
Securing servers from DDOS attacks using Mikrotik Routers



Securing the router is one of the obligations of a network admin. Besides being able to configure and troubleshoot the network, a network admin is also expected to secure network devices such as routers and servers.

Before exposing a router to the Internet, we should secure it first. This can start with the simplest things: change the router's username and password, close unused services, and disable Neighbor Discovery. Details on how to secure a MikroTik router can be found in our article entitled First Steps to Maintaining Router Security.

In this article, we will share a small trick to protect server devices from DDoS attacks using a MikroTik router. DDoS is short for Distributed Denial of Service, a type of attack carried out by flooding the network with traffic. Under a DDoS, the network link fills up and the resource usage of the targeted device climbs.


As an example, we will protect a server device from DDoS attacks.






Configuration

You can follow these steps:


First step: create a firewall filter rule with a drop action that matches source addresses in the "ddoser" address list together with destination addresses in the "ddosed" address list.

/ip firewall filter
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop

Next step: capture all "new" connections and send them to a new chain named "detect-ddos".


/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=detect-ddos


Then we'll create a firewall rule as follows:


/ip firewall filter
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/1s action=return
add chain=detect-ddos src-address=192.168.0.1 action=return


With the above rules, when an unusual rate of new packets arrives, for example more than 32 packets per second for a single source-and-destination pair, the firewall tags the source and destination addresses using address lists. The attacker's IP address is grouped under the name "ddoser", and the target IP address is grouped under the name "ddosed". The second rule above returns early for a trusted source address (192.168.0.1 in this example) so that it is never tagged.


/ip firewall filter
add chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
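To make the order of these rules concrete, here is an added Python simulation (not from this article or from MikroTik) that walks constructed sample packets through the four rules: the dst-limit is approximated as a token bucket per source-and-destination pair, and the 10-minute address-list timeout is modelled with expiry timestamps; the addresses used are constructed examples.

```python
class DdosDetector:
    """Model of the article's rule set, in order:
    1. forward: drop new connections with src in 'ddoser' AND dst in 'ddosed'
    2. detect-ddos: dst-limit=32,32,src-and-dst-addresses/1s -> return while under limit
    3. detect-ddos: trusted src-address (192.168.0.1 in the article) -> return, never tagged
    4. detect-ddos: add dst to 'ddosed' and src to 'ddoser' with a 10-minute timeout
    The dst-limit matcher is approximated here as a token bucket per (src, dst) pair."""

    def __init__(self, rate=32, burst=32, list_timeout=600.0, trusted=("192.168.0.1",)):
        self.rate, self.burst, self.list_timeout = rate, burst, list_timeout
        self.trusted = set(trusted)
        self.buckets = {}  # (src, dst) -> (tokens, last_seen)
        self.ddoser = {}   # src -> expiry time
        self.ddosed = {}   # dst -> expiry time

    def _listed(self, table, addr, now):
        # address-list entries disappear once their timeout has passed
        return table.get(addr, float("-inf")) > now

    def new_connection(self, src, dst, now):
        """Decide what happens to one connection-state=new packet at time `now` (seconds).
        Returns 'drop', 'accept' (a return rule matched, packet continues) or 'listed'."""
        # Rule 1: both ends already tagged -> dropped before reaching detect-ddos
        if self._listed(self.ddoser, src, now) and self._listed(self.ddosed, dst, now):
            return "drop"
        # Rule 2: refill this pair's bucket at `rate` tokens/s, capped at `burst`
        tokens, last = self.buckets.get((src, dst), (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[(src, dst)] = (tokens - 1, now)
            return "accept"
        self.buckets[(src, dst)] = (tokens, now)
        # Rule 3: a trusted source returns before the tagging rules
        if src in self.trusted:
            return "accept"
        # Rule 4: tag both addresses; the pair's next new packet now hits rule 1
        self.ddosed[dst] = now + self.list_timeout
        self.ddoser[src] = now + self.list_timeout
        return "listed"


if __name__ == "__main__":
    # Constructed sample: one source opens 34 new connections to one server within a second
    det = DdosDetector()
    verdicts = [det.new_connection("203.0.113.7", "198.51.100.10", 0.0) for _ in range(34)]
    print(verdicts.count("accept"), verdicts[32], verdicts[33])  # 32 listed drop
```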


Conclusion

With the above rules, an unusual burst of new packets causes the source and destination addresses to be grouped into the "ddoser" and "ddosed" address lists (the entries expire after 10 minutes, per address-list-timeout=10m). Once the attacker's IP address and the target IP address have been captured in the address lists, further new connections between them are dropped by the firewall filter rule we created at the beginning. That way, client devices such as servers can be spared from DDoS attacks by unknown parties.

Dani31