DoS attack protection
A DoS (Denial of Service) attack can overload the router: CPU usage goes to 100% and the router may become unreachable, answering only with timeouts. Every operation on packets that takes significant CPU power, such as firewalling (filter, nat, mangle) or logging, can overload the router if too many packets per second arrive.
Types
TCP SYN flood
More info: SYN flood.
Diagnose
A huge number of received TCP connections in the syn-sent state can be observed in the firewall connection list.
/ip firewall connection print
/tool torch
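As an added example (not from the original page), a small Python helper that parses a saved snapshot of the firewall connection list in the key=value style of `/ip firewall connection print terse`, counts half-open (tcp-state=syn-sent) connections per source address, and emits address-list commands for sources over a threshold, matching the blocked-addr list and 1d timeout used by the rules in the Protection section. The sample output, its field names and the IPv4-only address format are constructed assumptions; real output differs between RouterOS versions.

```python
import re
from collections import Counter

# Constructed sample in the style of "/ip firewall connection print terse"
# (one connection per line as key=value pairs); the exact fields and flag
# columns vary between RouterOS versions, so treat the format as assumed.
SAMPLE = """\
 0 SA protocol=tcp src-address=192.168.88.10:51234 dst-address=203.0.113.5:443 tcp-state=established timeout=23h59m
 1    protocol=tcp src-address=198.51.100.7:40001 dst-address=203.0.113.5:80 tcp-state=syn-sent timeout=4s
 2    protocol=tcp src-address=198.51.100.7:40002 dst-address=203.0.113.5:80 tcp-state=syn-sent timeout=4s
 3    protocol=tcp src-address=198.51.100.7:40003 dst-address=203.0.113.5:80 tcp-state=syn-sent timeout=3s
 4    protocol=tcp src-address=198.51.100.9:40001 dst-address=203.0.113.5:80 tcp-state=syn-sent timeout=4s
 5    protocol=udp src-address=192.168.88.11:5353 dst-address=224.0.0.251:5353 timeout=9s
"""

KV_RE = re.compile(r"([a-z0-9-]+)=(\S+)")


def parse_connections(text):
    """Return one dict of key=value fields per connection line (IPv4 assumed)."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines()
            if "=" in line]


def half_open_by_source(text):
    """Count connections stuck in tcp-state=syn-sent per source IP (port stripped)."""
    counts = Counter()
    for conn in parse_connections(text):
        if conn.get("protocol") == "tcp" and conn.get("tcp-state") == "syn-sent":
            counts[conn["src-address"].rsplit(":", 1)[0]] += 1
    return counts


def offenders(text, limit):
    """Source IPs with more than `limit` half-open connections, sorted."""
    return sorted(ip for ip, n in half_open_by_source(text).items() if n > limit)


def block_commands(text, limit, address_list="blocked-addr", timeout="1d"):
    """RouterOS commands that add each offender to the address list used by
    the page's firewall rules, with the same 1d timeout."""
    return [f"/ip firewall address-list add list={address_list} "
            f"address={ip} timeout={timeout}" for ip in offenders(text, limit)]


if __name__ == "__main__":
    for cmd in block_commands(SAMPLE, limit=2):
        print(cmd)
```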
Protection
- Limit incoming connections
An address with too many connections can be added to an address list for further blocking.
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
where LIMIT is the maximum number of connections per IP address.
- Action tarpit
Instead of simply dropping the attacker's packets (action=drop), the router can capture and hold the connections; with a powerful enough router this can exhaust the attacker.
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit
- SYN filtering
Some advanced filtering can be applied based on TCP packet state.
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no
"limit=400,5" is the threshold; just enable the jump rule in the forward chain and SYN packets for new connections above that rate will be dropped.
- SYN cookies
More info: SYN cookies.
/ip firewall connection tracking set tcp-syncookie=yes