[Mikrotik] DOS attack question

Butch Evans butche at butchevans.com
Tue Dec 4 12:58:27 CST 2012


On Tue, 2012-12-04 at 11:35 -0500, David Hulsebus wrote:
> We've had someone sending network attacks on us over the last few days. 
> We are blocking 15K + IP addresses each 24 hours and and have an address 
> list that has grown to more than 45K since Sunday morning. I do see my 
> CPU usage hasn't really grown beyond 10% - it usually runs 6-8%. Which 
> brings me to the question. At that scale are address list look-ups more 
> efficient than multiple rules? Or is there a difference ? I am looking 
> at increasing the blocked time from 3 days to 14.

Address lists are much more efficient than multiple rules.  For example:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=nossh
action=drop

The above is MUCH more efficient with an address list of 100 IPs than it
would be to have 100 rules of dropping dst-port tcp/22.   I am assuming
this is the question you are asking.  NOTE that this is just an example
and NOT the best way to handle input rules to manage traffic on port 22
or any other management port.

-- 
********************************************************************
* Butch Evans                * Professional Network Consultation   *
* http://www.butchevans.com/ * Network Engineering                 *
* http://store.wispgear.net/ * Wired or Wireless Networks          *
* http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!    *
*          NOTE THE NEW PHONE NUMBER: 702-537-0979                 *
********************************************************************





More information about the Mikrotik mailing list