8/23/2017 DoS attack protection - MikroTik Wiki

DoS attack protection

From MikroTik Wiki

Contents
1 In general
2 Types
2.1 TCP SYN flood
2.1.1 Diagnose
2.1.2 Protection
3 External links

In general
DoS (Denial of Service) attack can cause overloading of a router. Which means that the CPU usage goes to 100% and
router can become unreachable with timeouts. All operations on packets which can take significant CPU power like
firewalling (filter, NAT, mangle), logging, queues can cause overloading if too many packets per second arrives at the
router.

Generally there is no perfect solution to protect against DoS attacks. Every service can become overloaded by too many
requests. But there are some methods for minimising the impact of an attack.

Get a more powerful router or server

Get a more faster uplink
Reduce the number of firewall rules, queues and other packet handling actions
Track attack path and block it closer to source (by upstream provider)

Types
TCP SYN flood

More info: SYN flood (http://en.wikipedia.org/wiki/SYN_flood).

Diagnose

Are there too many connections with syn-sent state present?

/ip firewall connection print

Are there too many packets per second going through any interface?

/interface monitor-traffic ether3

https://wiki.mikrotik.com/wiki/DoS_attack_protection 1/3
8/23/2017 DoS attack protection - MikroTik Wiki

Is CPU usage 100%?

/system resource monitor

Are there too many suspicious connections?

/tool torch

Protection

Limit incoming connections

An IP address with too many connections can be added to a 'black-list' type address list for further blocking.

/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \

action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d

where LIMIT is the max. number of connection per IP. LIMIT should be a value of 100 or even higher as many services
use multiple connection (HTTP, Torrent, other P2P programs).

Action tarpit

Instead of simply dropping attacker's packets (with 'action=drop') router can capture and hold connections and with a
powerful enough router it can slow the attacker down.

/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \

connection-limit=3,32 action=tarpit

SYN filtering

Some advanced filtering can by applied to tcp packet state.

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \

action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no

'syn limit=400' is a threshold, just enable rule in forward chain for syn packets to get dropped (for excessive amount of new
connections)

SYN cookies

More info: SYN cookies (http://en.wikipedia.org/wiki/SYN_cookies)

For v6.x:

/ip settings set tcp-syncookies=yes

https://wiki.mikrotik.com/wiki/DoS_attack_protection 2/3
8/23/2017 DoS attack protection - MikroTik Wiki

For older RouterOS versions:

/ip firewall connection tracking set tcp-syncookie=yes

External links
Denial-of-service attack (http://en.wikipedia.org/wiki/DoS)

Retrieved from "https://wiki.mikrotik.com/index.php?title=DoS_attack_protection&oldid=26217"

Category: Firewall

This page was last modified on 25 March 2014, at 16:44.

This page has been accessed 259,171 times.

https://wiki.mikrotik.com/wiki/DoS_attack_protection 3/3