...
Code Block | ||
---|---|---|
| ||
/ip firewall address-list add list=ddos-attackers add list=ddos-targettargets /ip firewall filter add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s add action=add-dst-to-address-list address-list=ddos-targettargets address-list-timeout=10m chain=detect-ddos add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos /ip firewall raw add action=drop chain=prerouting dst-address-list=ddos-targettargets src-address-list=ddos-attackers |
...
Code Block | ||
---|---|---|
| ||
ip/firewall/address-list/add list=ddos-attackers ip/firewall/address-list/add list=ddos-targets ip/firewall/raw/add chain=prerouting action=drop src-address-list=ddos-attackers dst-address-list=dddosddos-targets |
With the firewall filter section, we will add attackers in the "ddosDDoS-attackers" and victims in list "ddos-targets" list:
Code Block | ||
---|---|---|
| ||
/ip/firewall/filter/ add action=add-dst-to-address-list address-list=ddos-targettargets address-list-timeout=10m chain=detect-ddos add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos |
...
An SYN-ACK flood is an attack method that involves sending a target server spoofed SYN-ACK packet at a high rate. The server requires significant resources to process such packets out-of-order (not in accordance with the normal SYN, SYN-ACK, ACK TCP three-way handshake mechanism), it can become so busy handling the attack traffic, that it cannot handle legitimate traffic and hence the attackers achieve a DoS/DDoS condition. In RouterOS, we can configure similar rules from the previously mentioned example, but more specifically for SYN-ACK flood:
...