
HELP with UDP flooding

Posted: Wed Jan 15, 2014 10:49 am
by nick3dos
Can someone tell me what I have to do to prevent UDP flooding on my router.

I searched the wiki and found these rules:
add action=drop chain=forward disabled=no dst-address-list=udp_flooded
add action=drop chain=forward disabled=no src-address-list=udp_flooder
add action=jump chain=forward comment="UDP Flood Protection" connection-state=new 
add action=return chain=udp_flood disabled=no dst-limit=50,50,src-and-dst-addresse
add action=add-src-to-address-list address-list=udp_flooder address-list-timeout=1
add action=add-dst-to-address-list address-list=udp_flooded address-list-timeout=1
but it didn't work, new UDP connections keep coming to my router and every time I have to manually drop these IPs.

Thanks.
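A complete version of that wiki ruleset, as an added example rather than the poster's own configuration: the parts cut off above (the UDP protocol match, the jump-target, the dst-limit expire time and the address-list timeouts) are assumptions, as is the rule ordering.

```routeros
/ip firewall filter
# 1. Drop traffic to or from addresses already flagged. These two rules sit
#    before the jump so that a listed host never reaches the detector again
#    until its list entry expires.
add chain=forward action=drop dst-address-list=udp_flooded comment="UDP flood: drop traffic to flooded targets"
add chain=forward action=drop src-address-list=udp_flooder comment="UDP flood: drop traffic from flooders"

# 2. Only the first packet of a new UDP "connection" (conntrack state new)
#    is sent to the detection chain; established flows are not re-counted.
#    protocol=udp and jump-target are assumed, they were cut off in the post.
add chain=forward protocol=udp connection-state=new action=jump jump-target=udp_flood comment="UDP Flood Protection"

# 3. Detection chain. dst-limit=rate,burst,mode/expire keeps one token bucket
#    per src+dst address pair: up to 50 new flows per second, burst of 50,
#    bucket forgotten after 10s of silence (the /10s expire is assumed).
#    Pairs under the limit match here and return to the forward chain.
add chain=udp_flood action=return dst-limit=50,50,src-and-dst-addresses/10s

# 4. Anything that falls through exceeded the limit. add-*-to-address-list
#    is non-terminating, so both rules fire and the packet then returns to
#    forward, where it is still allowed; rule 1 drops the next ones.
#    The 1h timeout is assumed (the post shows only "1").
add chain=udp_flood action=add-src-to-address-list address-list=udp_flooder address-list-timeout=1h
add chain=udp_flood action=add-dst-to-address-list address-list=udp_flooded address-list-timeout=1h
```

The forward chain only sees traffic routed through the router; a flood aimed at one of the router's own addresses needs the same jump in chain=input. As Lakis notes below, dropping still does not free the WAN link, so this limits what reaches the LAN hosts rather than the inbound bandwidth.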

Re: HELP with UDP flooding

Posted: Wed Jan 15, 2014 6:07 pm
by nick3dos
???

Re: HELP with UDP flooding

Posted: Wed Jan 15, 2014 11:45 pm
by Lakis
That does not matter if you drop them, traffic is still coming to your router WAN port.
Best solution: use Torch and see where the flood traffic is directed ("dst-address") and call your ISP.

Re: HELP with UDP flooding

Posted: Wed Jan 15, 2014 11:50 pm
by nick3dos
Thanks for your answer.
My ISP can't help me.

At least I want to stop the flood connections from those IPs.
If I manually drop in the firewall the IPs that make the connections, at some point it is all OK.

But how can these IPs be dynamically added to these firewall rules, without having to do it manually every time?

Re: HELP with UDP flooding

Posted: Thu Jan 16, 2014 12:09 am
by Lakis
First, if the flood is from many addresses to one port, drop that port.
Is this your everyday problem?
UDP flood from many addresses and many ports, that sucks.
If you are an ISP and you have many real IPs, find where the flood traffic is directed ("dst-address") - (I edited this on my first post)

Re: HELP with UDP flooding

Posted: Thu Jan 16, 2014 12:27 am
by nick3dos
I have 40 static IPs in my network from my ISP.
On two of them I discovered this problem, two days now.
The UDP flood is from different addresses and different ports.

Re: HELP with UDP flooding

Posted: Wed Jan 22, 2014 7:07 pm
by redflag237
I have 40 static IPs in my network from my ISP.
On two of them I discovered this problem, two days now.
The UDP flood is from different addresses and different ports.
Why is this ruleset not working? What is running behind your router... a webserver?
In case of any webservers, I would recommend you simply change the A record of your domain and redirect it to a DDoS cloud service. This service filters the bad traffic and only lets the cleaned stuff pass to your real IP. I can recommend Depulsio (www.depulsio.de), I met these guys last year at ISD in Cologne.

But what I didn't understand: is the problem that the port is fully loaded (by this attack), or is the problem the target that is being attacked?
If the target is your problem: what ports are being attacked and why were they opened? Maybe reverse-proxy them?

If your ISP uplink is strong enough and doesn't get fully loaded, and even your router is powerful enough... let the traffic flow and just drop it in time. Maybe try other rate limits. What piece of hardware are we talking about, and what data rate on your WAN are we talking about?