DoS attack protection

From MikroTik Wiki
Revision as of 17:14, 28 February 2010 by Chronos (SYN filtering)

A DoS (Denial of Service) attack can overload the router: CPU usage goes to 100% and the router can become unreachable, with timeouts. Any per-packet operation that takes significant CPU power, such as firewalling (filter, nat, mangle) or logging, can cause overloading if too many packets per second arrive at the router.

Types

TCP SYN flood

More info: SYN flood.

Diagnose

A huge number of received TCP connections in the syn-sent state can be observed in the firewall connection list.

/ip firewall connection print
/tool torch

Protection

  • Limit incoming connections

An address with too many connections can be added to an address list for further blocking.

/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32  \
action=add-src-to-address-list  address-list=blocked-addr address-list-timeout=1d 
where LIMIT is the maximum number of connections per IP address.
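The following is an added example, not part of the original wiki page, showing offline what the Diagnose step and the connection-limit rule look at: it parses connection-list output in a constructed layout approximating "/ip firewall connection print" (the sample lines are constructed, not captured), counts half-open (syn-sent) TCP connections per source, and groups sources by a netmask the way connection-limit=LIMIT,32 does, so the addresses that would land in blocked-addr can be listed before the rule is enabled.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample approximating the layout of "/ip firewall connection print";
# not real captured output. 198.51.100.23 is the flooding source.
SAMPLE = """\
Flags: S - seen reply, A - assured
 #    PROTOCOL SRC-ADDRESS          DST-ADDRESS        TCP-STATE    TIMEOUT
 0 SA tcp      192.168.88.10:51022  203.0.113.7:80     established  23h59m
 1    tcp      198.51.100.23:40001  203.0.113.7:80     syn-sent     59s
 2    tcp      198.51.100.23:40002  203.0.113.7:80     syn-sent     59s
 3    tcp      198.51.100.23:40003  203.0.113.7:443    syn-sent     58s
 4    tcp      198.51.100.23:40004  203.0.113.7:22     syn-sent     58s
 5    tcp      198.51.100.77:3345   203.0.113.7:80     syn-sent     57s
 6    tcp      198.51.100.77:3346   203.0.113.7:80     syn-sent     57s
 7    udp      192.168.88.11:5353   224.0.0.251:5353                9s
"""

# One connection line: index, optional flag letters, protocol, src:port, dst:port,
# then an optional lowercase TCP state (absent for UDP).
LINE_RE = re.compile(
    r"^\s*\d+\s+(?:[A-Z]+\s+)?(?P<proto>\w+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+\s*(?P<state>[a-z-]+)?"
)


def parse_connections(text):
    """Return (protocol, src_ip, dst_ip, tcp_state) for each connection line."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append((m["proto"], m["src"], m["dst"], m["state"]))
    return conns


def half_open_per_source(conns, netmask=32):
    """Count syn-sent TCP connections per source, grouped by /netmask.
    connection-limit=LIMIT,NETMASK groups sources the same way (32 = one host)."""
    counts = Counter()
    for proto, src, _dst, state in conns:
        if proto == "tcp" and state == "syn-sent":
            net = ipaddress.ip_network(f"{src}/{netmask}", strict=False)
            counts[str(net)] += 1
    return counts


def sources_at_or_above(conns, limit, netmask=32):
    """Sources whose half-open count reaches LIMIT: candidates for blocked-addr.
    Whether the matcher fires at or only above LIMIT should be confirmed on the
    RouterOS version in use; this model fires at LIMIT."""
    counts = half_open_per_source(conns, netmask)
    return sorted(net for net, c in counts.items() if c >= limit)
```

Run with a real export of the connection list in place of SAMPLE to see which sources a given LIMIT would catch, and try netmask=24 to see how grouping by block changes the result.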
  • Action tarpit

Instead of simply dropping the attacker's packets (action=drop), the router can capture and hold the connections; with a powerful enough router, this can overwhelm the attacker.

/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit 
  • SYN filtering

Some more advanced filtering can be applied based on the TCP packet state.

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no

"limit=400,5" is the threshold (400 new SYN packets per second, with a burst of 5). The jump rule in the forward chain is added disabled; enable it so that SYN packets above that threshold are dropped when an excessive number of new connections arrives.

  • SYN cookies

More info: SYN cookies.

/ip firewall connection tracking set tcp-syncookie=yes

External links