{"id":463,"date":"2015-12-23T15:42:00","date_gmt":"2015-12-23T15:42:00","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=463"},"modified":"2015-12-23T18:52:22","modified_gmt":"2015-12-23T18:52:22","slug":"quick-and-dirty-dddos-protection-for-mikrotik","status":"publish","type":"post","link":"http:\/\/www.mtin.net\/blog\/quick-and-dirty-dddos-protection-for-mikrotik\/","title":{"rendered":"Quick and dirty DDoS mitigation for Mikrotik"},"content":{"rendered":"<p class=\"p1\"><span style=\"color: #0000ff;\">Update: This article is not meant to be a permanent solution. It&#8217;s a way to stop the tidal wave of traffic you could be getting. Many times it&#8217;s important to just get the customers up to some degree while you figure out the best course of action.<\/span><\/p>\n<p class=\"p1\">Many of the Distributed Denial of Service (DDoS) attacks folks see these days come from APNIC (Asia Pacific) IP addresses. A common trend is to open as many connections as possible and overwhelm the connection table. You are limited to 65,535 ports that can be open. Ports below 10000 are reserved ports, but anything above that can be used for client-type connections.<\/p>\n<p class=\"p1\">Now, imagine you have a botnet of 10,000 computers all bearing down on your network. Say you have a web site someone doesn&#8217;t like. If those 10,000 machines each send just 7 legitimate GET requests to your web server, you can bring even a big router to a grinding halt. Firewalls, because of the extra CPU work they do per connection, are even more prone to these types of attacks.<\/p>\n<p class=\"p1\">So, how do you begin to mitigate this attack? By the time you are under attack you are in defensive mode. Someone, or a lot of someones, are at your door trying to huff and puff and blow your house down. You need to slow the tide. One of the first things you can do is start refusing the traffic. A simple torch normally shows that many of the attacking IPs are from APNIC. If this is the case, we enable a firewall rule that says: if the source IP is not on the &#8220;ARIN&#8221; address list below, drop it.<\/p>\n<pre class=\"p1\">add chain=forward comment=\"WebServer ACL\" dst-address=1.2.3.4 src-address-list=!ARIN action=drop<\/pre>\n<p class=\"p1\">The above rule (added under \/ip firewall filter) says that if our attacked host, 1.2.3.4 here, is being contacted by anything not on the &#8220;ARIN&#8221; list, drop it.<\/p>\n<p class=\"p1\">Make sure to paste the list below into \/ip firewall address-list. These prefixes were copied off the ARIN web site as of this writing. APNIC and the other registries all publish similar lists. Keep in mind, this won&#8217;t stop the traffic from reaching you, but it will shield you somewhat so you can have a mostly functional network while you track down the issue.<\/p>\n<p class=\"p1\">Some people will say to blackhole the IP via a BGP blackhole server, but if you have production machines on the attacked host, taking them offline for the entire world could be a problem. This way, you are at least limiting who can talk to them.<\/p>\n<pre class=\"p1\">add address=23.0.0.0\/8 list=ARIN\r\nadd address=24.0.0.0\/8 list=ARIN\r\nadd address=45.16.0.0\/12 list=ARIN\r\nadd address=45.32.0.0\/11 list=ARIN\r\nadd address=45.72.0.0\/13 list=ARIN\r\nadd address=50.0.0.0\/8 list=ARIN\r\nadd address=63.0.0.0\/8 list=ARIN\r\nadd address=64.0.0.0\/8 list=ARIN\r\nadd address=65.0.0.0\/8 list=ARIN\r\nadd address=66.0.0.0\/8 list=ARIN\r\nadd address=67.0.0.0\/8 list=ARIN\r\nadd address=68.0.0.0\/8 list=ARIN\r\nadd address=69.0.0.0\/8 list=ARIN\r\nadd address=70.0.0.0\/8 list=ARIN\r\nadd address=71.0.0.0\/8 list=ARIN\r\nadd address=72.0.0.0\/8 list=ARIN\r\nadd address=73.0.0.0\/8 list=ARIN\r\nadd address=74.0.0.0\/8 list=ARIN\r\nadd address=75.0.0.0\/8 list=ARIN\r\nadd address=76.0.0.0\/8 list=ARIN\r\nadd address=96.0.0.0\/8 list=ARIN\r\nadd address=97.0.0.0\/8 list=ARIN\r\nadd address=98.0.0.0\/8 list=ARIN\r\nadd address=99.0.0.0\/8 list=ARIN\r\nadd address=100.0.0.0\/8 list=ARIN\r\nadd address=104.0.0.0\/8 list=ARIN\r\nadd address=107.0.0.0\/8 list=ARIN\r\nadd address=108.0.0.0\/8 list=ARIN\r\nadd address=135.0.0.0\/8 list=ARIN\r\nadd address=136.0.0.0\/8 list=ARIN\r\nadd address=142.0.0.0\/8 list=ARIN\r\nadd address=147.0.0.0\/8 list=ARIN\r\nadd address=162.0.0.0\/8 list=ARIN\r\nadd address=166.0.0.0\/8 list=ARIN\r\nadd address=172.0.0.0\/8 list=ARIN\r\nadd address=173.0.0.0\/8 list=ARIN\r\nadd address=174.0.0.0\/8 list=ARIN\r\nadd address=184.0.0.0\/8 list=ARIN\r\nadd address=192.0.0.0\/8 list=ARIN\r\nadd address=198.0.0.0\/8 list=ARIN\r\nadd address=199.0.0.0\/8 list=ARIN\r\nadd address=204.0.0.0\/8 list=ARIN\r\nadd address=205.0.0.0\/8 list=ARIN\r\nadd address=206.0.0.0\/8 list=ARIN\r\nadd address=207.0.0.0\/8 list=ARIN\r\nadd address=208.0.0.0\/8 list=ARIN\r\nadd address=209.0.0.0\/8 list=ARIN\r\nadd address=216.0.0.0\/8 list=ARIN<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Update: This article is not meant \u00a0to be a 
permanent solution. \u00a0It&#8217;s a way to stop the tidal wave of traffic you could be getting. \u00a0Many times it&#8217;s important to just get the customers up to some degree while you figure out the best course of action. \u00a0 Many of the Denial of Service (DDoS) [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[212,24,17],"tags":[273,147,13,271,272,25],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-7t","jetpack-related-posts":[{"id":284,"url":"http:\/\/www.mtin.net\/blog\/helpful-mikrotik-bgp-route-print\/","url_meta":{"origin":463,"position":0},"title":"Helpful Mikrotik BGP route print","author":"j2sw","date":"May 2, 2015","format":false,"excerpt":"\/ip route print where received-from=<PEERNAME> Replace <PEERNAME> with the name of one of your peers to show the routes received from that particular BGP peer.","rel":"","context":"In \"advertisments\"","block_context":{"text":"advertisments","link":"http:\/\/www.mtin.net\/blog\/tag\/advertisments\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1951,"url":"http:\/\/www.mtin.net\/blog\/interesting-mikrotik-gui-behavior\/","url_meta":{"origin":463,"position":1},"title":"Interesting Mikrotik GUI behavior","author":"j2sw","date":"December 28, 2017","format":false,"excerpt":"While bringing up a BGP session for a client I kept trying to add our side of a \/126.\u00a0 It kept reverting to the network address.\u00a0 The video shows what 
happens when I tried to add ::12\/126 to the IPV6 addresses. After some second-guessing and then some Facebook chatting I\u2026","rel":"","context":"In \"bug\"","block_context":{"text":"bug","link":"http:\/\/www.mtin.net\/blog\/tag\/bug\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2017\/12\/Screen-Shot-2017-12-27-at-11.09.42-PM-3.png?fit=550%2C388&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":1696,"url":"http:\/\/www.mtin.net\/blog\/use-tarpit-vs-drop-for-scripts-blocking-attackers\/","url_meta":{"origin":463,"position":2},"title":"Use tarpit vs drop for scripts blocking attackers","author":"j2sw","date":"July 26, 2017","format":false,"excerpt":"There are many scripts out there, especially on Mikrotik, which list drop as the action for denying bad guy traffic. \u00a0While this isn't wrong, you could put the tarpit action to better use for actions which are dropping attacking type of traffic. So what is Tarpit? Tarpit is fairly simple.\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2017\/01\/ethernet.jpeg?fit=1200%2C775&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2017\/01\/ethernet.jpeg?fit=1200%2C775&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2017\/01\/ethernet.jpeg?fit=1200%2C775&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2017\/01\/ethernet.jpeg?fit=1200%2C775&resize=1050%2C600 3x"},"classes":[]},{"id":365,"url":"http:\/\/www.mtin.net\/blog\/basic-mikrotik-bgp-filter-rules\/","url_meta":{"origin":463,"position":3},"title":"Basic Mikrotik BGP filter rules","author":"j2sw","date":"October 29, 2015","format":false,"excerpt":"Below are some basic Filter Rules 
for Mikrotik BGP filtering. \u00a0These are not complex and can be very easily implemented on your BGP peers. Before we get to the code there are a few assumptions 1.Your own IP space in this example is 1.1.1.0\/22 2.These filters are not fancy and\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1178,"url":"http:\/\/www.mtin.net\/blog\/mikortik-user-meet-2016-presentation\/","url_meta":{"origin":463,"position":4},"title":"Mikortik User Meet 2016 Presentation","author":"j2sw","date":"May 8, 2016","format":false,"excerpt":"My powerpoint converted to PDF. Topics Include: Carrier Grade NAT Xbox & Nat BGP Tips mum-2016","rel":"","context":"In &quot;BGP&quot;","block_context":{"text":"BGP","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/bgp\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2864,"url":"http:\/\/www.mtin.net\/blog\/mikrotik-mum-presentation-on-the-schedule\/","url_meta":{"origin":463,"position":5},"title":"Mikrotik MUM presentation on the schedule","author":"j2sw","date":"February 19, 2019","format":false,"excerpt":"It's official.\u00a0 Day 1, last presentation of the day.\u00a0https:\/\/mum.mikrotik.com\/2019\/US\/info\/EN","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2019\/02\/Screen-Shot-2019-02-19-at-3.38.53-PM-3.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2019\/02\/Screen-Shot-2019-02-19-at-3.38.53-PM-3.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2019\/02\/Screen-Shot-2019-02-19-at-3.38.53-PM-3.png?resize=700%2C400 
2x"},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/463"}],"collection":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=463"}],"version-history":[{"count":9,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/463\/revisions"}],"predecessor-version":[{"id":472,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/463\/revisions\/472"}],"wp:attachment":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/categories?post=463"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}