Use tarpit vs drop for scripts blocking attackers

There are many scripts out there, especially on Mikrotik, which list drop as the action for denying bad guy traffic.  While this isn’t wrong, you could put the tarpit action to better use for actions which are dropping attacking type of traffic.

So what is Tarpit?
Tarpit is fairly simple. When connections come in and are “tarpitted” they don’t go back out. The connection is accepted, but when data transfer begins to happen, the TCP window size is set to zero.  This means no data can be transferred during the session.  The session is held open, and requests from the sender (aka attacker) to close the session are ignored. They must wait for the connection to timeout.

So what’s the downside?
TCP is not really designed to hold onto a connection.  It can be additional overhead on a taxed system.  Most modern firewalls can handle tarpitting without an issue. However, if you get thousands of connections it can overwhelm a system or a particular protocol.

How can I use it?
If you have scripts, such as the SSH drop off the Mikrotik wiki, simply change the action to “tarpit” instead of “drop”.

Quick and dirty DDoS mitigation for Mikrotik

Update: This article is not meant  to be a permanent solution.  It’s a way to stop the tidal wave of traffic you could be getting.  Many times it’s important to just get the customers up to some degree while you figure out the best course of action.  

Many of the Denial of Service (DDoS) attacks many folks see these days involve attacks coming from APNIC (Asia Pacific) IP addresses.  A trend is to open as many connections as possible and overwhelm the number of entries in the connection table. You are limited to 65,535 ports to be open.  Ports below 10000 are reserved ports, but anything above that can be used for client type connections.

 Now, Imagine you have a botnet with 10,000 computers all bearing their weight on your network.  Say you have a web-site someone doesn’t like.  If these 10,000 machines all send just 7 legitimate GET requests to your web-server you can bring, even a big router to a grinding halt.   Firewalls, due to the extra CPU they are exerting, are even more prone to these types of attacks.

So, how do you begin to mitigate this attack? By the time you are under attack you are in defensive mode.  Someone, or alot of someone’s, are at your door trying to huff and puff and blow your house down. You need to slow the tide.  One of the first things you can do is start refusing the traffic. A simple torch normally shows many of the attacking IPs, are from APNIC.  If this is the case, we enable a firewall rule that says if the IP is not sourced from the below “ARIN” address list go ahead and drop it.

add chain=forward comment="WebServer ACL" dst-address=1.2.3.4 src-address-list=!ARIN action=drop

The above rule says if our attacked host is being contacted by anything not on the “ARIN” list go ahead and drop it.

Make sure to paste this into /ip firewall address-list . These were copied off the ARIN web-site as of this writing. APNIC and other registries all have similar lists. Keep in mind, this won’t stop the traffic from coming to you, but will shield you some in order to have a somewhat functional network while you track down the issues.

Some people will say to blackhole the IP via a BGP blackhole server, but if you have production machines on the attacked host taking them offline for the entire world could be a problem.  This way, you are at least limiting who can talk to them.

add address=23.0.0.0/8 list=ARIN
add address=24.0.0.0/8 list=ARIN
add address=45.16.0.0/12 list=ARIN
add address=45.32.0.0/11 list=ARIN
add address=45.72.0.0/13 list=ARIN
add address=50.0.0.0/8 list=ARIN
add address=63.0.0.0/8 list=ARIN
add address=64.0.0.0/8 list=ARIN
add address=65.0.0.0/8 list=ARIN
add address=66.0.0.0/8 list=ARIN
add address=67.0.0.0/8 list=ARIN
add address=68.0.0.0/8 list=ARIN
add address=69.0.0.0/8 list=ARIN
add address=70.0.0.0/8 list=ARIN
add address=71.0.0.0/8 list=ARIN
add address=72.0.0.0/8 list=ARIN
add address=73.0.0.0/8 list=ARIN
add address=74.0.0.0/8 list=ARIN
add address=75.0.0.0/8 list=ARIN
add address=76.0.0.0/8 list=ARIN
add address=96.0.0.0/8 list=ARIN
add address=97.0.0.0/8 list=ARIN
add address=98.0.0.0/8 list=ARIN
add address=99.0.0.0/8 list=ARIN
add address=100.0.0.0/8 list=ARIN
add address=104.0.0.0/8 list=ARIN
add address=107.0.0.0/8 list=ARIN
add address=108.0.0.0/8 list=ARIN
add address=135.0.0.0/8 list=ARIN
add address=136.0.0.0/8 list=ARIN
add address=142.0.0.0/8 list=ARIN
add address=147.0.0.0/8 list=ARIN
add address=162.0.0.0/8 list=ARIN
add address=166.0.0.0/8 list=ARIN
add address=172.0.0.0/8 list=ARIN
add address=173.0.0.0/8 list=ARIN
add address=174.0.0.0/8 list=ARIN
add address=184.0.0.0/8 list=ARIN
add address=192.0.0.0/8 list=ARIN
add address=198.0.0.0/8 list=ARIN
add address=199.0.0.0/8 list=ARIN
add address=204.0.0.0/8 list=ARIN
add address=205.0.0.0/8 list=ARIN
add address=206.0.0.0/8 list=ARIN
add address=207.0.0.0/8 list=ARIN
add address=208.0.0.0/8 list=ARIN
add address=209.0.0.0/8 list=ARIN
add address=216.0.0.0/8 list=ARIN