Yes, efficiency was what I was asking. I use address lists extensively
but the lists are small, never more than a few hundred entries. I was
wondering as the list grew to 150-200K entries if it would still be as
efficient. We will be extending this drop list to 14 days from 3.
Thanks, Dave
On 12/4/2012 2:59 PM, [email protected] wrote:
Today's Topics:
1. Re: DOS attack question (Butch Evans)
2. Re: DOS attack question (Josh Luthman)
3. Managing traffic on management ports (Ty Featherling)
4. Re: DOS attack question (Butch Evans)
5. Re: DOS attack question (Josh Luthman)
6. Re: Managing traffic on management ports (Butch Evans)
7. Re: DOS attack question (Butch Evans)
8. Re: Managing traffic on management ports (Ty Featherling)
----------------------------------------------------------------------
Message: 1
Date: Tue, 04 Dec 2012 12:58:27 -0600
From: Butch Evans <[email protected]>
Subject: Re: [Mikrotik] DOS attack question
To: Mikrotik discussions <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
On Tue, 2012-12-04 at 11:35 -0500, David Hulsebus wrote:
We've had someone sending network attacks on us over the last few days.
We are blocking 15K + IP addresses each 24 hours and have an address
list that has grown to more than 45K since Sunday morning. I do see my
CPU usage hasn't really grown beyond 10% - it usually runs 6-8%. Which
brings me to the question. At that scale are address list look-ups more
efficient than multiple rules? Or is there a difference? I am looking
at increasing the blocked time from 3 days to 14.
Address lists are much more efficient than multiple rules. For example:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=nossh action=drop
The above is MUCH more efficient with an address list of 100 IPs than it
would be to have 100 rules of dropping dst-port tcp/22. I am assuming
this is the question you are asking. NOTE that this is just an example
and NOT the best way to handle input rules to manage traffic on port 22
or any other management port.
--
David Hulsebus
Portative Technologies, LLC
1995 Allison Lane, Suite 100
Corydon, IN 47112
812-738-7007
www.portative.com
_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
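Added example (not from the thread or from either poster): a RouterOS input chain built around address lists, with the drop-list timeout set to the 14 days Dave mentions and management ports restricted to an allow list, which is the direction Butch hints at. The list names, the management subnet 192.0.2.0/24, port 8291 for Winbox and the 14d timeout are assumptions for illustration.

```routeros
# Added example, not configuration from the thread. List names, the
# management subnet and the timeout are assumed values.
/ip firewall address-list
add list=mgmt-allowed address=192.0.2.0/24 comment="hosts allowed to reach management ports"

/ip firewall filter
# State first: established traffic never reaches the address-list checks
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# One rule covers the whole drop list; the lookup does not become a rule
# per blocked address, which is the point Butch makes about address lists
add chain=input src-address-list=blocked action=drop comment="drop list"
# Management ports (SSH, Winbox): only the allow list gets in
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt-allowed action=accept
# Anyone else opening a new connection to SSH is added to the drop list for
# 14 days and then dropped; later packets hit the drop-list rule above
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=blocked address-list-timeout=14d \
    comment="unknown source probing SSH: block for 14 days"
add chain=input protocol=tcp dst-port=22,8291 action=drop

# Existing entries keep the timeout they were created with; to move the
# current list from 3 days to 14 days, reset the timeout on every entry
/ip firewall address-list set [find list=blocked] timeout=14d

# Checks: size of the drop list and per-rule hit counters
/ip firewall address-list print count-only where list=blocked
/ip firewall filter print stats where chain=input
```

The order matters: the established/related accept and the single drop-list rule sit above the per-port rules, so a large list costs one lookup per new connection rather than one rule evaluation per address.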