Now I have to discuss Firewall Raw, something you may have seen when you go to IP/Firewall on MikroTik:
The question that may come to your mind: what is Firewall Raw, and how does it differ from the Firewall Filter rules that we have been discussing throughout the whole book?
Well, the answer is as follows: Firewall Raw can filter packets reaching the MikroTik RouterOS device before they reach connection tracking. As we have seen before, MikroTik RouterOS is a stateful firewall that keeps track of all connections passing through it, which is a very good thing. But the problem here is that in case of a DOS attack such as a TCP SYN attack, the MikroTik RouterOS will keep in its connection tracking table all the entries generated by that attack, causing the router CPU to go to 100% (something we saw when we spoke about the TCP SYN attack in this book).
To avoid this, you can apply your firewall rules against the TCP SYN attack in Firewall Raw. This way the router will drop the TCP SYN attack packets before they reach connection tracking, which helps our router keep better CPU performance. However, I should mention that the firewall itself also consumes a lot of CPU resources; that's why I always advise implementing a big MikroTik device as a firewall, one with many CPU cores and a lot of memory (preferably a RouterOS image installed on a server blade).
The other question that you may ask: how did we decide that Firewall Raw works before the connection reaches connection tracking?
Well, here we can go to the subprocesses of the routing box in the packet flow diagram, and we can see the following:
We do have 2 chains where we can apply Firewall Raw rules:
- Prerouting chain
- Output chain
And that's something I can show clearly in Winbox: when I open a Raw rule, you can see that we have only 2 possibilities to use as chains, Prerouting and Output:
If you look carefully at each of the chains, you see that Raw always comes before connection tracking. That's why we can drop packets in Firewall Raw before they reach connection tracking and exhaust our MikroTik router.
Now that we know the theory, let's do a LAB to see how we can protect our MikroTik router from a TCP SYN attack, but this time using Firewall Raw.
LAB: Firewall RAW against TCP Syn Attack
Back to the scenario where the attacker is sitting on the internet and wishes to launch a SYN flood attack against our MikroTik router. I am not going to explain this type of attack again because I have already done so earlier in this book. Also, we already know that if the attacker launches the SYN flood attack, the CPU of the MikroTik router goes to 100% and we get a huge list of TCP entries in connection tracking (something we have seen previously).
Let's focus now on the firewall raw rules that protect against this type of attack:
This is the 1st raw rule that I have created. It says that for any TCP traffic the router detects coming in on interface Ether1 with the SYN flag set, if it is at most 405 packets per second, let it through.
Now I need another rule to say that anything else should be dropped:
As a result, I now have the following 2 Firewall raw rules:
Let's run the TCP SYN flood attack from Kali Linux and see its effect on the MikroTik router. Remember, we may see 405 entries in connection tracking from the DOS attack that we will be running (maybe 405 is too many; I will make it less so we can recognize the open connections inside the connection tracking table).
Here it is. My CPU is still going high, by the way, because I am using a small hAP lite AC router, but in your case you should have a bigger MikroTik router and you will see that with such an attack your CPU will have less usage when using Firewall Raw rules compared to the normal firewall filter rules.
Let's see if the rules are working and if the DOS attack was blocked by the rule that drops the TCP SYN attack:
Indeed, it is blocking the attack (look at how much the bytes/packets counters have increased).
This is all I wanted to explain about Firewall Raw; let me just provide you with the script of the Raw rules:
/ip firewall raw
add action=accept chain=prerouting in-interface=ether1 limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=prerouting in-interface=ether1 protocol=tcp tcp-flags=syn
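The following Python simulation is an added example, not part of this book and not RouterOS code. It models the first raw rule's `limit=400,5:packet` matcher as a token bucket (an assumption about how the matcher behaves, used only for illustration) and pushes a constructed SYN burst of 1000 packets in one second through it twice: once placed before connection tracking, as the raw rule above, and once after connection tracking, as an ordinary filter rule would be. Both placements accept the same handful of packets; the difference is how many packets and new flows connection tracking has to handle.

```python
"""Added illustration: a token-bucket model of the raw 'limit=400,5:packet'
rule, compared against the same limit applied after connection tracking."""
from fractions import Fraction


class PacketLimit:
    """Model of a RouterOS 'limit=rate,burst:packet' matcher as a token bucket
    (assumption for illustration; the page does not describe RouterOS internals).
    The bucket holds at most `burst` tokens and refills `rate` tokens per second;
    a packet matches while at least one token is available."""

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate_per_ms = Fraction(rate_per_sec, 1000)  # exact arithmetic, no float drift
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last_ms = None

    def matches(self, now_ms: int) -> bool:
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.rate_per_ms
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def syn_flood(count: int = 1000, interval_ms: int = 1):
    """Constructed sample: `count` SYNs, one every `interval_ms`, each from a new
    spoofed source port of 203.0.113.7 (a documentation address, not a real host)."""
    return [(i * interval_ms, ("203.0.113.7", 40000 + i)) for i in range(count)]


def run(packets, rate: int = 400, burst: int = 5):
    """Push the same packets through two placements of the limit rule and return
    (raw_counters, filter_counters). In the 'raw' placement the decision is made
    before connection tracking, so only accepted packets reach it; in the 'filter'
    placement connection tracking examines every packet and opens an entry for
    each new flow before the rule runs (the behaviour the chapter describes)."""
    raw_limit, filt_limit = PacketLimit(rate, burst), PacketLimit(rate, burst)
    raw = {"accepted": 0, "dropped": 0, "conntrack_packets": 0}
    filt = {"accepted": 0, "dropped": 0, "conntrack_packets": 0}
    raw_flows, filt_flows = set(), set()

    for t_ms, flow in packets:
        # filter placement: connection tracking first, then the rule
        filt["conntrack_packets"] += 1
        filt_flows.add(flow)
        if filt_limit.matches(t_ms):
            filt["accepted"] += 1
        else:
            filt["dropped"] += 1

        # raw placement: the rule first, connection tracking only for what survives
        if raw_limit.matches(t_ms):
            raw["accepted"] += 1
            raw["conntrack_packets"] += 1
            raw_flows.add(flow)
        else:
            raw["dropped"] += 1

    raw["conntrack_entries"] = len(raw_flows)
    filt["conntrack_entries"] = len(filt_flows)
    return raw, filt


if __name__ == "__main__":
    raw, filt = run(syn_flood())
    print("raw   :", raw)   # 404 accepted (5 burst + 400/s over ~1 s), 404 conntrack entries
    print("filter:", filt)  # same accept/drop split, but 1000 packets and 1000 entries in conntrack
```

With the constructed burst, both placements let roughly 404 SYNs through in the first second (the 5-packet burst plus the 400 per second refill, which is where the chapter's figure of about 405 comes from) and drop the remaining 596. The raw placement hands only those 404 packets to connection tracking, whereas the filter placement makes connection tracking process all 1000 and open an entry for each spoofed source port, which is exactly the CPU and table growth the chapter warns about.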