ICMP connections, bypass QoS?

Posted: Tue Sep 04, 2007 7:39 pm
by Gregy
Hi,
Today I found out that one of our access points is running at 6Mbit. This is not usual, so I investigated and found out that one user is downloading 6Mbit via ICMP. On the main router there is a queue for him. It is set up like any other and is functional. It goes red (full use of link, he has a max of 512kbits) but he is still downloading/uploading 6Mbit (mangle is counting packets well, it shows 6Mbit in the graph in the mangle rule). I am able to stop it only by firewall (drop all from/to this IP) but not if I kill only ICMP traffic (torch is telling me that it is ICMP traffic). Help please.

Re: ICMP connections, bypass QoS?

Posted: Wed Sep 05, 2007 9:23 am
by unlimitedme
downloading via ICMP?
please explain it.

Re: ICMP connections, bypass QoS?

Posted: Wed Sep 05, 2007 11:10 am
by Gregy
There are 3 connections to the internet from the IP of the customer, each with 2Mbit of traffic, and torch tells me that these connections are ICMP.

Re: ICMP connections, bypass QoS?

Posted: Wed Sep 05, 2007 2:40 pm
by plcoomer
Are you using any network monitoring software like Intermapper etc.?... Sounds almost like a LOOP.

Re: ICMP connections, bypass QoS?

Posted: Wed Sep 05, 2007 2:58 pm
by Gregy
What loop? The connections lead to three different network addresses. The connections stop when I disconnect the client from the AP. I am not using any monitoring software except SNMP.

Re: ICMP connections, bypass QoS?

Posted: Wed Sep 05, 2007 8:49 pm
by t3rm
This is cool!!
I think your users are using some kind of VPN over ICMP.

Just wonder where I can get an ICMP VPN... :lol:

For you to shape the ICMP, you can use Queue Tree and use mangling to push the ICMP packets to the queue in the class you described.

Hope this will help.

Re: ICMP connections, bypass QoS?

Posted: Wed Sep 05, 2007 9:05 pm
by Gregy
But I am doing that; the point is that even if the mangle rule works correctly (mangles the packet) the Queue doesn't shape it. It is coming through just like without any shaper.

Re: ICMP connections, bypass QoS?

Posted: Wed Sep 05, 2007 9:12 pm
by changeip
Is it a DDoS attack participant? What type of ICMP?

You can use firewall filter to drop / limit the number of ICMP packets that they are using. If you drop 1 out of 5 packets or so it will probably be less useful and they will stop. If it's straight abusive ICMP I would just drop it completely. Use a good ICMP firewall chain to stop stuff like that.

Jump to the ICMP chain from your input and forward chains:

add chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=20,20 \
comment="8:0 and limit for 5pac/s \(Echo - No Code\)" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=30,5 \
comment="3:3 and limit for 5pac/s \(Port Unreachable\)" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=11:0 limit=50,20 \
comment="11:0 and limit for 5pac/s \(TTL Exceeded\)" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=20,20 \
comment="0:0 and limit for 5pac/s \(Echo Reply\)" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:0 limit=5,5 \
comment="3:0 and limit for 5pac/s \(Net Unreachable\)" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:1 limit=5,5 \
comment="3:1 and limit for 5pac/s \(Host Unreachable\)" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5 \
comment="3:4 and limit for 5pac/s \(Frag Not Needed\)" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:13 limit=5,5 \
comment="3:13 and limit for 5pac/s" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:10 limit=5,5 \
comment="3:10 and limit for 5pac/s" disabled=no
add chain=ICMP action=log protocol=icmp limit=1,2 log-prefix="" comment="log \
it" disabled=no
add chain=ICMP action=drop protocol=icmp comment="Drop everything else" \
disabled=no

You may have to adjust your limits depending on the size of your network and the type of traffic you expect. This is from a cable modem network, so the limits might be a little low.

Sam

Re: ICMP connections, bypass QoS?

Posted: Wed Sep 05, 2007 9:13 pm
by changeip
You can also limit the size of the ICMP packets in firewall filter, if they are the same size or larger than average.
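An added example (not from this thread or from changeip): a small Python model of the per-type limit rules posted above, run over constructed traffic, showing how a tunnel's echo flow is cut down to the configured rate and how its oversized echoes stand out, as the size hint in this post suggests. Reading `limit=rate,burst` as a token bucket (rate tokens per second, burst as capacity) and the 128-byte size threshold are assumptions.

```python
"""Token-bucket model of per-type ICMP limits run over constructed traffic."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float        # arrival time in seconds
    src: str
    icmp_type: int
    icmp_code: int
    length: int      # total packet length in bytes

# (type, accepted codes) -> (rate, burst), taken from the posted chain
LIMITS = {
    (8, range(256)): (20, 20),   # echo request
    (0, range(256)): (20, 20),   # echo reply
    (3, range(3, 4)): (30, 5),   # port unreachable
    (11, range(1)): (50, 20),    # TTL exceeded
}
MAX_LEN = 128  # assumption: an echo larger than this is not a normal ping

def classify(pkts):
    """Per-source counts of accepted, dropped and oversized ICMP packets."""
    buckets = {}  # one bucket per rule, like a per-rule 'limit' matcher
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0, "oversized": 0})
    for p in sorted(pkts, key=lambda p: p.ts):
        s = stats[p.src]
        if p.length > MAX_LEN:
            s["oversized"] += 1
        rule = next((k for k in LIMITS if k[0] == p.icmp_type
                     and p.icmp_code in k[1]), None)
        if rule is None:              # "Drop everything else"
            s["dropped"] += 1
            continue
        rate, burst = LIMITS[rule]
        tokens, last = buckets.get(rule, (burst, p.ts))
        tokens = min(burst, tokens + (p.ts - last) * rate)  # refill
        if tokens >= 1:
            tokens -= 1
            s["accepted"] += 1
        else:
            s["dropped"] += 1
        buckets[rule] = (tokens, p.ts)
    return dict(stats)

def suspicious(stats):
    """Sources worth a look: oversized echoes or more drops than accepts."""
    return sorted(src for src, s in stats.items()
                  if s["oversized"] or s["dropped"] > s["accepted"])

# Constructed sample: a tunnel host pushing 1400-byte echoes in two bursts,
# and a normal host pinging once a second plus one unmatched ICMP type.
SAMPLE = ([Pkt(t, "10.0.0.5", 8, 0, 1400) for t in (0.0, 1.0) for _ in range(300)]
          + [Pkt(10.0 + i, "10.0.0.9", 8, 0, 84) for i in range(5)]
          + [Pkt(15.0, "10.0.0.9", 13, 0, 84)])
```

With this sample the tunnel host gets only 40 of its 600 echoes through (the 20-packet burst, refilled at 20/s), while the pinging host loses only its one unmatched packet.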

Re: ICMP connections, bypass QoS?

Posted: Wed Sep 05, 2007 10:58 pm
by Gregy
I have such rules, but only in the input chain; I don't care what people are sending to the internet. I just want to limit their speed. The queue is set up right (I think) but it is not catching this type of traffic. Maybe it is a bug in MikroTik.