DoS Protection [Question]

Posted: Wed Oct 23, 2019 12:05 pm
by Lebzul
Hi,

Checking the wiki, I have some doubts:
https://wiki.mikrotik.com/wiki/DoS_attack_protection

First: In the SYN Filtering part, it says to have the first rule disabled. Is this necessary, or is it a mistake?

Second: Is this the best approach in RouterOS to protect against DoS attacks?

Re: DoS Protection [Question]

Posted: Wed Oct 23, 2019 12:50 pm
by R1CH
The current RouterOS is based on an old kernel and deployed on routers that are fairly CPU limited. IMO it's best to let it pass through packets and the target device can be responsible for its own DoS protection. By trying to do DoS protection in RouterOS, the router itself becomes vulnerable to DoS since it spends so much time processing all your firewall rules.

Re: DoS Protection [Question]

Posted: Wed Oct 23, 2019 2:44 pm
by Lebzul
The current RouterOS is based on an old kernel and deployed on routers that are fairly CPU limited. IMO it's best to let it pass through packets and the target device can be responsible for its own DoS protection. By trying to do DoS protection in RouterOS, the router itself becomes vulnerable to DoS since it spends so much time processing all your firewall rules.
I agree with the limitations of the hardware. But what do we have to do when the MT itself is being attacked? It happened to me once. CPU was very high and I had to implement one like the one from the wiki, but it used to "drop", and that used to break some online games. I'm implementing this one from the wiki, but there is a rule that is recommended to have "disabled", and that's why I was wondering about it.

Re: DoS Protection [Question]

Posted: Wed Oct 23, 2019 3:04 pm
by Anumrak
Hi,

Checking the wiki, I have some doubts:
https://wiki.mikrotik.com/wiki/DoS_attack_protection

First: In the SYN Filtering part, it says to have the first rule disabled. Is this necessary, or is it a mistake?

Second: Is this the best approach in RouterOS to protect against DoS attacks?
It's a mistake.

Tiks are not supposed to be the DDoS shield, so you had better buy special equipment from a DDoS protection ISP and be free from these fears.
Or just transfer your service to a cloud DDoS-protected server.

Re: DoS Protection [Question]

Posted: Wed Oct 23, 2019 5:56 pm
by R1CH
The current RouterOS is based on an old kernel and deployed on routers that are fairly CPU limited. IMO it's best to let it pass through packets and the target device can be responsible for its own DoS protection. By trying to do DoS protection in RouterOS, the router itself becomes vulnerable to DoS since it spends so much time processing all your firewall rules.
I agree with the limitations of the hardware. But what do we have to do when the MT itself is being attacked? It happened to me once. CPU was very high and I had to implement one like the one from the wiki, but it used to "drop", and that used to break some online games. I'm implementing this one from the wiki, but there is a rule that is recommended to have "disabled", and that's why I was wondering about it.
If your MT device is being attacked directly then all traffic should be dropped by your default input DROP rule. You're not exposing RouterOS services to the internet right? :).

Re: DoS Protection [Question]

Posted: Wed Oct 23, 2019 8:50 pm
by Lebzul
It's a mistake.

Tiks are not supposed to be the DDoS shield, so you had better buy special equipment from a DDoS protection ISP and be free from these fears.
Or just transfer your service to a cloud DDoS-protected server.

I see. I thought it could have been. Nonetheless, that wiki was prepared long ago.

Why is it not a good idea to have it as a shield?

Re: DoS Protection [Question]

Posted: Wed Oct 23, 2019 9:01 pm
by Lebzul
If your MT device is being attacked directly then all traffic should be dropped by your default input DROP rule. You're not exposing RouterOS services to the internet right? :).
I just have Winbox activated. But what I use is UPnP just for game consoles to have open ports.
I also have a WebProxy and DNS server in the same MT.

Re: DoS Protection [Question]

Posted: Wed Oct 23, 2019 9:01 pm
by msatter
When you have DDoS traffic reaching the input chain of the filter, then you are using the most expensive part of RouterOS, namely connection tracking.

If possible, try to block it in Raw, or if that is not feasible, mark it as no-track.
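
The approach msatter describes (drop flood traffic in the raw table, before connection tracking, and keep the default input chain that drops everything not from LAN), written out as an added example. This is not configuration from the thread, from the wiki page linked above, or from MikroTik; it assumes RouterOS v6 with the default "WAN" and "LAN" interface lists, and that Winbox listens on its default port 8291 and the web proxy on its default 8080:

```routeros
# Added example (not from the thread or the MikroTik wiki). Assumes RouterOS v6,
# interface lists "WAN" and "LAN" from the default configuration, and the default
# service ports for Winbox (8291) and the web proxy (8080).

/ip firewall raw
# Raw runs before connection tracking. A flood aimed at router-local services that
# must never be reachable from the internet is dropped here, so it never costs a
# conntrack entry or any of the CPU that the filter chains would spend on it.
add chain=prerouting in-interface-list=WAN dst-address-type=local protocol=tcp \
    dst-port=8291,8080 action=drop comment="drop Winbox/web proxy from WAN before conntrack"
add chain=prerouting in-interface-list=WAN dst-address-type=local protocol=udp \
    dst-port=53 action=drop comment="drop DNS queries from WAN before conntrack"
add chain=prerouting in-interface-list=WAN dst-address-type=local protocol=tcp \
    dst-port=53 action=drop comment="drop DNS over TCP from WAN before conntrack"

/ip firewall filter
# Default-configuration style input chain: existing connections are accepted,
# anything not arriving from LAN is dropped. Nothing here is reachable from WAN.
add chain=input connection-state=established,related,untracked action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=!LAN action=drop comment="defconf style: drop all not coming from LAN"

# Verification: the raw counters should grow under the flood while the input
# chain's drop counter stays flat, and the conntrack table should stay small.
/ip firewall raw print stats
/ip firewall filter print stats
/ip firewall connection print count-only
/system resource print
```

The raw rules only cover packets addressed to the router itself (dst-address-type=local); forwarded traffic for the consoles is untouched, which is the trade-off this thread settles on: the router protects its own control plane cheaply and leaves per-service DoS protection to the hosts behind it.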

Re: DoS Protection [Question]

Posted: Wed Oct 23, 2019 9:31 pm
by pe1chl
I just have Winbox activated.
Never never NEVER activate Winbox on your internet-facing interface!
But what I use is UPnP just for game consoles to have open ports.
Ah game consoles... there probably lies the cause of your DDoS.
(or better: not in the game consoles, but in the kids that operate them)

Re: DoS Protection [Question]

Posted: Wed Oct 23, 2019 10:13 pm
by Lebzul
Never never NEVER activate Winbox on your internet-facing interface!
But it is the only thing activated in services. If I turn it off, will I be able to log in again?

Ah game consoles... there probably lies the cause of your DDoS.
(or better: not in the game consoles, but in the kids that operate them)
Do you know a better way to have multiple consoles with NAT open (all ports available)?

Re: DoS Protection [Question]

Posted: Thu Oct 24, 2019 7:49 am
by pe1chl
You should have Winbox active, but you should NOT allow incoming Winbox connections from internet in your firewall!
The default firewall blocks incoming connections to the router. Don't change that.

The issue with game consoles is not the technical configuration but the people that operate them!
When they take unfair advantage or otherwise cause hate amongst their fellow players, they will trigger DDoS attacks.
That is not about how you configure the network, it is about how the players behave. That is what you need to change.
(and when you can't, just do not allow the usage)

Re: DoS Protection [Question]

Posted: Thu Oct 24, 2019 11:38 am
by Anumrak
It's a mistake.

Tiks are not supposed to be the DDoS shield, so you had better buy special equipment from a DDoS protection ISP and be free from these fears.
Or just transfer your service to a cloud DDoS-protected server.

I see. I thought it could have been. Nonetheless, that wiki was prepared long ago.

Why is it not a good idea to have it as a shield?
Because it doesn't have enough resources to check all the passing traffic.