Mikrotik DDoS and SYN Flood rules
I will present some rules which you can apply to protect yourself from some of the DDoS or SYN flood attacks, or at least to mitigate them as much as you can. I say some because it depends on how much traffic your ISP -> your connection(s) -> your devices can handle. I consider this attack very dangerous because in some cases you can do very little or nothing if you experience traffic of, let's say, around 100 Gbit/s. Very few organizations can handle this kind of traffic. It depends on how many enemies you have made and how many botnet zombies they hired from the attacker(s) for the attack.
Some considerations you need to make:
These apply to many situations!
- Have as much bandwidth as possible and backup connections to your network from different ISPs.
- Try to use high-end devices, like the RB1000 or higher, that can handle “some” traffic.
- Do not use the reject action in your rules; it puts a lot of overhead on your CPU. Use drop instead, or create a blackhole route for the attackers.
- If you can, use lists of IP ranges to block the APNIC region from the ОКЕАН (OCEAN) web site. You could use a script on the Mikrotik to automate downloading, formatting and setting the rules on your Mikrotik.
- I would strongly suggest that you also use the SPAMHOUSE DROP list of stolen (‘hijacked’) netblocks and netblocks controlled entirely by criminals and professional spammers.
- Lighten the router's CPU load: disable logging and disable unused resources and packages.
- If you get caught in the fire, you have two options:
- The most effective is mitigating the attack with cloud services like CloudFlare or another good CDN network.
- Pray you will hold the line (I hope you have the guts and resources).
Here are some defensive mechanisms for DDoS protection:
Follow this very basic logic: Deny some, Allow some, Deny all.
Let's block some bad networks reported by the SPAMHOUSE DROP list.
Add the SPAMHOUSE DROP list:
/ip firewall filter
# drop forwarded traffic whose source is in the DROP address list
add action=drop chain=forward comment="SPAMHOUSE DROP SCUM" disabled=no in-interface="YOUR EXT INT" src-address-list=DROP
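The rule above only works if the DROP address list is actually populated and kept current. As an added example (not code from the original post), here is a small Python script that turns a Spamhaus-style DROP text file into the RouterOS address-list commands the rule consumes. The input is a constructed sample in the published DROP format (one CIDR per line, `;` starts either a comment line or the SBL reference after the network); the list name DROP and the networks themselves are assumptions. The download step is left to `/tool fetch` or a cron job on a management host, so the script runs offline.

```python
# Added example (not from the original post): convert a Spamhaus-style DROP
# list into a RouterOS .rsc fragment that rebuilds the "DROP" address list.
import ipaddress

# Constructed sample in the DROP text format: lines starting with ';' are
# comments, otherwise "network ; reference". The networks below are made up
# (RFC 5737 documentation ranges) and two lines are deliberately malformed.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24
not a network ; SBL000003
10.0.0.5/33 ; invalid prefix length
"""


def parse_drop_list(text):
    """Return a list of (network, reference) tuples.

    Comment lines and anything that is not a valid IPv4 network are skipped,
    so a corrupted download never produces a rule that blocks 0.0.0.0/0 or
    fails the whole import.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.IPv4Network(cidr.strip(), strict=False)
        except ValueError:
            continue  # malformed line: do not emit anything for it
        entries.append((str(net), ref.strip()))
    return entries


def to_routeros(entries, list_name="DROP"):
    """Emit an .rsc fragment: flush the old list, then re-add every network."""
    lines = ["/ip firewall address-list",
             f"remove [find list={list_name}]"]
    for net, ref in entries:
        comment = f' comment="{ref}"' if ref else ""
        lines.append(f"add list={list_name} address={net}{comment}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # In practice: feed the downloaded drop.txt in and import the output
    # with "/import file-name=drop.rsc" on the router.
    print(to_routeros(parse_drop_list(SAMPLE_DROP)))
```

Flushing the list before re-adding it keeps the router in sync with the upstream file (networks removed upstream disappear locally too), and the brief window between remove and add only affects the DROP rule, not the rest of the firewall.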
Another good source to add are the ОКЕАН IP ranges to block China and North Korea.
Add the ОКЕАН CNKR IP blocks:
/ip firewall filter
# drop forwarded traffic whose source is in the CNKR address list
add action=drop chain=forward comment="DROP CNKR SCUM" disabled=no in-interface="YOUR EXT INT" src-address-list=CNKR
Add a SYN flood protection:
/ip firewall filter
# send every new inbound SYN from outside (sources not on the WhiteList) through the SYN-Protect chain
add chain=input action=jump jump-target=SYN-Protect comment="SYN Flood protect" protocol=tcp tcp-flags=syn connection-state=new src-address-list=!WhiteList in-interface=<EXT INT>
add chain=forward action=jump jump-target=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new src-address-list=!WhiteList in-interface=<EXT INT>
# within the per-destination limit: hand the packet back to the calling chain
add chain=SYN-Protect action=return protocol=tcp tcp-flags=syn connection-state=new src-address-list=!WhiteList dst-limit=100,100,dst-address-and-port/10s
# over the limit: log it, then drop it (the drop stays disabled until the limits have been verified against real traffic)
add chain=SYN-Protect action=log protocol=tcp tcp-flags=syn connection-state=new log-prefix="SYN-Protect"
add chain=SYN-Protect action=drop protocol=tcp tcp-flags=syn connection-state=new disabled=yes
You will probably need to adjust the limits to match your peak traffic time. You could also create an address list to whitelist IP addresses such as your internal nets. Keep in mind that if you want to keep the limits from blocking your real traffic, constant monitoring of the traffic is necessary to adjust the limits. This applies to both the SYN and the connection limits.
Set the connection limits:
/ip firewall filter
# send every new connection from outside (sources not on the WhiteList) through the RateLimit chain
add chain=input action=jump jump-target=RateLimit comment="RATE LIMIT" connection-state=new src-address-list=!WhiteList in-interface=<EXT INT>
add chain=forward action=jump jump-target=RateLimit connection-state=new src-address-list=!WhiteList in-interface=<EXT INT>
# within the per-source/destination-pair limit: hand the packet back to the calling chain
add chain=RateLimit action=return connection-state=new dst-limit=100,100,src-and-dst-addresses/10s
# over the limit: record the source; address-list-timeout=0s keeps the entry until you remove it by hand
add chain=RateLimit action=add-src-to-address-list connection-state=new address-list=RateLimitAbuse address-list-timeout=0s
# drop new connections from recorded abusers (disabled until the limits have been verified)
add chain=RateLimit action=drop connection-state=new src-address-list=RateLimitAbuse disabled=yes
Here it is necessary to have a whitelist for your internal nets, at least to ensure they don't get caught by the limits. Also adjust your limits according to your traffic. The drop rule is disabled so you can first see what you catch. Once you are sure about the limits, enable the rule if you are not catching any real traffic.
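Both the SYN-Protect and the RateLimit chains hinge on the dst-limit matcher, and "adjust the limits to match your peak traffic" is hard to do without a feel for what rate and burst mean. As an added example (not code from the original post), the following Python model treats dst-limit=rate,burst,mode as a per-key token bucket that starts with burst tokens and refills at rate tokens per second; a packet matches the return rule only when a token is available, otherwise it falls through to log and drop. This is an assumed approximation of RouterOS behaviour (the /10s expire field is ignored and the refill is continuous), meant for reasoning about limits against a replay of your own connection timings, not as a reference implementation. The traffic below is constructed: a 1000-packet SYN flood against one host and port within one second, plus a normal client opening five connections to another port over five seconds.

```python
# Added example (not from the original post): a token-bucket model of the
# dst-limit matcher used by the SYN-Protect and RateLimit chains.
# Assumed semantics: dst-limit=rate,burst,mode keeps one bucket per key,
# initially holding `burst` tokens, refilled at `rate` tokens per second,
# and the rule matches a packet only when a whole token is available.
from collections import defaultdict


class DstLimit:
    """Per-key token bucket. Timestamps are integer milliseconds and tokens
    are kept in thousandths so the simulation is exact, not floating point."""

    def __init__(self, rate, burst):
        self.rate = rate                 # tokens per second == milli-tokens per ms
        self.capacity = burst * 1000     # bucket size in milli-tokens
        self.tokens = {}
        self.last = {}

    def match(self, key, now_ms):
        tokens = self.tokens.get(key, self.capacity)
        last = self.last.get(key, now_ms)
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        self.last[key] = now_ms
        if tokens >= 1000:
            self.tokens[key] = tokens - 1000
            return True                  # rule matches: action=return, packet allowed
        self.tokens[key] = tokens
        return False                     # no match: falls through to log/drop


def simulate(events, rate=100, burst=100):
    """events: iterable of (timestamp_ms, src_ip, dst_ip, dst_port).
    Returns {(dst_ip, dst_port): (allowed, over_limit)} for the
    dst-address-and-port mode used by the SYN-Protect chain."""
    limiter = DstLimit(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, _src, dst, port in sorted(events):
        key = (dst, port)
        if limiter.match(key, ts):
            stats[key][0] += 1
        else:
            stats[key][1] += 1
    return {k: tuple(v) for k, v in stats.items()}


# Constructed traffic (documentation address ranges, nothing real):
# one SYN per millisecond for a second against 192.0.2.10:443 from 250 sources,
# and one connection per second for five seconds to 192.0.2.10:22.
FLOOD = [(i, f"198.51.100.{i % 250}", "192.0.2.10", 443) for i in range(1000)]
NORMAL = [(i * 1000, "203.0.113.7", "192.0.2.10", 22) for i in range(5)]

if __name__ == "__main__":
    for (dst, port), (ok, over) in simulate(FLOOD + NORMAL).items():
        print(f"{dst}:{port} allowed={ok} over_limit={over}")
```

With rate=100 and burst=100 the flood gets its first 100 SYNs through from the initial burst, about 100 more from refill during that second, and everything else falls through to the log and drop rules, while the slow client never touches the limit. Replaying a capture of your own busiest minute through `simulate` with candidate values is a quick way to see whether a limit would have hit legitimate traffic before you enable the drop rule.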