Update: This article is not meant to be a permanent solution. It is a way to stem the tidal wave of traffic you may be getting. Often the priority is simply to get customers back to some degree of service while you work out the best course of action.
Many of the Distributed Denial of Service (DDoS) attacks people see these days arrive from APNIC (Asia Pacific) IP addresses. A common pattern is to open as many connections as possible and overwhelm the connection-tracking table. TCP has only 65,535 port numbers; ports below 1024 are the well-known (privileged) ports, and clients normally pick their source ports from the ephemeral range above that (the exact range depends on the operating system), so a single source address can hold at most a few tens of thousands of connections to one service. The router or firewall in the path, however, has to keep a table entry for every connection from every source, and that table is what fills up.
Now imagine a botnet of 10,000 computers all bearing down on your network because someone doesn’t like your web site. If each of those 10,000 machines opens just 7 legitimate-looking GET requests on separate connections, that is 70,000 tracked connections, enough to bring even a big router to a grinding halt. Stateful firewalls, which spend extra CPU inspecting and tracking every one of those connections, are even more prone to this than plain routers.
So, how do you begin to mitigate this? By the time you are under attack you are in defensive mode. Someone, or a lot of someones, is at your door trying to huff and puff and blow your house down. You need to slow the tide. One of the first things you can do is start refusing the traffic. A quick look with Torch (/tool torch on RouterOS) usually shows that many of the attacking IPs are from APNIC. If that is the case, enable a firewall rule that drops anything destined for the attacked host whose source is not in the “ARIN” address list below.
/ip firewall filter
add chain=forward comment="WebServer ACL" dst-address=1.2.3.4 src-address-list=!ARIN action=drop
The rule above says: if our attacked host (1.2.3.4 here, substitute your own) is being contacted by anything not on the “ARIN” list, drop it. Put it near the top of the forward chain, above any general accept rules (for example by adding it with place-before=0), so new connections hit it first; connections that were already accepted into the tracking table stay there until they time out or you clear them.
Paste the list below into /ip firewall address-list. These entries were copied off the ARIN web site as of this writing; APNIC and the other registries publish similar lists, and allocations change, so check against current registry data before relying on it. Keep in mind this is coarse and won’t stop the traffic from reaching your edge: /8 blocks are registry-level, so the rule also cuts off legitimate visitors from everywhere outside ARIN, and some of these legacy /8s contain reserved ranges (172.16.0.0/12 and 192.168.0.0/16 fall inside 172.0.0.0/8 and 192.0.0.0/8, for instance). It will, however, shield the host enough to give you a somewhat functional network while you track down the real issue.
Some people will say to blackhole the IP via a BGP blackhole (RTBH) server, but if the attacked address also carries production services, taking it offline for the entire world may be a bigger problem than the attack. This way you are at least limiting who can talk to them.
/ip firewall address-list
add address=23.0.0.0/8 list=ARIN
add address=24.0.0.0/8 list=ARIN
add address=45.16.0.0/12 list=ARIN
add address=45.32.0.0/11 list=ARIN
add address=45.72.0.0/13 list=ARIN
add address=50.0.0.0/8 list=ARIN
add address=63.0.0.0/8 list=ARIN
add address=64.0.0.0/8 list=ARIN
add address=65.0.0.0/8 list=ARIN
add address=66.0.0.0/8 list=ARIN
add address=67.0.0.0/8 list=ARIN
add address=68.0.0.0/8 list=ARIN
add address=69.0.0.0/8 list=ARIN
add address=70.0.0.0/8 list=ARIN
add address=71.0.0.0/8 list=ARIN
add address=72.0.0.0/8 list=ARIN
add address=73.0.0.0/8 list=ARIN
add address=74.0.0.0/8 list=ARIN
add address=75.0.0.0/8 list=ARIN
add address=76.0.0.0/8 list=ARIN
add address=96.0.0.0/8 list=ARIN
add address=97.0.0.0/8 list=ARIN
add address=98.0.0.0/8 list=ARIN
add address=99.0.0.0/8 list=ARIN
add address=100.0.0.0/8 list=ARIN
add address=104.0.0.0/8 list=ARIN
add address=107.0.0.0/8 list=ARIN
add address=108.0.0.0/8 list=ARIN
add address=135.0.0.0/8 list=ARIN
add address=136.0.0.0/8 list=ARIN
add address=142.0.0.0/8 list=ARIN
add address=147.0.0.0/8 list=ARIN
add address=162.0.0.0/8 list=ARIN
add address=166.0.0.0/8 list=ARIN
add address=172.0.0.0/8 list=ARIN
add address=173.0.0.0/8 list=ARIN
add address=174.0.0.0/8 list=ARIN
add address=184.0.0.0/8 list=ARIN
add address=192.0.0.0/8 list=ARIN
add address=198.0.0.0/8 list=ARIN
add address=199.0.0.0/8 list=ARIN
add address=204.0.0.0/8 list=ARIN
add address=205.0.0.0/8 list=ARIN
add address=206.0.0.0/8 list=ARIN
add address=207.0.0.0/8 list=ARIN
add address=208.0.0.0/8 list=ARIN
add address=209.0.0.0/8 list=ARIN
add address=216.0.0.0/8 list=ARIN