LiquidDave
just joined
Topic Author
Posts: 8
Joined: Thu Aug 14, 2014 7:02 am

Dealing with 3 different DDOS attacks. Need suggestions

Tue Sep 16, 2014 5:47 am

I have a problem on one of my Mikrotiks and I am having some issues figuring out a set of rules that will allow incoming OpenVPN connections to get to a server behind the router and accept PPTP/L2TP connections on the router itself, while still dropping DDoS traffic.

There are three things I am seeing: ICMP, DNS amplification, and non-proper DNS amplification. Non-proper meaning wrong ports: instead of coming from source port 53, it's coming from any port from about 10k to 60k. 2/3rds of it is a DNS attack, 1/3rd of it is ICMP, and the stragglers are non-standard-port DNS attacks. Here is a glimpse of the traffic from my packet sniffer. This is from just 2 seconds of captures.

I have tried the rules on the wiki but it blocks PPTP/L2TP and OpenVPN traffic as well. Hope someone can help.

[attachment: protocols.jpg]
 
hedele
Member
Posts: 338
Joined: Tue Feb 24, 2009 11:23 pm

Re: Dealing with 3 different DDOS attacks. Need suggestions

Tue Sep 16, 2014 8:53 am

How about accepting connections to the UDP ports you know are being used for OpenVPN, accepting "established" packets, accepting connections to udp/1701 (L2TP) and dropping the rest of UDP? There's not much you can do with ICMP, except drop it or use a limiter in the firewall so only a certain amount of ICMP gets past. According to the traffic signature, you won't have to police GRE and/or TCP, so PPTP should be fine. Note that both limiting and using the "established" connection state will need conntrack to be on.
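The rule order hedele describes, written out as a RouterOS v6 filter set. This is an added example, not a configuration from the thread or from MikroTik; it assumes the WAN interface is ether1, the OpenVPN server behind the router is 192.0.2.10 on udp/1194 (with its dst-nat already in place), and L2TP runs without IPsec.

```routeros
# Added example (not from the thread). Assumptions: WAN = ether1,
# OpenVPN server behind the router = 192.0.2.10 on udp/1194, L2TP without IPsec.

# Both the "established" match and the ICMP limiter need connection tracking on.
/ip firewall connection tracking set enabled=yes

/ip firewall filter
# --- input chain: services terminated on the router itself ---
# Replies to traffic the router started (e.g. its own DNS lookups) come back as
# established/related, so the src-port=53 drop below never touches them.
add chain=input connection-state=established,related action=accept comment="replies to router traffic"
# PPTP = tcp/1723 control channel + GRE data; L2TP = udp/1701.
add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=input in-interface=ether1 protocol=gre action=accept comment="PPTP data"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 action=accept comment="L2TP"
# ICMP: let 50 packets/s (burst 5) through instead of dropping it outright,
# then drop whatever the flood sends above that.
add chain=input in-interface=ether1 protocol=icmp limit=50,5:packet action=accept comment="ICMP, limited"
add chain=input in-interface=ether1 protocol=icmp action=drop comment="ICMP over limit"
# Amplified DNS arrives as answers from source port 53 that nothing here asked for.
add chain=input in-interface=ether1 protocol=udp src-port=53 action=drop comment="DNS amplification"
# Everything else unsolicited over UDP, including the random-source-port DNS
# variant from the first post, ends here.
add chain=input in-interface=ether1 protocol=udp action=drop comment="rest of unsolicited UDP"

# --- forward chain: traffic passing through the router ---
add chain=forward connection-state=established,related action=accept comment="replies to LAN traffic"
add chain=forward in-interface=ether1 protocol=udp dst-address=192.0.2.10 dst-port=1194 action=accept comment="OpenVPN to server"
add chain=forward in-interface=ether1 protocol=udp src-port=53 action=drop comment="DNS amplification"
add chain=forward in-interface=ether1 protocol=udp action=drop comment="rest of unsolicited UDP"
```

Check the rule counters with `/ip firewall filter print stats` while the flood is running: the two src-port=53 drops and the two catch-all UDP drops should be the ones climbing, and the VPN accept rules should still show fresh connections.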
 
LiquidDave
just joined
Topic Author
Posts: 8
Joined: Thu Aug 14, 2014 7:02 am

Re: Dealing with 3 different DDOS attacks. Need suggestions

Tue Sep 16, 2014 9:00 am

Yeah, that is basically what I am doing now. My problem is users that are assigned public IP addresses can have incoming traffic to their IP. Now anything above UDP 1024 is going to be dropped due to the firewall rule.
 
hedele
Member
Posts: 338
Joined: Tue Feb 24, 2009 11:23 pm

Re: Dealing with 3 different DDOS attacks. Need suggestions

Tue Sep 16, 2014 9:14 am

That shouldn't be a big problem; not a lot of services use these ports server-side anyway, most of them multimedia- or gaming-related. If customers are complaining, you can justify this measure with an incoming DDoS; they should understand that issue.
 
LiquidDave
just joined
Topic Author
Posts: 8
Joined: Thu Aug 14, 2014 7:02 am

Re: Dealing with 3 different DDOS attacks. Need suggestions

Tue Sep 16, 2014 9:23 am

Very true. I had hoped to find something I could add to the other routers, but maybe I won't be able to be proactive about it. This DDoS has been going on for a week now. Hopefully it will let up soon.
 
delsio
just joined
Posts: 8
Joined: Tue Oct 07, 2014 6:40 pm

Re: Dealing with 3 different DDOS attacks. Need suggestions

Wed Oct 15, 2014 9:20 pm

Hi guys,

I also experienced a DDoS on my DNS server, basically a ping of death attack.
I tried to block ICMP completely but the firewall rule simply stays at 0 packets and bytes.

I am using v6.20

Any clues why?
 
tgrand
Long time Member
Posts: 667
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: Dealing with 3 different DDOS attacks. Need suggestions

Fri Oct 17, 2014 8:12 pm

Not sure about ICMP, but amplified attacks use UDP and are delivered regardless of you dropping them.
This continues to flood the upstream bandwidth.
I have had attacks of over 1Gbps take me down, and upstream speeds unknown but took out a 10Gbps upstream.
The only defense is DDoS mitigation software which detects the attack and advertises the affected /32s to a black-hole community for a duration of time. This ensures data delivery to all unaffected IPs, and NAT the affected ones temporarily behind an unaffected address until the attack subsides.
