DDoS

From MikroTik Wiki

"Protecting against a DDoS"

DDoS Overview

DDoS is the acronym for Distributed Denial of Service. In such an attack many hosts flood your network with traffic at the same time, so that the targeted service, or the link in front of it, can no longer serve legitimate users.

The flood can be built on UDP, TCP or ICMP, and each protocol has its own variants (I will not go into them here, since that is enough material for a separate topic).

Ouch I am flooded with a DDoS attack!

So one of my IPs got punked by a DDoS attack that was targeting a general web server. What I did with my MikroTik was fast and effective, so pay attention if you want to reduce or protect against the kind of web server DDoS attack that I experienced.

What I had to do in the heat of the moment to stop the DDoS attack was the following:

1.) First, calm down.

2.) Tick tock, time is speeding by and bandwidth is being consumed; but stay calm!

3.) Assess what kind of attack is occurring: UDP, TCP or ICMP (look at which protocol dominates the traffic).

4.) Assess the targeted IP address (which of your addresses the flood is aimed at).

5.) Do NOT reject the packets; that only amplifies the bandwidth slam. action=reject answers every flood packet with an ICMP error or a TCP RST, so the router spends upstream bandwidth and CPU replying to the attacker. You must DROP the packets, which discards them silently.

6.) Implement the following rules from the CLI:

These rules are adapted from the spam prevention script found elsewhere on this wiki. Note that they live in a custom chain named virus, so they only see traffic if a jump rule in the input or forward chain hands packets to that chain.

/ip firewall filter
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 \
   protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
   1d chain=virus comment="add to spammer list" connection-limit=30,32 \
   disabled=no dst-port=25 limit=10,5 protocol=tcp src-address-list=!smtpOK
add action=drop chain=virus comment="SMTP SPAM stopper!" disabled=no \
   dst-port=25 protocol=tcp src-address-list=!smtpOK
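
The rules above presume that steps 3 and 4 are already answered. As an added example that is not part of DesertAdmin's page, the following RouterOS script tallies the live connection table so you can see which protocol and which target address the flood is hitting, and which sources would trip a connection-limit of 40 per /32 before any rule is enabled. It assumes RouterOS v6 scripting and IPv4 addresses only (the ip:port split breaks on IPv6); the threshold of 40 mirrors the connection-limit used on the port 80 rule further down.

```routeros
# Added example, not part of the original page: tally the live connection
# table to answer steps 3 and 4 (which protocol, which target address) and
# to preview which sources the page's connection-limit=40,32 would list.
# Assumptions: RouterOS v6 scripting, IPv4 only, run from a terminal or
# via /system script run.
:local threshold 40
:local byTarget [:toarray ""]
:local bySource [:toarray ""]

:foreach c in=[/ip firewall connection find] do={
    :local proto [:tostr [/ip firewall connection get $c protocol]]
    :local dst [:tostr [/ip firewall connection get $c dst-address]]
    :local src [:tostr [/ip firewall connection get $c src-address]]

    # tcp/udp entries carry "ip:port"; icmp entries carry a bare ip, so
    # only strip the port when a colon is actually present
    :local p [:find $dst ":"]
    :if ([:typeof $p] = "num") do={ :set dst [:pick $dst 0 $p] }
    :set p [:find $src ":"]
    :if ([:typeof $p] = "num") do={ :set src [:pick $src 0 $p] }

    # connections per protocol+target: the biggest bucket is the attack
    :local key ($proto . " -> " . $dst)
    :if ([:typeof ($byTarget->$key)] = "num") do={
        :set ($byTarget->$key) (($byTarget->$key) + 1)
    } else={
        :set ($byTarget->$key) 1
    }

    # connections per source: the count that connection-limit=40,32 sees
    :if ([:typeof ($bySource->$src)] = "num") do={
        :set ($bySource->$src) (($bySource->$src) + 1)
    } else={
        :set ($bySource->$src) 1
    }
}

:put "connections per protocol and target address:"
:foreach k,v in=$byTarget do={ :put ("  " . $k . ": " . $v) }

:put ("sources above " . $threshold . " connections (would land on the spammer list):")
:foreach k,v in=$bySource do={
    :if ($v > $threshold) do={ :put ("  " . $k . ": " . $v) }
}
```

Run it before enabling the add-to-list rules: if your own NAT gateways or monitoring hosts show up in the second list, raise the threshold or put them on the smtpOK whitelist first, otherwise the rules below will list your own users.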


The same pattern works for DNS floods that hit your server relentlessly. Note that the two rules below only drop sources that are already on the spammer list; they do not populate it, so a host that only hits port 53 is never listed unless you add a matching add-src-to-address-list rule for port 53. Also keep in mind that a spoofed UDP flood carries a different forged source on every packet, so per-source listing cannot catch it; that case has to be filtered upstream.

/ip firewall filter
add action=drop chain=virus comment="Drop 53 DoS attack" disabled=no \
   dst-port=53 protocol=tcp src-address-list=spammer
add action=drop chain=virus comment="Drop 53 DoS attack" disabled=no \
   dst-port=53 protocol=udp src-address-list=spammer


And finally this is what I used, with some tweaking. Watch this one closely and make sure that outside users can still pull up your web page; you may need to modify the connection limit. I started with 40, but you may need to raise it for normal use (a browser opens several connections for one page, and many users behind one NAT address share a single source IP), or reduce it to build your spammer list faster and block the DDoS bots.

/ip firewall filter
add action=drop chain=virus comment="Drop 80 DoS attack" disabled=no \
   dst-port=80 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
   2d chain=virus comment="add HTTP flooder to spammer list" connection-limit=40,32 \
   disabled=no dst-port=80 limit=20,5 protocol=tcp src-address-list=!smtpOK

Yes, I know that I am reusing the spammer address list, but if the bots are attacking on several vectors at once, this is how you protect yourself in a moment of crisis against some script kiddie. Once the DDoS attack has subsided you should disable the last set of rules for the port 80 attack so that your websites work without a problem. This is only meant as temporary protection and not to be run at all times, unless you fully understand how many connections one page load on your site normally opens.
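
Pulling the three rule sets together, as an added example that is not DesertAdmin's posted configuration: the script below assembles the SMTP, DNS and HTTP rules into one paste-able block and adds the pieces the page leaves implicit, namely the jump rules that route traffic into the virus chain, an add-to-list rule for port 53 so DNS floods actually populate the list, and the smtpOK whitelist created from the CLI. It goes beyond the page in one respect: listed sources are dropped on every port, not only on 25, 53 and 80. It leaves out the page's "SMTP SPAM stopper" rule, which would block all inbound mail that is not whitelisted. Assumptions: RouterOS v6, the protected servers sit behind the router (chain=forward), and 192.0.2.0/24 is a placeholder for your internal network.

```routeros
# Added example, not the page's rules as posted: the SMTP, DNS and HTTP rule
# sets in one script plus the jump rules, a DNS add-to-list rule and the
# smtpOK whitelist. Assumptions: RouterOS v6, servers behind the router
# (chain=forward), 192.0.2.0/24 stands in for your internal network.

# The whitelist: sources on smtpOK are never counted, listed or dropped
/ip firewall address-list
add list=smtpOK address=192.0.2.0/24 comment="internal network, never rate-limited"

/ip firewall filter
# Rules in chain=virus only run when a jump rule sends packets there; when the
# chain finishes without a match, processing returns to the calling chain.
# Put these before any accept rule that would short-circuit the flood.
add chain=forward action=jump jump-target=virus comment="send forwarded traffic to the virus chain"
add chain=input action=jump jump-target=virus comment="same for traffic addressed to the router"

# Drop (never reject) everything from a source already on the list
add chain=virus action=drop src-address-list=spammer comment="drop listed flood sources"

# SMTP: more than 30 connections from one /32 that is not whitelisted lists the
# source for a day. limit=10,5 is written in the page's form; v6 shows it as 10,5:packet.
add chain=virus action=add-src-to-address-list address-list=spammer \
    address-list-timeout=1d protocol=tcp dst-port=25 connection-limit=30,32 \
    limit=10,5 src-address-list=!smtpOK comment="list SMTP flooders"

# DNS: the page only drops listed sources on port 53; this rule populates the
# list. Per-source counting does nothing against a spoofed-source UDP flood.
add chain=virus action=add-src-to-address-list address-list=spammer \
    address-list-timeout=1d protocol=udp dst-port=53 connection-limit=30,32 \
    limit=10,5 src-address-list=!smtpOK comment="list DNS flooders"

# HTTP: the page's threshold of 40 per /32; raise it if many users share one
# NAT address. Disable this rule again once the attack subsides.
add chain=virus action=add-src-to-address-list address-list=spammer \
    address-list-timeout=2d protocol=tcp dst-port=80 connection-limit=40,32 \
    limit=20,5 src-address-list=!smtpOK comment="list HTTP flooders"
```

Verify the jump rules are actually being hit with /ip firewall filter print stats; if the counters on the virus chain stay at zero during a flood, the jump sits below an accept rule and the chain is never reached.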

This is provided just to show you how to give your MikroTik the ability to protect against bot attacks.

Renting a botnet costs the attacker money, so attacks of this form are rare. But if you have made enemies on the Internet and someone rents a bot herd to attack you, this is what you do to protect yourself.

NOTE: Always add your internal network to your smtpOK address list; that list is your whitelist, and a source on it is never counted against the connection limits or added to the spammer list. Be aware that the last SMTP rule above drops every port 25 connection whose source is not on smtpOK, so if inbound mail for your own mail server passes through this router, disable that rule or it will block your mail. You can make your lists by going to:

->IP->Firewall->Address list

Click on the plus sign, give it the name smtpOK and then add your internal address range.

-Sincerely, DesertAdmin