 
Theennd
newbie
Topic Author
Posts: 32
Joined: Mon Oct 03, 2016 8:24 am

Detect Attack

Wed Feb 15, 2017 9:42 pm

Hi, I have a CCR1036 and my router can't stay up under attack: it reboots when one of my IPs receives, for example, about 10-50 Mbit of DDoS bandwidth, meaning many connections and packets going to one IP. Then my MikroTik reboots or the CPU is full and I can't access it. I need a way to fix this. I don't know why this hardware should go down under a 10-50 Mbit DDoS.

And is there any way to detect an hping3 DDoS?

Thanks
 
OnixJonix
Frequent Visitor
Posts: 68
Joined: Thu Jun 22, 2006 11:35 am
Location: Latvia

Re: Detect Attack

Thu Feb 16, 2017 7:08 am

Look at Profile!! Which service is using resources! There is no way that your CCR is stuck at 10-15Mbps! Impossible! It can handle a lot more!! Try the newest version! Seems like a bug or hardware problem to me!
Make a filter in the firewall - limit connections to one IP! Search for "prevent DDOS" in this forum - plenty of info on that!
 
amyacker
just joined
Posts: 11
Joined: Mon Nov 28, 2016 9:32 am

Re: Detect Attack

Thu Feb 16, 2017 11:38 am

Does your log show this command on profiles?
hping3 --flood <ip>
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Detect Attack

Thu Feb 16, 2017 6:48 pm

If your router can't stand up to a simple packet flood then you probably have too many complex firewall rules.
 
Theennd
newbie
Topic Author
Posts: 32
Joined: Mon Oct 03, 2016 8:24 am

Re: Detect Attack

Fri Feb 17, 2017 5:26 pm

OnixJonix wrote:
> Look at Profile!! Which service is using resources! There is no way that your CCR is stuck at 10-15Mbps! Impossible! It can handle a lot more!! Try the newest version! Seems like a bug or hardware problem to me!
> Make a filter in the firewall - limit connections to one IP! Search for "prevent DDOS" in this forum - plenty of info on that!

Profile shows the firewall using 100% CPU, and it restarts my router.
[Attachment: mikrotik.jpg]
I have blocked my IP that receives the DDoS; see the packets.
 
Theennd
newbie
Topic Author
Posts: 32
Joined: Mon Oct 03, 2016 8:24 am

Re: Detect Attack

Fri Feb 17, 2017 5:27 pm

amyacker wrote:
> Does your log show this command on profiles?
> hping3 --flood <ip>

No, I didn't see this in my logs.
 
Theennd
newbie
Topic Author
Posts: 32
Joined: Mon Oct 03, 2016 8:24 am

Re: Detect Attack

Fri Feb 17, 2017 5:28 pm

R1CH wrote:
> If your router can't stand up to a simple packet flood then you probably have too many complex firewall rules.

I just have two firewall rules: one blocks ICMP and the other blocks one IP on my network.
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Detect Attack

Fri Feb 17, 2017 5:37 pm

Are you allowing remote DNS requests?
 
Theennd
newbie
Topic Author
Posts: 32
Joined: Mon Oct 03, 2016 8:24 am

Re: Detect Attack

Fri Feb 17, 2017 5:48 pm

dgnevans wrote:
> Are you allowing remote DNS requests?

No, I didn't allow it.
 
mpreissner
Member
Posts: 357
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Detect Attack

Fri Feb 17, 2017 7:08 pm

You need to remember that the default action for MikroTik firewall is Accept. If you do not put a Drop All rule at the bottom of each firewall chain, your router will Accept all packets that hit that chain. This is a HUGE oversight from MikroTik in terms of security, but easily correctable. You need to explicitly allow traffic that you want and Drop everything else.
 
Theennd
newbie
Topic Author
Posts: 32
Joined: Mon Oct 03, 2016 8:24 am

Re: Detect Attack

Fri Feb 17, 2017 7:26 pm

mpreissner wrote:
> You need to remember that the default action for MikroTik firewall is Accept. If you do not put a Drop All rule at the bottom of each firewall chain, your router will Accept all packets that hit that chain. This is a HUGE oversight from MikroTik in terms of security, but easily correctable. You need to explicitly allow traffic that you want and Drop everything else.

I can't do this. I have many users on this network and I can't allow one part of my traffic and drop the others.
 
AlainCasault
Trainer
Posts: 632
Joined: Fri Apr 30, 2010 3:25 pm
Location: Prévost, QC, Canada

Re: Detect Attack

Fri Feb 17, 2017 7:39 pm

Mpreissner isn't suggesting that, but denying "new" connections on the WAN's input chain, for example, will save you a world of pain. If you allow the WAN port to reply to DNS requests, you're vulnerable.

 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Detect Attack

Fri Feb 17, 2017 8:33 pm

I agree, protecting your router from input attacks directly to the router is important.
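
The input-chain approach described in mpreissner's and AlainCasault's replies above, written out as a RouterOS rule set. This is an added example, not posted by anyone in the thread; the interface name ether1 for the WAN port is an assumption.

```routeros
# Added example. Assumption: ether1 is the WAN-facing interface; change it to match your router.
/ip firewall filter
# Replies to connections the router itself opened (its own DNS lookups, NTP, updates).
add chain=input connection-state=established,related action=accept comment="input: allow replies"
# Packets that do not belong to any tracked connection.
add chain=input connection-state=invalid action=drop comment="input: drop invalid"
# Management and local services reached from the inside interfaces.
add chain=input in-interface=!ether1 action=accept comment="input: allow from LAN side"
# New connections from the WAN to the router itself, which includes DNS requests on port 53.
add chain=input in-interface=ether1 connection-state=new action=drop comment="input: drop new from WAN"
# Explicit final drop: without it, anything that matched no rule above is accepted.
add chain=input action=drop comment="input: drop everything else"
```

Every rule here is in chain=input, so it only applies to packets addressed to the router itself; users' traffic passing through the router is handled by chain=forward and is not affected by these rules.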