
Outbound DDoS firewall rules

Posted: Thu Sep 23, 2021 9:05 am
by hughrobbie
Hi Guys,

I am getting lots of outbound Sightline reports of TCP and UDP attacks leaving our network. I would like to know if anyone has any firewall rules they can share that they have used to stop outward DDoS attacks. My plan is to put the firewall rules on each PPPoE concentration device, to prevent it even flowing through my internal network and reduce the damage to other ISPs.

Kind Regards
Hugh

Re: Outbound DDoS firewall rules

Posted: Thu Sep 23, 2021 9:37 am
by hughrobbie
I saw this on the MikroTik help:
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
# The detection chain is only evaluated if something jumps to it, so send
# the first packet of every forwarded connection through it.
add action=jump chain=forward connection-state=new jump-target=detect-ddos
# Up to 32 new connections/s (burst 32) per src/dst pair is normal: return.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
# Above that rate, record both the target and the attacker for 10 minutes.
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
/ip firewall raw
# Drop only attacker-to-target packets, before connection tracking sees them.
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers
Will this help?

Re: Outbound DDoS firewall rules

Posted: Thu Sep 23, 2021 4:00 pm
by johnson73
Following the recommendations of the forum members, I use the following method. It works well.
/ip firewall filter
# Send the first packet of every forwarded connection through the detection chain.
add action=jump chain=forward comment="Ddos protect" connection-state=new \
    jump-target=block-ddos
# Up to 32 new connections/s (burst 42) per src/dst pair is normal: return.
add action=return chain=block-ddos dst-limit=32,42,src-and-dst-addresses/10s
# Above that rate, list the source address for 10 minutes.
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m \
    chain=block-ddos
/ip firewall raw
# The list holds source addresses, so match on src-address-list; matching on
# dst-address-list would only drop packets going back to the listed host.
add action=drop chain=prerouting src-address-list=ddoser

Re: Outbound DDoS firewall rules

Posted: Thu Sep 23, 2021 6:49 pm
by rextended
First of all, place anti-spoofing rules: check that the firewall verifies that the source IPs of incoming packets from your clients are your addresses and not spoofed.
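The following is an added example for a PPPoE concentrator, not configuration from the thread or from MikroTik's documentation. It combines the anti-spoofing check recommended in the post above with the detection chain shared earlier in the thread, scoped so that only customer-to-world traffic is measured. The prefixes 203.0.113.0/24 and 198.51.100.0/22 are RFC 5737 placeholders standing in for the address space actually assigned to customers, and the list names (our-prefixes, pppoe-clients, outbound-ddoser, detect-outbound-ddos) are arbitrary labels chosen here.

```routeros
# Added example, not from the thread. Replace the placeholder prefixes with the
# pools your PPPoE customers are actually assigned from.

# 1. The address space customers are allowed to source packets from.
/ip firewall address-list
add list=our-prefixes address=203.0.113.0/24 comment="PPPoE pool A (placeholder)"
add list=our-prefixes address=198.51.100.0/22 comment="PPPoE pool B (placeholder)"

# 2. Put every customer session interface in one interface list, so the rules
#    below cover dynamic <pppoe-*> interfaces without naming each one.
/interface list
add name=pppoe-clients
/ppp profile
set default interface-list=pppoe-clients

# 3. Detection, customer -> world direction only: more than 32 new connections
#    per second (burst 32) from one customer address to one destination, tracked
#    per src/dst pair for 10s, lists the customer's address for 10 minutes.
/ip firewall filter
add chain=forward in-interface-list=pppoe-clients connection-state=new \
    action=jump jump-target=detect-outbound-ddos
add chain=detect-outbound-ddos dst-limit=32,32,src-and-dst-addresses/10s \
    action=return
add chain=detect-outbound-ddos action=add-src-to-address-list \
    address-list=outbound-ddoser address-list-timeout=10m \
    log=yes log-prefix="outbound-ddos"

/ip firewall raw
# 4. Anti-spoofing (BCP38): a packet arriving on a customer interface with a
#    source address we do not own is spoofed. Log a rate-limited sample, then
#    drop in raw so it never reaches connection tracking or the forward chain.
add chain=prerouting in-interface-list=pppoe-clients \
    src-address-list=!our-prefixes action=log log-prefix="spoofed-src" \
    limit=10,20:packet
add chain=prerouting in-interface-list=pppoe-clients \
    src-address-list=!our-prefixes action=drop comment="BCP38 egress filter"
# 5. Enforcement for the sources listed by the detection chain in step 3.
add chain=prerouting in-interface-list=pppoe-clients \
    src-address-list=outbound-ddoser action=drop comment="drop listed flooders"

# 6. Optional second check: strict reverse-path filtering rejects a source that
#    arrives on an interface other than the one the router would use to reach
#    it. Each PPPoE session gets its own /32 route, so this is safe on a
#    concentrator; skip it where routing is asymmetric.
/ip settings
set rp-filter=strict
```

Two caveats when tuning this. The dst-limit classifier is per source/destination pair, so a customer spraying a modest number of packets to each of many targets stays under the threshold; lower the rate or classify on src-address alone if that pattern shows up in the Sightline reports. And the BCP38 rules are the ones that matter most for other ISPs: a flood that carries a forged source cannot be attributed to the customer by the detection chain at all, but it is dropped at step 4 before the chain is consulted.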