Artyom
Votes: 6Posted On: Sep 05, 2018 05:05:33
MikroTik RouterOS is an easy to use yet highly powerful interface that gives the power to Network Admins to deploy network capabilities and functions at ease. With the help of MikroTik RouterOS, you can turn a normal standard personal computer into a powerful network router.
MikroTik RouterOS is a Linux based operating system that are specially designed for thin routers. The terms refer to the amount of software and the size of the operating system that is running on our desktop computers.
Yes, with a Mikrotik router you can fight a DDoS attack quite effectively. With a Mikrotik router you can limit the number of connection using a firewall feature. When there is a DDoS attack, the system detects intrusion as the number of connection request exceeds the defined limit.
Let us study how to catch all new connections and redirecte them to the firewall
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=detect-ddos
In RouterOS, any single UDP packet is considered to be a new connection by Connection Tracking in any Firewall section (except NAT) until the packet in opposite direction is sent.
We then allow each "SrcIP:DstIP" pair some number of new connections. Make sure to also add exceptions like DNS servers. There is no good reason to block them.
/ip firewall filter
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
add chain=detect-ddos src-address=192.168.0.1 action=return
Now we have only packets which exceed our limits - and we add their source to 'ddoser' and the target to 'ddosed' address lists:
/ip firewall filter
add chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
Then packet processing returns to 'forward' chain, where we block any packets from ddosers(Culprit) to ddosed(Victim) resources:
/ip firewall filter
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop