Wednesday, November 2, 2016

Mikrotik DoS attack Protection


  • Limit incoming connections
Address with too much connections can be added to address list for blocking.
 
 
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 action=add-src-to-address-list  address-list=blocked-addr address-list-timeout=1d 
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit 
 
 

where LIMIT is max. number of connection per IP. LIMIT should be 100 or higher as many services use multiple connection (HTTP, Torrent, other P2P programs).
  • Action tarpit
Instead of simply droping attackers packets(action=drop) router can capture and hold connections and with enough powerfull router is can kill the attacker.

No comments: