├── LICENSE ├── README.md └── mt-anti-ddos.rsc /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Łukasz Kopiszka 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
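--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# mt-anti-ddos-script
MikroTik RouterOS script which detects DDoS attacks (per-destination packet-rate
thresholds on a mirrored link) and blackholes the attacked address over iBGP
(RTBH) for 5 minutes.

More info and where it began: https://ispforum.pl/index.php?topic=12966.0
--------------------------------------------------------------------------------
/mt-anti-ddos.rsc:
--------------------------------------------------------------------------------
# mt-anti-ddos.rsc - RouterOS configuration for a DDoS detector feeding a
# remote-triggered blackhole (RTBH) over iBGP.
#
# Traffic arrives on sfpplus1, presumably a port mirror (SPAN) of the transit
# link - this box only observes, it is not in the forwarding path (TODO confirm).
# Any destination that receives more than the per-protocol packet rate set in
# /ip firewall mangle is put in the DDOSOWANI address list for 5 minutes and
# announced as a /32 with community 64496:997 by the update-blackhole script,
# which runs every 4 s from the "blackhole" scheduler.
#
# AS 64496 (RFC 5398 documentation ASN), the 10.x/1.2.3.4/5.6.7.8 addresses,
# domena.pl and the mail server are placeholders - replace before import.
/interface bridge
add mtu=1500 name=mirror
/interface vlan
add interface=sfp1 l2mtu=1586 name=vlan10 vlan-id=10
add interface=sfp1 l2mtu=1586 name=vlan11 vlan-id=11
/routing bgp instance
# out-filter is set both here and on each peer below; router-id is the vlan11 address.
set default as=64496 out-filter=bgp-blackhole-out router-id=10.11.11.11
/system logging action
set 0 memory-lines=10000
/interface bridge port
add bridge=mirror interface=sfpplus1
/interface bridge settings
# Bridged (mirrored) frames only reach /ip firewall mangle with these enabled;
# without them none of the rules below would ever see a packet.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
# Deliberately off: dst-limit keeps its own per-destination counters and needs
# no connection state, so a conntrack table would only cost CPU and memory on a
# box whose job is to count mirrored packets.
set enabled=no
/ip address
add address=10.10.10.10/24 interface=vlan10
add address=10.11.11.11/24 interface=vlan11
/ip firewall address-list
# PASS: destinations that are never blackholed. Put your own infrastructure
# here (DNS, gateways, this router's addresses - anything whose outage would
# hurt more than the attack): a flood above the threshold is all it takes to
# trigger the blackhole, so an attacker can aim it at whatever is not listed.
add address=1.2.3.4 list=PASS
# DDOSOWANI ("under attack"): normally filled by the add-dst-to-address-list
# rule below with a 5 min timeout. A static entry like this has NO timeout and
# stays blackholed until removed by hand - it is only an example, delete it.
add address=5.6.7.8 list=DDOSOWANI
/ip firewall mangle
# A rule with no action accepts the packet and ends mangle processing, so PASS
# destinations leave the chain here and can never be marked or listed.
add chain=prerouting comment="wybij PASS z blackhole" dst-address-list=PASS
# Per-destination rate limits (rate,burst,keyed on dst-address). A packet that
# is still within the limit matches and is accepted (leaves the chain); only
# the excess falls through to the DDOS mark below.
# NOTE(review): the original had 3 identical TCP rules and 4 identical
# protocol-agnostic rules at 10000 pps each. Every firewall rule keeps its own
# dst-limit bucket, so identical copies stack and the effective trigger point
# was several times the "20tys" (20 000 pps) the comments describe. One rule
# per class at 20000 now matches the comments; tune to your link. A TCP or
# ICMP packet that exceeds its own bucket still passes through the generic
# bucket, so those two classes are effectively allowed up to 2x the value.
add chain=prerouting comment="TCP 20tys pkt na dst" dst-limit=\
    20000,20000,dst-address in-bridge-port=sfpplus1 protocol=tcp
add chain=prerouting comment="ICMP 20tys pkt na dst" dst-limit=\
    20000,20000,dst-address in-bridge-port=sfpplus1 protocol=icmp
add chain=prerouting comment="20tys pkt na dst" dst-limit=\
    20000,20000,dst-address in-bridge-port=sfpplus1
# Everything still here exceeded its limit: mark it ...
add action=mark-packet chain=prerouting in-bridge-port=sfpplus1 \
    new-packet-mark=DDOS
# ... log it at most once per attacked destination per minute ...
# NOTE(review): the original keyed this limit on src-and-dst-addresses. In a
# spoofed-source flood every packet carries a fresh source, so each one was a
# new key and got its own log line - the limiter did not limit. Keying on the
# destination caps logging at one line per target per minute; the sources are
# not useful in the log during a flood anyway.
add action=log chain=prerouting dst-limit=1/1m,0,dst-address \
    log-prefix=DDOS: packet-mark=DDOS
# ... and list the destination for 5 minutes. The rule refires once a minute
# per destination while the flood lasts, which keeps extending the entry; the
# entry expires 5 minutes after the last refire and the script then withdraws
# the /32.
add action=add-dst-to-address-list address-list=DDOSOWANI \
    address-list-timeout=5m chain=prerouting dst-limit=1/1m,0,dst-address \
    packet-mark=DDOS
/routing bgp peer
# iBGP sessions to the routers that install the blackhole. in-filter discards
# everything received: this box announces, it never learns routes.
add in-filter=bgp-blackhole-in multihop=yes name=router_bgp1 out-filter=\
    bgp-blackhole-out remote-address=10.11.11.1 remote-as=64496 ttl=\
    default
add in-filter=bgp-blackhole-in multihop=yes name=router_bgp2 out-filter=\
    bgp-blackhole-out remote-address=10.11.11.2 remote-as=64496 ttl=\
    default
/routing filter
# Outbound: only host routes (the /32s the script creates) are allowed out,
# tagged with the blackhole community and pointed at the discard next-hop.
# Everything else is discarded so that a stray or mistyped network entry can
# never leak or blackhole a wider prefix. 192.168.192.168 must resolve to a
# discard route on the receiving routers.
# NOTE(review): set-in-nexthop is kept from the original; on an out-filter
# set-out-nexthop is usually what is meant - confirm on your ROS version.
add action=accept append-bgp-communities=64496:997 chain=bgp-blackhole-out \
    prefix-length=32 set-in-nexthop=192.168.192.168
add action=discard chain=bgp-blackhole-out
# Inbound: accept nothing from the peers.
add action=discard chain=bgp-blackhole-in
/system scheduler
# NOTE(review): the original granted ftp,reboot,policy,password,sniff,sensitive
# to a script that only reads an address list, edits BGP networks and sends
# mail. read,write cover that; test is kept for /tool e-mail send - drop it if
# sending still works without it on your version. The scheduler's policy must
# cover the script's, so both carry the same set.
add interval=4s name=blackhole on-event="/system script run update-blackhole" \
    policy=read,write,test start-time=startup
/system script
add name=update-blackhole owner=admin policy=read,write,test source="# BGP blackhole updater. Mirrors the DDOSOWANI firewall address list into\r\
\n# /routing bgp network: every active entry becomes a /32 announced to the\r\
\n# blackhole peers, and the /32 is withdrawn once the entry expires (5 min,\r\
\n# see the add-dst-to-address-list mangle rule). Run by the \"blackhole\"\r\
\n# scheduler every 4 s; output goes to :log, not :put, because a scheduled\r\
\n# script has no terminal to print to.\r\
\n:local tag \"mt-anti-ddos\";\r\
\n:local refresh false;\r\
\n\r\
\n# 1. Announce every active list entry that is not announced yet.\r\
\n:foreach entry in=[/ip firewall address-list find list=DDOSOWANI disabled=no] do={\r\
\n  :local ip [:tostr [/ip firewall address-list get \$entry address]];\r\
\n  # add-dst-to-address-list only ever writes single hosts; a CIDR or range\r\
\n  # added by hand would turn into \"a.b.c.d/24/32\", so skip it instead.\r\
\n  :if ([:typeof [:find \$ip \"/\"]] = \"num\" || [:typeof [:find \$ip \"-\"]] = \"num\") do={\r\
\n    :log warning \"mt-anti-ddos: skipping non-host DDOSOWANI entry \$ip\";\r\
\n  } else={\r\
\n    :if ([:len [/routing bgp network find network=\"\$ip/32\"]] = 0) do={\r\
\n      # comment=\$tag marks the network as script-managed (see step 2)\r\
\n      /routing bgp network add network=\"\$ip/32\" synchronize=no comment=\$tag;\r\
\n      :set refresh true;\r\
\n      :log info \"mt-anti-ddos: \$ip/32 added to BGP blackhole for 5 min\";\r\
\n      /tool e-mail send to=\"noc@domena.pl\" subject=\"Moja siec BGP blackhole update - \$ip added for 5 min\" from=notice@domena.pl server=3.4.5.6 body=\"IP \$ip dodane na 5 min\"\r\
\n    }\r\
\n  }\r\
\n}\r\
\n\r\
\n# 2. Withdraw script-managed /32s whose list entry is gone. Only networks\r\
\n# tagged with \$tag are touched: the original matched synchronize=no, which\r\
\n# also deleted any network the operator had added by hand with that flag.\r\
\n# Networks created by an older version (no comment) must be removed once by hand.\r\
\n:foreach net in=[/routing bgp network find comment=\$tag] do={\r\
\n  :local prefix [:tostr [/routing bgp network get \$net network]];\r\
\n  # strip the trailing \"/32\" to get the bare address the list is keyed on\r\
\n  :local ip [:pick \$prefix 0 ([:len \$prefix] - 3)];\r\
\n  :if ([:len [/ip firewall address-list find list=DDOSOWANI address=\$ip disabled=no]] = 0) do={\r\
\n    /routing bgp network remove \$net;\r\
\n    :set refresh true;\r\
\n    :log info \"mt-anti-ddos: \$ip/32 withdrawn from BGP blackhole\";\r\
\n  }\r\
\n}\r\
\n\r\
\n# Push the changed network set to the peers in one go.\r\
\n:if (\$refresh = true) do={\r\
\n  /routing bgp peer resend-all\r\
\n}\r\
\n"
--------------------------------------------------------------------------------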