Block DDos Attack and be able to access internet
Posted: Wed Sep 13, 2017 11:07 pm
by rodrigobenta
Hello friends. I'm here because I'm having a problem that is driving me crazy.
I'm new to MikroTik; I have a model RB2011-uIaS.
The problem is that I have a network controlled by a Windows Server 2012 R2 with DHCP.
I've been having DDoS attacks, I think, because when I activate the "ALLOW REMOTE REQUESTS" option on DNS, my Tx on that interface ("ether1") goes so high.
I disabled that option after looking at this forum, but now I can't use the internet on my WINDOWS SERVER, and cannot access it via LogMeIn.
Can you give me some advice on how to activate remote requests and stop getting this attack, which I don't know where it comes from?
Thank you very much.
Re: Block DDos Attack and be able to access internet [SOLVED]
Posted: Thu Sep 14, 2017 12:09 am
by BartoszP
So many times on the forum:
Enable the DNS server and add these lines to the filters ... assuming ether1 is the name of the WAN interface; if not, substitute the proper one:
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
or
/ip firewall filter
add action=reject reject-with=icmp-host-unreachable chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=reject reject-with=icmp-host-unreachable chain=input dst-port=53 in-interface=ether1 protocol=tcp
If you drop packets, then the offender could try to connect many times, as there is no answer, so the offender does not know what happened to the query packet. With "reject" you fool the offender into thinking your host is unreachable, so you can assume the offender will stop in a short time, as there is no sense in querying a nonexistent server.
Re: Block DDos Attack and be able to access internet
Posted: Tue Sep 26, 2017 8:27 pm
by rodrigobenta
So many times on the forum:
Enable the DNS server and add these lines to the filters ... assuming ether1 is the name of the WAN interface; if not, substitute the proper one:
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
or
/ip firewall filter
add action=reject reject-with=icmp-host-unreachable chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=reject reject-with=icmp-host-unreachable chain=input dst-port=53 in-interface=ether1 protocol=tcp
If you drop packets, then the offender could try to connect many times, as there is no answer, so the offender does not know what happened to the query packet. With "reject" you fool the offender into thinking your host is unreachable, so you can assume the offender will stop in a short time, as there is no sense in querying a nonexistent server.
I entered the first lines of the filter.
Can I have problems if I then put in those reject actions to fool the offender? Or should I first remove those "drop" actions and then enter the reject actions? Thank you so much for your answer.
Re: Block DDos Attack and be able to access internet
Posted: Tue Sep 26, 2017 9:10 pm
by JohnTRIVOLTA
Not that the previous decisions are wrong, but I think this is the right one:
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=WAN protocol=udp
Re: Block DDos Attack and be able to access internet
Posted: Tue Sep 26, 2017 10:09 pm
by BartoszP
A. Reject for me is the better version, as drop does not fool the offender and it tries many times to attack our DNS. With reject it should stop earlier ... SHOULD stop earlier.
B. An action in prerouting stops processing earlier, so it is the better version.
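A combined configuration in the spirit of the raw-rule answer, added here as an example and not taken from any post in the thread; it assumes ether1 is the WAN interface and that the LAN clients (including the Windows Server) use the router as their resolver:

```routeros
# Added example (not from the thread): keep the router answering DNS for the
# LAN while refusing DNS queries that arrive on the WAN side.
# Assumptions: ether1 is the WAN interface; LAN clients use the router as DNS.

# The router must still answer LAN clients, so "allow remote requests"
# stays enabled; that is what broke the server's internet when it was off.
/ip dns set allow-remote-requests=yes

# Raw table, prerouting chain: WAN-side DNS packets are dropped before
# connection tracking and the input chain ever see them, as the last post
# explains. Only in-interface=ether1 matches, so LAN queries still pass.
/ip firewall raw
add chain=prerouting in-interface=ether1 protocol=udp dst-port=53 \
    action=drop comment="drop DNS queries arriving on WAN"
add chain=prerouting in-interface=ether1 protocol=tcp dst-port=53 \
    action=drop comment="drop DNS queries arriving on WAN"

# Verification: the rule counters show whether WAN DNS traffic is still
# arriving and being dropped, and the ether1 Tx rate should come back down.
/ip firewall raw print stats
/interface monitor-traffic interface=ether1 once
```

If the counters on the raw rules keep climbing while ether1 Tx stays low, the router is no longer answering outside resolvers and LAN resolution is unaffected.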