Show me how you do it!

Hi guys,

I have to ask this. In a normal scenario where you have a bunch of metals in your rack, you will probably have a network, firewall etc.
Now I am curious what kind of firewall or router you are using. I am mainly asking because I feel I am missing a piece somewhere in the design.

My issues in past:

I had a rack colocated in a DC. Had my own IP block /22 - Now my issue was when someone got DDoSed (any VM or device behind the FW/router) by a "simple" 2-20 Mbit SYN attack, everything went down. I was using a Mikrotik CCR1036 and also tried a hardware appliance with PFsense. What I saw was typically that the CPU was outrun. I was hoping that the DDoS attack (smaller than my pipe) would just be routed to the single box/VM/metal and not to the whole infrastructure itself (the router/FW became the bottleneck).
I tried stateless mode and different setups - nothing could stop it efficiently when it came to SYN attacks with special flags.

Now, what do you use in your infrastructure to make sure that you can handle an attack or volume (less than your PIPE) without crashing the firewall/router, which is devastating for all devices behind the FW?
Another thing I was also wondering: if my uplink provider can handle it by routing the attack to me, why can't I do the same? Just route the traffic to an end server. I was hoping it was a misconfiguration on my side at that time, but I was sure I was using stateless mode and many other things to prevent any CPU crash. Maybe Mikrotik and PFsense are nothing compared to Cisco when it comes to routing? ASIC chips?

I will now make a new setup with Mikrotik since I have seen a RAW mode is now available. But let me hear from you. I would like input on your typical setup and experience.

I will also create a lab and simulate the SYN attacks - if someone is up for some testing, let me know. I can simulate an attack.

Comments

  • terrahost (Member, Patron Provider)

    Your best bet is to use Fastnetmon, get data from your router and announce a blackhole/nullroute towards your transit provider, essentially taking that address off the internet. It would then only affect that single IP and not your entire infrastructure.

    If you have beefier hardware routers (modern Juniper, Cisco etc), Fastnetmon also supports flowspec, which allows you to filter traffic at the edge without blocking all access to the address. If you have a router that can handle the traffic itself, and the attack is smaller than your pipe, flowspec is a pretty sweet thing :)
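    The detect-then-nullroute loop described above, as an added example that is not from this thread and not Fastnetmon's own code: it counts pure-SYN packets per destination over constructed flow samples, picks the single /32 that crosses a rate threshold, and formats an RTBH announcement. The ExaBGP-style announcement syntax, the threshold, and the discard next-hop are assumptions; 65535:666 is the well-known BLACKHOLE community.

```python
# Added example, not from the thread or from Fastnetmon: a minimal
# per-destination SYN-rate detector that emits the one /32 to nullroute so a
# small SYN flood is sunk upstream instead of overrunning the whole edge router.
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow samples: (timestamp_s, src_ip, dst_ip, tcp_flags, packets),
# as exported by a router's NetFlow/sFlow, covering a one-second window.
FLOWS = [
    (0.0, "198.51.100.7", "203.0.113.10", "S", 4000),
    (0.0, "198.51.100.8", "203.0.113.10", "S", 3500),
    (0.5, "198.51.100.9", "203.0.113.10", "S", 3000),
    (0.5, "192.0.2.1", "203.0.113.20", "SA", 40),
    (0.9, "192.0.2.2", "203.0.113.20", "A", 2000),
]

# Assumed threshold: pure SYN packets per second towards a single host.
SYN_PPS_THRESHOLD = 5000
WINDOW_S = 1.0


def syn_rate_per_dst(flows, window_s=WINDOW_S):
    """Return {dst_ip: SYN packets/sec}, counting only flows whose TCP flags
    are exactly SYN; SYN+ACK replies and plain ACK traffic are not a SYN flood."""
    counts = defaultdict(int)
    for _, _, dst, flags, pkts in flows:
        if flags == "S":
            counts[dst] += pkts
    return {dst: n / window_s for dst, n in counts.items()}


def blackhole_targets(flows, threshold=SYN_PPS_THRESHOLD):
    """Hosts whose SYN rate exceeds the threshold, as /32 prefixes: only the
    attacked address is withdrawn, the rest of the /22 keeps serving."""
    return sorted(
        str(ip_network(dst + "/32"))
        for dst, pps in syn_rate_per_dst(flows).items()
        if pps > threshold
    )


def rtbh_announcement(prefix, community="65535:666"):
    """Build an ExaBGP-style announcement handed to a blackhole-capable transit.
    The discard next-hop 192.0.2.1 is a placeholder; use the one your transit gives you."""
    return f"announce route {prefix} next-hop 192.0.2.1 community [{community}]"


if __name__ == "__main__":
    for prefix in blackhole_targets(FLOWS):
        print(rtbh_announcement(prefix))
```

    Withdrawing the announcement once the SYN rate drops back under the threshold is the other half of the loop and belongs in the same detector.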

  • Thanks. But seriously, do a BGP blackhole because of a 5-10 Mbit SYN attack? Sounds way overkill.

    I was hoping someone could say that Mikrotik CCR or PFsense is crap when it comes to real-life routing. Or I can ask my provider which router they are using and get the same :)
    I have heard that ASIC-based routers are the only "real" things. All others look nice on paper, but are crap in practice.

  • raindog308 (Administrator, Veteran)

    I came to this thread expecting to learn cool new sex moves.


  • ma2t (Member)

    +1 with @terrahost for Fastnetmon

    Have you enabled fastpath on your Mikrotik? And do you use firewall rules on it?

    Mikrotik CCR1036 doesn't have 10G ports, so even if you manage to drop 5-10 Mbps of SYN, how will you survive a 1G+ UDP flood, for example?

    Hardware routers are nice but expensive ^^

  • I can't remember fastpath, but I'm pretty sure I tested all possible features.

    UDP or any volume attack is not a problem for now. I will be using an external DDoS service to clean the traffic - at the BGP level.

    Pricing budget is $3000 - my pipe is 10G (the CCR1036 was used previously and will be replaced).

  • I remember I also had similar issues on my Fortigate 1000C.
