Generally there is no perfect solution to protect against DoS attacks. Every service can be overloaded by too many requests, so there are only methods for minimizing the impact of an attack:
- Get a more powerful router or server
- Get a faster uplink
- Reduce the number of firewall rules, queues and other packet handling actions
- Track the attack path and block it closer to the source (by the upstream provider)
TCP SYN flood
More info: SYN flood.
Diagnose
- Are there too many connections in the syn-sent state?
/ip firewall connection print
- Are too many packets per second going through the interface?
- Is CPU usage at 100%?
- Are there too many suspicious connections?
Protection
- Limit incoming connections
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \
    action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
where LIMIT is the maximum number of connections per IP. LIMIT should be 100 or higher, as many services use multiple connections (HTTP, torrent, other P2P programs).
- Action tarpit
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \
    connection-limit=3,32 action=tarpit
- SYN filtering
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
    action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
    action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
    action=drop comment="" disabled=no
"limit=400,5" (rate, burst) is the threshold. The jump rule in the forward chain is added disabled; enable it to have SYN packets above that threshold dropped (i.e. an excessive number of new connections).
- SYN cookies
/ip firewall connection tracking set tcp-syncookie=yes
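As an added check that ties the Diagnose list to the connection-limit rule above (example script, not from the original page or from MikroTik): it parses connection-tracking output modelled on /ip firewall connection print, counts TCP connections per /32 source the way connection-limit=LIMIT,32 does, totals the syn-sent entries, and reports which sources would already be landing in blocked-addr. The sample rows are constructed, and the column layout is an assumption, since it differs between RouterOS versions.

```python
import re
from collections import Counter

LIMIT = 100  # the LIMIT value from the connection-limit=LIMIT,32 rule

# Only these fields are relied on: index, protocol, src:port, dst:port and an
# optional TCP state. Column spacing is an assumption (varies by version).
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):\d+\s+(?P<dst>[\d.]+):\d+"
    r"(?:\s+(?P<state>[\w-]+))?"
)


def parse_connections(text):
    """Yield (proto, src, dst, tcp_state); tcp_state is None for non-TCP rows."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and blank lines do not match
            yield m["proto"], m["src"], m["dst"], m["state"]


def analyse(text, limit=LIMIT):
    """Return (TCP connections per source, syn-sent total, sources over limit)."""
    per_src = Counter()
    syn_sent = 0
    for proto, src, _dst, state in parse_connections(text):
        if proto != "tcp":
            continue
        per_src[src] += 1          # one bucket per /32, like connection-limit=LIMIT,32
        if state == "syn-sent":    # half-open: SYN seen, no handshake completion
            syn_sent += 1
    over = sorted(s for s, n in per_src.items() if n > limit)
    return per_src, syn_sent, over


def constructed_sample(flood_src="203.0.113.7", flood_count=150):
    """Constructed conntrack listing: one flooding source plus two normal entries."""
    rows = [" #  PR  SRC-ADDRESS:PORT        DST-ADDRESS:PORT   TCP-STATE"]
    for i in range(flood_count):
        rows.append(f" {i}  tcp {flood_src}:{40000 + i}  192.0.2.10:80  syn-sent")
    rows.append(f" {flood_count}  tcp 198.51.100.4:51234  192.0.2.10:443  established")
    rows.append(f" {flood_count + 1}  udp 198.51.100.9:53000  192.0.2.10:53")
    return "\n".join(rows)


if __name__ == "__main__":
    per_src, syn_sent, over = analyse(constructed_sample())
    print(f"syn-sent connections: {syn_sent}")
    print(f"sources over LIMIT={LIMIT} (would be added to blocked-addr): {over}")
```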