[Mikrotik] DOS attack question

Josh Luthman josh at imaginenetworksllc.com
Tue Dec 4 13:11:38 CST 2012


Network-wise or just from management efficiency?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Tue, Dec 4, 2012 at 1:58 PM, Butch Evans <butche at butchevans.com> wrote:

> On Tue, 2012-12-04 at 11:35 -0500, David Hulsebus wrote:
> > We've had someone sending network attacks on us over the last few days.
> > We are blocking 15K + IP addresses each 24 hours and have an address
> > list that has grown to more than 45K since Sunday morning. I do see my
> > CPU usage hasn't really grown beyond 10% - it usually runs 6-8%. Which
> > brings me to the question. At that scale are address list look-ups more
> > efficient than multiple rules? Or is there a difference? I am looking
> > at increasing the blocked time from 3 days to 14.
>
> Address lists are much more efficient than multiple rules.  For example:
> /ip firewall filter
> add chain=input protocol=tcp dst-port=22 src-address-list=nossh action=drop
>
> The above is MUCH more efficient with an address list of 100 IPs than it
> would be to have 100 rules of dropping dst-port tcp/22.   I am assuming
> this is the question you are asking.  NOTE that this is just an example
> and NOT the best way to handle input rules to manage traffic on port 22
> or any other management port.
>
> --
> ********************************************************************
> * Butch Evans                * Professional Network Consultation   *
> * http://www.butchevans.com/ * Network Engineering                 *
> * http://store.wispgear.net/ * Wired or Wireless Networks          *
> * http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!    *
> *          NOTE THE NEW PHONE NUMBER: 702-537-0979                 *
> ********************************************************************
>
>
>
> _______________________________________________
> Mikrotik mailing list
> Mikrotik at mail.butchevans.com
> http://www.butchevans.com/mailman/listinfo/mikrotik
>
> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
> RouterOS
>
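As an added illustration of the address-list approach quoted above (not part of the original thread or written by any of its posters), the following Python helper turns a collected list of source addresses into a RouterOS import script with one list entry per source and a single drop rule. The names `build_rsc` and `SAMPLE` are hypothetical, the sample addresses are constructed documentation ranges, and it assumes the router's RouterOS version accepts `timeout=` on `/ip firewall address-list add`.

```python
import ipaddress

LIST_NAME = "nossh"   # list name used in the thread's rule
TIMEOUT = "14d"       # the 14-day block time the original poster is considering

# Constructed sample input: a duplicate, a prefix, a malformed entry, an IPv6 address.
SAMPLE = ["198.51.100.7", "198.51.100.7", "203.0.113.0/24",
          "192.0.2.10 action=accept", "2001:db8::1"]


def build_rsc(sources):
    """Return (script_text, skipped) for a RouterOS import file.

    sources is an iterable of strings, typically pulled from logs and
    therefore untrusted. Each one is parsed with ipaddress so that only
    a valid IPv4 address or prefix can reach the generated script.
    """
    nets, skipped = set(), []
    for raw in sources:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            skipped.append(raw)       # not an address: keep it out of the script
            continue
        if net.version != 4:          # /ip firewall is the IPv4 firewall
            skipped.append(raw)
            continue
        nets.add(net)                 # the set removes duplicates

    lines = ["/ip firewall address-list"]
    for net in sorted(nets):
        addr = str(net.network_address) if net.prefixlen == 32 else str(net)
        # Assumption: the target RouterOS version accepts timeout= here.
        lines.append(f"add list={LIST_NAME} address={addr} timeout={TIMEOUT}")
    # One filter rule, however many entries the list holds.
    lines += ["/ip firewall filter",
              f"add chain=input protocol=tcp dst-port=22 "
              f"src-address-list={LIST_NAME} action=drop"]
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    script, skipped = build_rsc(SAMPLE)
    print(script, end="")
    print("# skipped:", skipped)
```

The filter chain keeps one rule to evaluate per packet whether the list holds 100 or 45K entries; only the address-list section of the script grows.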