
Introduction

A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. There are several types of DDoS attacks, for example, HTTP flood, SYN flood, DNS amplification, etc.

Protection Employment

In RouterOS, we have to split DoS/DDoS protection into 2 parts: detection and processing.

DoS/DDoS Detection

First, we will send every new connection to a dedicated chain in which the DDoS detection takes place:

/ip/firewall/filter
add chain=forward connection-state=new action=jump jump-target=detect-ddos

In the newly created chain we will add the following rule with the "dst-limit" parameter. This parameter is written in the format dst-limit=count[/time],burst,mode[/expire]: the packet rate (count per time, per second if no time is given), the burst size, the classifier that defines a flow, and the interval after which an idle flow entry is removed. We will match 32 packets with a 32 packet burst per flow, where a flow is classified by source and destination address and the flow entry renews every 10 seconds. The rule matches, and returns from the chain, only while a flow stays within the given rate; once the rate is exceeded, the packets no longer match and continue to the rules that follow in the chain.

/ip/firewall/filter
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
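To make the behaviour of the rule above concrete, here is an added example, not part of the RouterOS documentation, that models dst-limit as one token bucket per flow key (count/time as the refill rate, burst as the bucket size, expire as the idle timeout). The class and function names and the sample addresses are constructed for the illustration; the model follows the documented parameter format, not the actual kernel implementation.

```python
# Token-bucket model of dst-limit=count[/time],burst,mode[/expire] (constructed example).
import re

_UNITS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}

def parse_time(text):
    """Convert a RouterOS-style interval such as '10s' or '500ms' to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m|h)", text)
    if not m:
        raise ValueError(f"bad interval: {text!r}")
    return float(m.group(1)) * _UNITS[m.group(2)]

class DstLimit:
    """One token bucket per flow key; a packet 'matches' while a token is available."""

    def __init__(self, spec):
        rate, burst, mode = spec.split(",")
        count, _, time = rate.partition("/")        # time omitted means "per second"
        mode, _, expire = mode.partition("/")
        self.rate = int(count) / (parse_time(time) if time else 1.0)  # packets/second
        self.burst = int(burst)
        self.mode = mode
        self.expire = parse_time(expire) if expire else None
        self.buckets = {}                            # flow key -> [tokens, last_seen]

    def key(self, src, dst):
        # Only the address-based classifiers are modelled here.
        return {"src-address": (src,), "dst-address": (dst,),
                "src-and-dst-addresses": (src, dst)}[self.mode]

    def matches(self, src, dst, now):
        """True while the flow is within count/time (+burst); False once exceeded."""
        k = self.key(src, dst)
        tokens, last = self.buckets.get(k, (self.burst, now))
        if self.expire is not None and now - last > self.expire:
            tokens, last = self.burst, now           # idle entry expired: fresh bucket
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[k] = [tokens - 1, now]
            return True
        self.buckets[k] = [tokens, now]
        return False

def count_matches(spec, packets):
    """packets: iterable of (src, dst, timestamp). Returns how many hit the rule."""
    lim = DstLimit(spec)
    return sum(lim.matches(s, d, t) for s, d, t in packets)
```

With the page's rule, 40 packets of one flow arriving at once give 32 matches (they return from the chain) and 8 that fall through to the following rules, while a second flow to the same destination still has its own full burst.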
