=[find where script="checkRange"] do={:log warning "script already running";  error Script is already running; };

/system script run checkRange

There must be a cleaner way then using

:error

here.

msatter · Fri Nov 01, 2019 12:52 pm

I have refined the script again. Now you can block certain ip-ranges from ever making it to list-2 (blocklist).

You can do this by creating a static /24 IP-range in list-1 then any IP address in that range will not be moved to list-2 despite it may have reach the threshold to be moved. So when you make an error in the rule and are adding IP addresses that are local or remote that should not be blocked you have now a extra security to avoid unwanted blocks.

## change to address-lists
/ip firewall address-list

## Loops through the address-list till all entries are handled
:foreach b in=[find where list="list-1" dynamic] do={:set $firstAddress [get value-name=address number=$b] 

    ## convert address in list to ip range of /24
    :local ipRange (($firstAddress&255.255.255.0)."/24")

    ## Check if that address range is blocked by a static enty
    :if ([find where list="list-1" address=$ipRange !dynamic]) do={remove [find where list=list-1 address=$firstAddress] ; \
    :log warning "$firstAddress was blocked by Static entry on list-1" } else {

      ## resets the counter
      :local countRange 0;

      ## Counts how many addresses are in the range 
      :foreach c in=[find where list=list-1 address in $ipRange] do={ :set countRange ($countRange + 1)};

     ## If more than five times the same IP address range is matched then it is added added to list-2 
     ## else remove the used range from the list-1 because any other hits are with too less.
     :if ($countRange > 4) do={add address=$ipRange list=list-2; ; remove [find where list=list-1 && address in $ipRange] ; \
     :log warning "$ipRange range added to list-2" } else={remove [find where list=list-1 && address in $ipRange]};

 }; # foreach b
}; # if else

Maggiore81 · Sat Apr 04, 2020 10:03 pm

sorry to resurrect this thread.

@msatter how can I contact you?

ashwinvpatil · Mon Oct 19, 2020 8:59 pm

Hello
Could you please share the updated script for ddos and TCP syn flood protection for mikrotik

msatter · Tue Oct 20, 2020 12:18 am

Hello
Could you please share the updated script for ddos and TCP syn flood protection for mikrotik

This script is made for a special kind of DDOS and is optimized as much as I am possible to do.

In many cases psd is your friend when TCP is used to avoid loading connection up. UDP or other protocols need connection tracking to see if they are new connections.

[feature request] Blocking a special kind of DDoS [SOLVED]

[feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS [SOLVED]

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS

Re: [feature request] Blocking a special kind of DDoS