Hi there,

I faced a challenge to set up a working filter set (firewall) in a RouterOS device so to protect internal WebService infrastructure in a smart and intelligent fashion. The setup is as follows: We have an internal WebService behind RB1100AHx2 version 5.25, which provides sensitive information like prices and discounts of items and products to external requests. The problem is that such services are regularly exploited by sending a lot of requests and big batch queries which are capable of drawing valuable information from the internal database or cause complete failure of the serving system (DoS in our case the WebService). What is to my mind is first limiting the requests per second or minute to the WebService, second I need to limit the maximum amount of data drawn and requested per second/minute to avoid downloading more info than "normally" is necessary, also I need to limit the maximum connections from one IP to the WebService, and last but not the least I have to count up the bytes transferred (I/O) to requesting clients so to cool down a bit the "heavy" users. Any other best practices in this context are most welcome.

Any suggestions and guidance will be greatly appreciated!

I don't think mikrotik is the device for that.

Gesendet von meinem XT890 mit Tapatalk 2

I don't think mikrotik is the device for that.

Gesendet von meinem XT890 mit Tapatalk 2

You are right to big extent. However, I am not trying to replace some super-dooper expensive Web Application firewall with Mikrotik device which serves different purpose in a brilliant way, but only to take advantage of the advanced features in the filter settings which I believe could do quite a good job. Frankly, my problem is that not all options are pretty clear to me and want to know only those that would solve my case without going through all the "trial and error" process.

Thanks for the answer.

To limit the connections per IP, you could use the "Connection Limit" feature in the firewall.

You could play around with the connection values in the firewall filter. It would require experimentation to figure out what works best and will fit the needs.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
connection-bytes (integer-integer; Default: ) Matches packets only if a given amount of bytes has been transfered through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection

connection-limit (integer,netmask; Default: ) Restrict connection limit per address or address block

connection-rate (Integer 0..4294967295; Default: ) Connection Rate is a firewall matcher that allow to capture traffic based on present speed of the connection.

dst-limit (integer,time,integer,dst-address | dst-port | src-address, time; Default: ) Matches packets within given pps limit. As opposed to the limit matcher, every destination IP address / destination port has it's own limit. Parameters are written in following format: count,time,burst,mode,expire.

count - maximum average packet rate measured in packets per time interval
time - specifies the time interval in which the packet rate is measured
burst - number of packets which are not counted by packet rate
mode - the classifier for packet rate limiting
expire - specifies interval after which recored ip address /port will be deleted

you can get alot of smarts in radius IE radiusmanager can control burst monthly usage logs the usage
go down that track

set the other fiddly bits on the ros probly gobally

Thank you very much, guys, for shedding some light on this complicated subject and for the priceless ideas. Really appreciate it !