torek, 22. december 2015

Mikrotik Basic DOS Attack prevention

Sometimes on the internet you piss people off. And in this day and age everybody can be a script kiddie and run some tools that spam your IP an overload your internet connection. If you have a shitty router you’re done. But luckily for you own a Mikrotik. So here we will make some rules to block someone who wants to DOS your WAN IP. You must know before you get to happy to have a router that can do DOS prevention, that that kind of prevention takes toll on routers CPU so if you have a really the cheapest hAP Lite for 20$, you will be easily overpowered. But if you own a better router let’s say RB2011, RB3011 or a bad boy like CCR, your good. But if you REALLY pissed  some wrong people off, and are a target of a DDOS attack, well in that case you are screwed no matter what you own. Your best bet is to change your IP :D

So what can you do with a Mikrotik?

In the input chain, you can make a firewall rule to track the number of TCP connections coming in to the router and set a threshold at which the IP gets listed on an address list. Then, that list is Tarpited.

First off all you need to know the basic behind the Mikrotik Tarpit functionality. 

The Tarpit functionality exploits the 3-way handshake, that is used to establish the TCP connection when your router receives the initial SYN packet of the DOS-er and sends a SYN/ACK in response. It does not open a socket or prepare a connection, in fact it can forget all about the connection after sending the SYN/ACK. However, the remote site sends its ACK (which gets ignored) and believes the 3-way-handshake to be complete. Then it starts to send data, which never reaches a destination. The connection will time out after a while, but since the system believes it is dealing with a live (established) connection, it is conservative in timing it out and will instead try to retransmit, back-off, retransmit, etc. for quite a while. That puts a lot of strain on attacker’s computer and can eventually crash or freeze his program. This Tarpit functionality is especially useful for mitigating brute force attacks against SSH and Telnet.

How do we implement this on the router?

Well I will make one example, but you need to customize it to your needs. 
 We will create these rules in the ip\firewall\filter in the terminal window.
1.      We make a rule, that checks the number of TCP connections coming in the router on the Input chain. And if a threshold we set is reached, the source address of the packet is put on an address list for 24 hrs. (that is also customizable) In our case that will be 50 connections (FYI – that is low)
2.      In the second step we will take that list and Tarpit the IP addresses that try to DOS us.

1.       chain=input action=add-src-to-address-list protocol=tcp src-address=! address-list=DOS address-list-timeout=1d connection-limit=50,32 log=no log-prefix=""

2.       chain=input action=tarpit protocol=tcp src-address-list=DOS log=no log-prefix=""

How the router would read such a rule?

The first rule: If a packet comes to the Router and is not sourced from and has more than 50 TCP connections to me, put that IP address on the DOS list for 24 hrs.
Router in this case has not done any action on the source IP other to create a list with this IP on it.
But you must customize those 50 connections to your needs.

The second rule: If there is and address list named DOS, Tarpit traffic coming from the IP on that list.

Just remember to put the tarpit rule above the first rule so the packets from DOS IP address are not reprocessed every time in both rules. It takes off load on the router.

I hope I made myself clear.

May the force be With you all :D

Ni komentarjev:

Objavite komentar