Mikrotik DDoS and SYN Flood

Mikrotik DDoS and SYN Flood rules

I will present some rules you can apply to protect yourself from some DDoS and SYN flood attacks, or at least to mitigate them as much as you can. I say some because it depends on how much traffic your ISP, your connection(s) and your devices can handle. I consider this attack very dangerous because in some cases you can do very little or nothing, for example if you receive traffic of around 100 Gbit/s; very few organizations can absorb that. How much you get depends on how many enemies you have made and how many botnet zombies they have hired from the attackers.

Some considerations you need to make:

These apply to many situations!

  1. Have as much bandwidth as possible, and backup connections to your network from different ISPs.
  2. Use high-end devices, like the RB1000 or higher, that can handle "some" traffic.
  3. Do not use the reject action in your rules: every rejected packet generates a reply and that puts a lot of overhead on the CPU. Use drop instead, or create a blackhole route for the attackers.
  4. If you can, use the lists of IP ranges published on the ОКЕАН (OCEAN) web site to block the APNIC region. A script on the Mikrotik can automate downloading the list, formatting it and filling the address list your rules match on.
  5. I would strongly suggest that you also use the Spamhaus DROP list of stolen ("hijacked") netblocks and netblocks controlled entirely by criminals and professional spammers.
  6. Lighten the router's CPU load: disable logging and disable unused resources and packages.
  7. If you get caught in the fire, you have two options:
    1. The most effective is mitigating the attack with a cloud service like CloudFlare or another good CDN.
    2. Pray you hold the line (I hope you have the guts and resources).
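
Item 4 describes automating the download-format-load cycle. The script below is an added example for this article, not code from the original post or from Spamhaus: it parses the plain-text layout the Spamhaus DROP list is published in (';' starts a comment, entries are "CIDR ; SBLnnnnnn") and emits the RouterOS v6 commands that fill the address list the firewall rules later on this page match on, or, for item 3, a blackhole route per network instead. The input is a constructed sample, the list name DROP and the RFC1918 exemptions are assumptions you adjust to your own prefixes.

```python
"""Turn a Spamhaus-style DROP list into RouterOS address-list commands.

Added example for this article, not code from the original post. The DROP
list is plain text: ';' starts a comment, entries are "CIDR ; SBLnnnnnn".
A filter rule with src-address-list=DROP only works once that list is
filled; this produces the .rsc fragment that fills it (or blackhole routes,
consideration 3). The input below is constructed, not a real download.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample in the DROP file layout: header comments, entries in
# both spacings, a corrupt line and a private range that must never be added.
SAMPLE_DROP = """\
; Spamhaus DROP List - constructed sample for this example
; Last-Modified: Thu, 01 Jan 2015 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24;SBL000003
not-an-address ; SBL000004
10.0.0.0/8 ; SBL000005
"""

# Prefixes that must never end up in a drop list (assumption: add your own).
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_drop(text: str, exempt: Iterable[str] = RFC1918) -> List[Tuple[str, str]]:
    """Return (network, SBL id) pairs. Comment lines, unparsable lines and
    anything overlapping `exempt` are skipped, so a truncated or tampered
    download cannot lock you out of your own networks."""
    exempt_nets = [ipaddress.ip_network(e) for e in exempt]
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        net_text, _, sbl = line.partition(";")
        try:
            net = ipaddress.ip_network(net_text.strip())
        except ValueError:
            continue  # never feed junk to the router
        if any(net.overlaps(x) for x in exempt_nets):
            continue
        entries.append((str(net), sbl.strip()))
    return entries


def to_routeros(entries, list_name: str = "DROP", blackhole: bool = False) -> List[str]:
    """RouterOS v6 commands: refill the address list the filter rules match
    on, or (blackhole=True) one blackhole route per network instead."""
    if blackhole:
        return ["/ip route"] + [
            f'add dst-address={net} type=blackhole comment="{sbl}"' for net, sbl in entries]
    return ["/ip firewall address-list", f"remove [find list={list_name}]"] + [
        f'add list={list_name} address={net} comment="{sbl}"' for net, sbl in entries]


if __name__ == "__main__":
    print("\n".join(to_routeros(parse_drop(SAMPLE_DROP))))
```

Write the output to a file, upload it to the router and load it with /import; the remove line at the top means a fresh import replaces stale entries instead of piling them up. Pass your own prefixes in exempt, because the drop rules on this page sit before any whitelist and a bad list entry covering your networks would cut you off.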

Here are some defensive mechanisms for DDoS protection:

Follow this very basic logic: deny some, allow some, deny all.

FIRST

Let's block the bad networks reported by the Spamhaus DROP list. The rule matches an address list named DROP, which has to be filled beforehand (see consideration 4). It covers forwarded traffic only; add the same rule with chain=input if you want the router itself covered too.

Add the Spamhaus DROP list rule:

/ip firewall filter
add action=drop chain=forward comment="SPAMHOUSE DROP SCUM" \
    disabled=no in-interface="YOUR EXT INT" src-address-list=DROP

SECOND

Another good source is the ОКЕАН CNKR IP ranges, used to block China and North Korea. Again the address list (here CNKR) must exist before the rule does anything.

Add the ОКЕАН CNKR IP block rule:

/ip firewall filter
add action=drop chain=forward comment="DROP CNKR SCUM" \
    disabled=no in-interface="YOUR EXT INT" src-address-list=CNKR

THIRD

Add the SYN flood protection. New TCP connections (SYN) from anyone not on the WhiteList jump to the SYN-Protect chain; within the limit the return rule sends them back, above it they are logged and (once you enable the last rule) dropped:

/ip firewall filter
add chain=input action=jump jump-target=SYN-Protect protocol=tcp tcp-flags=syn \
    connection-state=new src-address-list=!WhiteList in-interface="YOUR EXT INT" \
    comment="SYN Flood protect"
add chain=forward action=jump jump-target=SYN-Protect protocol=tcp tcp-flags=syn \
    connection-state=new src-address-list=!WhiteList in-interface="YOUR EXT INT"
add chain=SYN-Protect action=return protocol=tcp tcp-flags=syn connection-state=new \
    src-address-list=!WhiteList dst-limit=100,100,dst-address-and-port/10s
add chain=SYN-Protect action=log protocol=tcp tcp-flags=syn connection-state=new \
    log-prefix=""
add chain=SYN-Protect action=drop protocol=tcp tcp-flags=syn connection-state=new \
    disabled=yes

You will probably need to adjust the limits to match your peak traffic time. dst-limit=100,100,dst-address-and-port/10s means 100 new SYNs per second with a burst of 100, counted per destination address and port, with idle counters expiring after 10 seconds. You should also create an address list (WhiteList) for IP addresses such as your internal NETs so they never enter the chain. The drop rule starts disabled so you can watch the log first; once the limits are right, enable it and consider disabling the log rule, because logging every excess SYN during a flood costs CPU (see consideration 6). Keep in mind that if you want the limits to leave your real traffic alone, constant monitoring of the traffic is necessary to adjust them. This applies to both the SYN and the connection limits.

FOURTH

Set the connection limits. Every new connection from a non-whitelisted source jumps to the RateLimit chain; sources that exceed the per source-destination pair limit are added to the RateLimitAbuse list and then dropped:

/ip firewall filter
add chain=input action=jump jump-target=RateLimit connection-state=new \
    src-address-list=!WhiteList in-interface="YOUR EXT INT" comment="RATE LIMIT"
add chain=forward action=jump jump-target=RateLimit connection-state=new \
    src-address-list=!WhiteList in-interface="YOUR EXT INT"
add chain=RateLimit action=return connection-state=new \
    dst-limit=100,100,src-and-dst-addresses/10s
add chain=RateLimit action=add-src-to-address-list connection-state=new \
    address-list=RateLimitAbuse address-list-timeout=0s
add chain=RateLimit action=drop connection-state=new \
    src-address-list=RateLimitAbuse disabled=yes

Here it is necessary to have a whitelist for your internal NETs, at least to ensure they don't get caught by the limits. Also adjust the limits according to your traffic. The drop rule is disabled so you can first see what you catch; after you are sure about the limits, and you are not catching any real traffic, enable the rule. Note that address-list-timeout=0s keeps an offender in RateLimitAbuse permanently; a finite timeout (for example 1h) lets a misconfigured or recovered host back in without manual cleanup.
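
Both the SYN-Protect and the RateLimit rules above rely on dst-limit, and the text says the limits must be tuned against real traffic. The following is an added example for this article, not code from the original post or from MikroTik: a token-bucket model of dst-limit=rate,burst,mode/expire that replays a log of new connections and reports, per mode, what the 100,100 limit would have passed and dropped. The model is an approximation of RouterOS behaviour, the traffic is constructed (a distributed SYN flood on one port, ten real clients connecting during it, and a whitelisted internal host), and the addresses are documentation ranges.

```python
"""Replay a log of new connections through a dst-limit-style token bucket.

Added example for this article, not code from the original post or from
MikroTik. RouterOS dst-limit=rate,burst,mode/expire is a per-key token
bucket; the SYN-Protect and RateLimit rules use 100,100 with different key
modes. This model lets you replay a capture and see how many connections
each limit would have passed or dropped before enabling the drop rules.
All traffic below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SCALE = 1_000_000  # microseconds and micro-tokens: exact integer arithmetic


@dataclass
class Conn:
    t: int        # arrival time in microseconds
    src: str
    dst: str
    dport: int


# dst-limit classifier modes -> bucket key
MODES: Dict[str, Callable[[Conn], tuple]] = {
    "dst-address-and-port": lambda c: (c.dst, c.dport),  # SYN-Protect rule
    "src-and-dst-addresses": lambda c: (c.src, c.dst),   # RateLimit rule
    "src-address": lambda c: (c.src,),
}


class DstLimit:
    """Per-key bucket: starts full at `burst`, refills `rate` tokens/s,
    each packet costs one token; a bucket idle for `expire_s` is forgotten."""

    def __init__(self, rate: int, burst: int, mode: str, expire_s: int):
        self.rate, self.burst = rate, burst * SCALE
        self.keyfn, self.expire = MODES[mode], expire_s * SCALE
        self.buckets: Dict[tuple, Tuple[int, int]] = {}  # key -> (tokens, last_t)

    def allow(self, c: Conn) -> bool:
        key = self.keyfn(c)
        tokens, last = self.buckets.get(key, (self.burst, c.t))
        if c.t - last >= self.expire:
            tokens, last = self.burst, c.t          # expired: fresh bucket
        tokens = min(self.burst, tokens + (c.t - last) * self.rate)
        ok = tokens >= SCALE                        # within limit -> "return"
        if ok:
            tokens -= SCALE
        self.buckets[key] = (tokens, c.t)
        return ok


def replay(conns, limiter, whitelist=frozenset()) -> List[Tuple[Conn, bool]]:
    """Decision for every connection that enters the chain; sources on the
    WhiteList never reach the jump rule (src-address-list=!WhiteList)."""
    return [(c, limiter.allow(c))
            for c in sorted(conns, key=lambda c: c.t) if c.src not in whitelist]


def count(decisions, pred) -> Tuple[int, int]:
    """(passed, dropped) for the connections matching pred."""
    hits = [ok for c, ok in decisions if pred(c)]
    return sum(hits), len(hits) - sum(hits)


# Constructed traffic: 300 SYNs in 0.6 s from 50 sources to 198.51.100.10:80,
# ten real clients connecting to the same port during the flood, and an
# internal host (on the WhiteList) opening 200 connections.
VICTIM = "198.51.100.10"
TRAFFIC: List[Conn] = (
    [Conn(2_000 * i, f"203.0.113.{i % 50 + 1}", VICTIM, 80) for i in range(300)]
    + [Conn(301_000 + 10_000 * j, f"192.0.2.{j + 1}", VICTIM, 80) for j in range(10)]
    + [Conn(500 * k, "192.168.1.5", VICTIM, 80) for k in range(200)]
)
WHITELIST = frozenset({"192.168.1.5"})   # your internal NETs (assumed)


def run(mode: str, rate: int = 100, burst: int = 100) -> List[Tuple[Conn, bool]]:
    return replay(TRAFFIC, DstLimit(rate, burst, mode, expire_s=10), WHITELIST)


if __name__ == "__main__":
    for mode in ("dst-address-and-port", "src-and-dst-addresses"):
        d = run(mode)
        print(mode, "flood:", count(d, lambda c: c.src.startswith("203.0.113.")),
              "legit:", count(d, lambda c: c.src.startswith("192.0.2.")))
```

The two modes fail in opposite ways on this input. Keyed by destination address and port (SYN-Protect), the bucket throttles the flood to roughly burst plus rate times duration, but the real clients connecting to the attacked port share that bucket and are starved with it. Keyed by source and destination address (RateLimit), every attacking source stays under 100 and the distributed flood passes untouched while the real clients are fine. That is why the text insists on a whitelist and on tuning against your own peak traffic: replace TRAFFIC with connections parsed from your logs and try rate and burst values until the legitimate set shows no drops.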


After all of this, add your ALLOW rules, followed by the DENY ALL rules. Rule order matters: the drops and jumps above must sit before the allows, otherwise the allows match first and the protection never runs.
