Strange DDOS problem

Posted: Mon Jul 04, 2022 10:02 pm
by saahil
Hi everyone,

We have a very strange problem going on, it could be because of some misconfiguration. Any small guide or idea will be really appreciated.

We have 2 upstream ebgp peering sessions. Both upstream gave us /30 PTP IP to be configured on our end.

The problem is we are seeing almost 200 - 300Mbps and at times up to 500-600Mbps inbound traffic [assuming DDoS] on the IP assigned to us by the upstream. If we turn off the upstream 1 eBGP session and disable the VLAN on which the service is configured, after 3-5 mins the attack is on the 2nd upstream PTP IP assigned to us, which is running the BGP session.

If I torch the interface:
protocol is udp
remote port is 100
destination port is 443 https

If it's our IP or network, we can advertise a /32 to the blackhole community.

This is on the edge router; nothing is going inwards towards our network and customers, where we have iBGP sessions with the edge router. However, sometimes these hits and the DDoS traffic take down all the sessions, with CPU at 100% on the edge router.

Connection tracking is off.
We have raw filters; searched many forums and guides.

Once again any help or guide will be really appreciated.

Re: Strange DDOS problem

Posted: Mon Jul 04, 2022 11:34 pm
by tangent
If it's actually a DDoS, you can't fix it at the endpoint. It'd be like trying to stop someone from choking by clamping their esophageal sphincters shut. You have to stop new material from entering the mouth, the border gateway in this analogy.

This is why there are services such as CloudFlare DDoS Protection: they've got much bigger pipes than you, so they can absorb the excess.

If you think it's BGP misconfiguration, then show your configuration. We aren't going to just guess.

It would also be useful to get a distribution of the source IPs for these connections. It matters whether they're all from China Mobile, or all from South America, or all from around the world.
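The source-IP distribution check suggested above, as an added example that is not part of the thread: it aggregates exported flow records by source prefix so you can see whether the UDP/443 traffic on the PTP address is concentrated in one network or spread out. The flow record format, the hypothetical PTP address 203.0.113.2 and all sample values are constructed.

```python
# Added example (not from the thread): group flow records by source prefix to
# see whether the UDP/443 traffic on the PTP address comes from one network or
# is spread world-wide.  Record format and sample values are constructed.
import ipaddress
from collections import Counter

# Constructed sample flow records: src,dst,proto,src_port,dst_port,bytes
# 203.0.113.2 stands in for the /30 PTP address assigned by the upstream.
SAMPLE_FLOWS = """\
198.51.100.7,203.0.113.2,udp,100,443,1400
198.51.100.9,203.0.113.2,udp,100,443,1400
198.51.100.20,203.0.113.2,udp,100,443,1400
192.0.2.33,203.0.113.2,udp,100,443,1400
100.64.5.1,203.0.113.2,udp,100,443,1400
203.0.113.1,203.0.113.2,tcp,179,42111,60
192.0.2.50,203.0.113.2,udp,53,53,120
"""

def parse_flows(text):
    """Yield (src, dst, proto, sport, dport, nbytes) from CSV text, skipping blanks/comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, nbytes = line.split(",")
        yield src, dst, proto.lower(), int(sport), int(dport), int(nbytes)

def source_distribution(text, target_ip, dport=443, proto="udp", prefixlen=24):
    """Return (total_bytes, Counter of bytes per source /prefixlen, top_share).

    top_share is the fraction of matching bytes from the single largest source
    prefix: near 1.0 means one network, a small value means a diffuse flood.
    """
    per_prefix = Counter()
    total = 0
    for src, dst, p, _sport, dp, nbytes in parse_flows(text):
        if dst != target_ip or p != proto or dp != dport:
            continue  # keep only the pattern torch showed on the PTP address
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        per_prefix[str(net)] += nbytes
        total += nbytes
    top_share = per_prefix.most_common(1)[0][1] / total if total else 0.0
    return total, per_prefix, top_share

if __name__ == "__main__":
    total, dist, share = source_distribution(SAMPLE_FLOWS, "203.0.113.2")
    print(f"{total} bytes of UDP/443 to the PTP address; top prefix share {share:.2f}")
    for net, nbytes in dist.most_common():
        print(f"  {net:<20} {nbytes}")
```

Raising `prefixlen` to 16 or mapping prefixes to ASNs with your own lookup gives the per-carrier view the reply asks about.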