DoS attack protection

From MikroTik Wiki
Revision as of 17:08, 28 February 2010 by Chronos (talk | contribs) (SYN cookies and tarpid action)

A DoS (Denial of Service) attack can overload the router: CPU usage goes to 100% and the router becomes unreachable or responds only with timeouts.

Types

TCP SYN flood

More info: SYN flood.

Diagnose

A huge number of received TCP connections in the syn-sent state can be observed in the firewall connection list:

/ip firewall connection print
/tool torch

Protection

  • Limit incoming connections

An address that opens too many connections can be added to an address list for further blocking.

/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32  \
action=add-src-to-address-list  address-list=blocked-addr address-list-timeout=1d 
 where LIMIT is the maximum number of connections per source IP address.
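As an added example (not part of the wiki page and not RouterOS code), the following Python script performs the diagnosis step offline: it parses saved output of /ip firewall connection print, counts TCP entries in the syn-sent state per source, and groups sources by netmask the way connection-limit=LIMIT,NETMASK does. The column layout of the sample is an assumption modelled on the print format; the addresses and counts are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of "/ip firewall connection print"; the
# addresses, ports and counts are made up for this example.
SAMPLE = """\
Flags: S - seen reply, A - assured
 #    PROTOCOL SRC-ADDRESS           DST-ADDRESS        TCP-STATE    TIMEOUT
 0  S tcp      192.168.88.10:51234   10.0.0.1:80        established  23h59m
 1    tcp      203.0.113.7:40001     10.0.0.1:80        syn-sent     59s
 2    tcp      203.0.113.7:40002     10.0.0.1:80        syn-sent     59s
 3    tcp      203.0.113.7:40003     10.0.0.1:443       syn-sent     58s
 4    tcp      203.0.113.9:40010     10.0.0.1:80        syn-sent     57s
 5    udp      192.168.88.20:5353    224.0.0.251:5353                9s
 6    tcp      198.51.100.4:33000    10.0.0.1:22        syn-sent     55s
"""
PROTOCOLS = {"tcp", "udp", "icmp"}

def parse_connections(text):
    """One dict per row: protocol, source host and TCP state (None for non-TCP)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue                         # skip the flags legend and header
        # The S/A flag column is optional and shifts fields: find the protocol by value.
        idx = next((i for i, p in enumerate(parts) if p in PROTOCOLS), None)
        if idx is None or len(parts) < idx + 2:
            continue
        rows.append({
            "protocol": parts[idx],
            "src": parts[idx + 1].rsplit(":", 1)[0],          # strip the port
            "tcp_state": parts[idx + 3] if parts[idx] == "tcp" and len(parts) > idx + 3 else None,
        })
    return rows

def syn_sent_per_source(conns, prefix_len=32):
    """Count syn-sent TCP entries per source network; prefix_len plays the role
    of the netmask in connection-limit=LIMIT,NETMASK (32 = per host)."""
    counts = Counter()
    for c in conns:
        if c["protocol"] == "tcp" and c["tcp_state"] == "syn-sent":
            net = ipaddress.ip_network(f"{c['src']}/{prefix_len}", strict=False)
            counts[str(net)] += 1
    return counts

def offenders(conns, limit, prefix_len=32):
    """Source networks holding more than `limit` half-open connections."""
    counts = syn_sent_per_source(conns, prefix_len)
    return sorted(net for net, n in counts.items() if n > limit)
```

Running offenders() over a real capture with the same LIMIT and netmask as the firewall rule shows which sources that rule would send to the blocked-addr list.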
  • Action tarpit

Instead of simply dropping the attacker's packets (action=drop), the router can accept and hold the connections (action=tarpit); with a sufficiently powerful router this exhausts the attacker's resources.

/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit 
  • SYN filtering
  • SYN cookies

More info: SYN cookies

/ip firewall connection tracking set tcp-syncookie=yes

External links