{"id":1402,"date":"2019-05-03T05:09:13","date_gmt":"2019-05-03T03:09:13","guid":{"rendered":"http:\/\/www.shukko.com\/x3\/?p=1402"},"modified":"2019-05-03T05:09:53","modified_gmt":"2019-05-03T03:09:53","slug":"mt-under-syn","status":"publish","type":"post","link":"https:\/\/www.shukko.com\/x3\/2019\/05\/03\/mt-under-syn\/","title":{"rendered":"mt under syn"},"content":{"rendered":"\n<p>If you want to help your router handle 2x the DDoS you&#8217;re receiving now, disable the route cache. You will see your CPU usage go down immediately.<\/p>\n\n\n\n<p>Put rp_filter in loose mode and enable TCP syncookies.<\/p>\n\n\n\n<p>Set this (only if the router is a border router and does not do NAT or similar services):<br>\/ip firewall connection tracking set enabled=no<\/p>\n\n\n\n<p>Use only raw rules and set up something like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip firewall raw\nadd    chain=prerouting action=jump jump-target=udp-filters in-interface=NETIX log=no log-prefix=\"\" protocol=udp\n\nadd    chain=prerouting action=jump jump-target=tcp-filters in-interface=NETIX log=no log-prefix=\"\" protocol=tcp\n\nadd   chain=udp-filters action=accept in-interface=NETIX src-port=53 limit=2500,100:packet log=no log-prefix=\"\" protocol=udp\n\nadd    chain=udp-filters action=drop in-interface=NETIX src-port=53 log=no log-prefix=\"\" protocol=udp\n\nadd  chain=udp-filters action=drop in-interface=NETIX src-port=389 log=no log-prefix=\"\" protocol=udp comment=LDAP\n\nadd  chain=udp-filters action=drop in-interface=NETIX src-port=80 log=no log-prefix=\"\" protocol=udp comment=\"UDP SRC 80\"\n\nadd  chain=udp-filters action=drop in-interface=NETIX src-port=443 log=no log-prefix=\"\" protocol=udp comment=\"UDP SRC 443\"\n\nadd  chain=udp-filters action=drop in-interface=NETIX dst-port=80 log=no log-prefix=\"\" protocol=udp comment=\"UDP DST 80\"\n\nadd  chain=udp-filters action=drop in-interface=NETIX dst-port=443 log=no log-prefix=\"\" protocol=udp comment=\"UDP DST 443\"\n\nadd   
 chain=udp-filters action=notrack log=no log-prefix=\"\"\n\nadd    chain=tcp-filters action=notrack log=no log-prefix=\"\"\n\nadd    chain=prerouting action=notrack log=no log-prefix=\"\"\n\n\/ip firewall filter\n\nadd chain=forward protocol=tcp tcp-flags=syn,rst action=drop<\/code><\/pre>\n\n\n\n<p>This will block most known UDP amplification scripts.<\/p>\n\n\n\n<p>This is the best configuration we found to let MT absorb attacks; you can&#8217;t get better performance.<\/p>\n\n\n\n<p>Now, for real TCP mitigation you should deploy an external device (inline or out of line, your choice) to filter more specific packets (strings, TTL, flags&#8230;). If you do not feel safe running it inline, consider using FastNetMon, which detects a DDoS and injects a route to forward the \/32 to that device.<\/p>\n\n\n\n<p>Or, if you have a budget, choose a company that does DDoS mitigation and you will sleep better.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you want to help your router handle 2x the DDoS you&#8217;re receiving now, disable the route cache. You will see your CPU usage go down immediately. Put rp_filter in loose mode and enable TCP syncookies. 
Set this (only if the router is a border router and does not do NAT or similar services): \/ip firewall connection tracking set [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1402","post","type-post","status-publish","format-standard","hentry","category-kategerisiz"],"_links":{"self":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/1402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/comments?post=1402"}],"version-history":[{"count":2,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/1402\/revisions"}],"predecessor-version":[{"id":1404,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/1402\/revisions\/1404"}],"wp:attachment":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/media?parent=1402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/categories?post=1402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/tags?post=1402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}