My friend Andrew worked with FastNetMon and Mikrotik a lot discovering and correcting bugs.
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

----- Original Message -----
From: "Josh Baird" <[email protected]>
To: [email protected]
Sent: Monday, April 2, 2018 4:57:51 PM
Subject: Re: [AFMUG] DDOS protection

+1 for FastNetMon. They also just announced this:

"FastNetMon passed #Mikrotik compatibility #certification! Check our entry in MFA (made for MikroTik) list: https://mikrotik.com/mfm/software #FastNetMon #MFA #DDoS #protectiontool #security #news Order free trial for FastNetMon: https://fastnetmon.com/trial/"

On Mon, Apr 2, 2018 at 5:21 PM, Mike Hammett <[email protected]> wrote:

You don't need to reinvent the wheel. FastNetMon.

-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

From: "castarritt ." <[email protected]>
To: [email protected]
Sent: Monday, April 2, 2018 4:18:50 PM
Subject: Re: [AFMUG] DDOS protection

We are working on a Mikrotik method of automatic detection and mitigation based on a firewall rule adding addresses to a list that are getting a certain number of packets per second, and then a script that adds that /32 to BGP networks for advertisement with the correct black hole community (HE.net), or black hole server (Cogent). It works in a lab setting, but we haven't had an attack since implementing the detection side only to our edge router.

On Mon, Apr 2, 2018 at 3:16 PM, Mathew Howard <[email protected]> wrote:

<blockquote>
Yeah, something like that seems kind of pointless... even with 10Gbps, there's a good chance it's going to just overload your upstreams anyway, and just about any DDoS attack worth mentioning is going to kill 1Gbps these days. DDoS mitigation on your upstreams would seem like a better way to go to me.

On Mon, Apr 2, 2018 at 3:08 PM, Seth Mattinen <[email protected]> wrote:

<blockquote>
On 4/2/18 11:12, Paul McCall wrote:

<blockquote>
Anybody used a device like this at Layer 2 in between your core and an upstream?

Purpose: Protection / Mitigation of DDOS attacks.

http://www.serveru.us/en/

We have 1 Gbit interfaces currently, but that will jump up to 10Gbit interfaces soon.

Nowadays DDoS attacks can easily surpass 10Gbps, so I don't see the point of trying to do any on-net scrubbing unless you can bring more bandwidth to bear than the attacker can.
</blockquote>
</blockquote>
</blockquote>
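
The detect-then-blackhole approach castarritt describes in the thread above, sketched in Python as an added example; it is not code from the thread, from FastNetMon, or a RouterOS script. The threshold, the sustain window, the protected prefix, the community placeholder and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All values below are assumptions for illustration, not from the thread.
PPS_THRESHOLD = 50_000                        # packets per second per destination
SUSTAIN_SECONDS = 3                           # consecutive seconds over threshold
PROTECTED = [ip_network("198.51.100.0/24")]   # documentation prefix standing in for our space
BLACKHOLE_COMMUNITY = "<UPSTREAM-BLACKHOLE-COMMUNITY>"  # placeholder, ask your upstream

def detect(samples, threshold=PPS_THRESHOLD, sustain=SUSTAIN_SECONDS):
    """samples: (second, dst_ip, packets) tuples. Returns /32s to blackhole."""
    pps = defaultdict(int)
    for sec, dst, pkts in samples:
        addr = ip_address(dst)
        # Only ever consider our own space; never announce someone else's /32.
        if any(addr in net for net in PROTECTED):
            pps[(addr, sec)] += pkts          # sum all flows to the same destination
    hot = defaultdict(list)
    for (addr, sec), total in pps.items():
        if total > threshold:
            hot[addr].append(sec)
    victims = []
    for addr, secs in hot.items():
        run, prev = 0, None
        for s in sorted(secs):
            run = run + 1 if prev is not None and s == prev + 1 else 1
            prev = s
            if run >= sustain:                # sustained, not a one-second burst
                victims.append(ip_network(f"{addr}/32"))
                break
    return sorted(victims)

def announcements(victims):
    """Router-neutral description of the routes a script would originate."""
    return [{"prefix": str(v), "community": BLACKHOLE_COMMUNITY} for v in victims]

# Constructed sample: (second, destination, packets)
SAMPLES = (
    [(s, "198.51.100.10", 40_000) for s in range(5)] * 2      # two flows, 80k pps sustained
    + [(2, "198.51.100.20", 90_000)]                          # single-second spike
    + [(s, "198.51.100.30", 1_000) for s in range(5)]         # normal traffic
    + [(s, "203.0.113.5", 100_000) for s in range(5)]         # not our address space
)

if __name__ == "__main__":
    for route in announcements(detect(SAMPLES)):
        print(route)
```

Blackholing a /32 drops all traffic to that address upstream, legitimate traffic included, so the protected-prefix check and the sustain window are what keep a short burst from taking a customer offline.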
