DoS attack protection

Types
TCP SYN flood
More info: SYN flood [1].

Diagnose
Are there too many connections in the syn-sent state?
/ip firewall connection print
(On recent RouterOS versions the list can be narrowed with "print where tcp-state=syn-sent".)
Are too many packets per second going through an interface? (ether3 is just an example interface name.)
/interface monitor-traffic ether3
Is CPU usage at 100%?
/system resource monitor
Are there too many suspicious connections? (torch takes the interface to watch, e.g. /tool torch ether3.)
/tool torch

Protection

Limit incoming connections
An address with too many connections can be added to an address list for further blocking:
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 action=add-src-to-address-list \
address-list=blocked-addr address-list-timeout=1d
where LIMIT is the maximum number of connections per IP address (the ",32" is the netmask, so connections are counted per single host). LIMIT should be 100 or higher, as many services use multiple connections (HTTP, BitTorrent, other P2P programs). Note that add-src-to-address-list is not a terminating action: the packet continues down the chain, so listing an address does not by itself block it; a further rule (such as the tarpit rule below) has to act on the list.

Action tarpit
Instead of simply dropping the attacker's packets (action=drop), the router can capture and hold the connections; on a router with enough resources this ties up the attacker's side rather than the router's. Two caveats: tarpitted connections are held on the router, so only use this where the router has capacity to spare, and it only costs an attacker whose source addresses are genuine (spoofed SYNs hold no state on the attacker).
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \
connection-limit=3,32 action=tarpit
This rule acts on addresses already in blocked-addr, so a listed address gets only a handful of connections to the router before it is tarpitted.

SYN filtering
Some more advanced filtering can be applied based on the TCP packet state.
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no
limit=400,5 is the threshold: up to 400 new SYN packets per second (with a burst of 5) are accepted, and everything above that falls through to the drop rule. The jump rule is added disabled; enable it to activate the filtering in the forward chain. Two caveats: the limit is global, not per source, so during a flood legitimate clients' SYNs are dropped along with the attacker's; and these rules cover forwarded traffic only, so the router's own services need an equivalent set of rules in the input chain.

SYN cookies
More info: SYN cookies [2]
/ip firewall connection tracking set tcp-syncookie=yes
This protects TCP services running on the router itself (SYN cookies are a property of the listening TCP stack, which then needs no state for half-open connections); for hosts behind the router the filter rules above are the relevant tool.
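To see how the two mechanisms above behave on real traffic patterns, here is an added example in Python that replays constructed connection events through a model of them. It is not RouterOS code and not part of the original page: it models the input-chain pair (connection-limit=LIMIT,32 with add-src-to-address-list, then the tarpit rule for blocked-addr) and the forward-chain SYN-Protect rules (limit=400,5 as a token bucket). The exact match point of connection-limit (netfilter connlimit counts the connection being opened and matches when the count exceeds the limit), the refreshing of a listed address's timeout, and the token-bucket reading of limit=RATE,BURST are assumptions of the model; the addresses and event timings are constructed.

```python
"""Replay of the firewall rules on this page over constructed connection events.

Added example, not RouterOS code. Model assumptions are marked in comments.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
import ipaddress


def masked(src: str, prefix_len: int) -> str:
    """The block a source is counted under (the ",32" part of connection-limit)."""
    return str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))


@dataclass
class AddressList:
    """Dynamic address list with per-entry timeout (address-list-timeout=1d -> 86400 s)."""
    timeout: float
    expiry: dict = field(default_factory=dict)

    def add(self, src: str, now: float) -> None:
        # Assumption: re-adding a listed address refreshes its timeout.
        self.expiry[src] = now + self.timeout

    def contains(self, src: str, now: float) -> bool:
        exp = self.expiry.get(src)
        return exp is not None and exp > now


def replay_input_chain(events, limit=100, list_timeout=86400.0):
    """Replay (time, kind, src) events, kind in {"open", "close"}, through the
    page's input-chain rules in the order they are listed.

    Assumption (netfilter connlimit): connection-limit=N,MASK matches when the
    connections from the masked source, counting the one being opened, exceed N.
    Tarpitted SYNs are not counted as open connections in this model."""
    blocked = AddressList(list_timeout)
    open_conns = defaultdict(int)            # masked source -> open connections
    verdicts = []
    for t, kind, src in events:
        key = masked(src, 32)
        if kind == "close":
            open_conns[key] = max(0, open_conns[key] - 1)
            continue
        pending = open_conns[key] + 1
        # Rule 1: connection-limit=LIMIT,32 action=add-src-to-address-list (non-terminating)
        if pending > limit:
            blocked.add(src, t)
        # Rule 2: src-address-list=blocked-addr connection-limit=3,32 action=tarpit (terminating)
        if blocked.contains(src, t) and pending > 3:
            verdicts.append((t, src, "tarpit"))
            continue
        open_conns[key] = pending            # implicit accept: connection is established
        verdicts.append((t, src, "accept"))
    return verdicts, blocked


class TokenBucket:
    """Model of limit=RATE,BURST: RATE matches per second, BURST kept in reserve.
    Integer micro-token arithmetic keeps the replay exact."""
    def __init__(self, rate: int, burst: int):
        self.rate, self.cap = rate, burst * 1_000_000
        self.tokens, self.last_us = self.cap, 0

    def allow(self, now_us: int) -> bool:
        self.tokens = min(self.cap, self.tokens + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        if self.tokens >= 1_000_000:
            self.tokens -= 1_000_000
            return True
        return False


def replay_syn_protect(syns, rate=400, burst=5):
    """Replay (time_us, src) new SYNs through SYN-Protect: accept while the single,
    global bucket has tokens, drop otherwise. Returns per-source verdict counts."""
    bucket = TokenBucket(rate, burst)
    tally = defaultdict(Counter)
    for t_us, src in syns:
        tally[src]["accept" if bucket.allow(t_us) else "drop"] += 1
    return tally


def demo():
    # Constructed scenario: a browser-like client with 40 connections; an attacker
    # opening 150 half-open connections, which then time out; a retry while the
    # attacker is still listed; and a retry after the 1-day list timeout.
    legit, attacker = "198.51.100.9", "203.0.113.7"
    events = [(t, "open", legit) for t in range(40)]
    events += [(100 + i, "open", attacker) for i in range(150)]
    events += [(400, "close", attacker) for _ in range(100)]
    events += [(500 + i, "open", attacker) for i in range(4)]
    events += [(86400 + 500, "open", attacker)]
    verdicts, blocked = replay_input_chain(events, limit=100)
    per_src = defaultdict(Counter)
    for _, src, verdict in verdicts:
        per_src[src][verdict] += 1

    # 1000 SYNs in one second, every 17th from the legitimate client: the limit is
    # global, so the client loses SYNs alongside the attacker.
    syns = [(i * 1000, legit if i % 17 == 0 else attacker) for i in range(1000)]
    return dict(per_src), replay_syn_protect(syns), blocked


if __name__ == "__main__":
    per_src, tally, blocked = demo()
    print("input chain:", dict(per_src))
    print("SYN-Protect:", {k: dict(v) for k, v in tally.items()})
    print("attacker listed at t=600:", blocked.contains("203.0.113.7", 600))
```

The replay makes the page's numbers concrete: the client with 40 connections never reaches LIMIT=100, the attacker is listed on its 101st connection and tarpitted from then on, a listed address still gets 3 connections before the tarpit rule fires, and after the 1-day timeout it is treated like any other source again. In the SYN-Protect replay 404 of the 1000 SYNs pass (400/s plus the burst of 5, minus the one-token rounding), and the client loses most of its own SYNs because the bucket is shared with the attacker.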
External links
Denial-of-service attack [3]
References
[1] http://en.wikipedia.org/wiki/SYN_flood
[2] http://en.wikipedia.org/wiki/SYN_cookies
[3] http://en.wikipedia.org/wiki/DoS