{"id":11871,"date":"2023-04-04T23:39:16","date_gmt":"2023-04-05T06:39:16","guid":{"rendered":"https:\/\/www.xh86.me\/?p=11871"},"modified":"2023-04-04T23:39:16","modified_gmt":"2023-04-05T06:39:16","slug":"mikrotik-routeros-v7%e5%8a%a8%e6%80%81%e9%98%b2%e5%be%a1ddos%e5%92%8ccc%e6%94%bb%e5%87%bb%e7%9a%84%e8%84%9a%e6%9c%ac","status":"publish","type":"post","link":"https:\/\/www.xh86.me\/?p=11871","title":{"rendered":"MikroTik RouterOS v7\u52a8\u6001\u9632\u5fa1DDOS\u548cCC\u653b\u51fb\u7684\u811a\u672c"},"content":{"rendered":"<p># \u914d\u7f6eIP\u9ed1\u540d\u5355<br \/>\n\/ip firewall address-list<br \/>\nadd address=0.0.0.0\/8 comment=&#8221;This network is used for testing&#8221; disabled=yes list=DDOS<br \/>\nadd address=10.0.0.0\/8 comment=&#8221;Private network&#8221; disabled=yes list=DDOS<br \/>\nadd address=127.0.0.0\/8 comment=&#8221;Loopback network&#8221; disabled=yes list=DDOS<br \/>\nadd address=169.254.0.0\/16 comment=&#8221;Link-local network&#8221; disabled=yes list=DDOS<br \/>\nadd address=172.16.0.0\/12 comment=&#8221;Private network&#8221; disabled=yes list=DDOS<br \/>\nadd address=192.0.2.0\/24 comment=&#8221;Documentation (TEST-NET-1)&#8221; disabled=yes list=DDOS<br \/>\nadd address=192.168.0.0\/16 comment=&#8221;Private network&#8221; disabled=yes list=DDOS<br \/>\nadd address=198.18.0.0\/15 comment=&#8221;Used for benchmark testing of inter-network communications&#8221; disabled=yes list=DDOS<br \/>\nadd address=198.51.100.0\/24 comment=&#8221;Documentation (TEST-NET-2)&#8221; disabled=yes list=DDOS<br \/>\nadd address=203.0.113.0\/24 comment=&#8221;Documentation (TEST-NET-3)&#8221; disabled=yes list=DDOS<br \/>\nadd address=224.0.0.0\/4 comment=&#8221;Multicast network&#8221; disabled=yes list=DDOS<br \/>\nadd address=240.0.0.0\/4 comment=&#8221;Reserved for future use&#8221; disabled=yes list=DDOS<\/p>\n<p># \u914d\u7f6e\u52a8\u6001DDOS\u653b\u51fb\u9632\u5fa1\u89c4\u5219<br \/>\n\/ip firewall filter<br \/>\nadd action=add-src-to-address-list address-list=DDOS address-list-timeout=1m chain=input comment=&#8221;Block invalid connections&#8221; connection-state=invalid<br \/>\nadd action=add-src-to-address-list address-list=DDOS address-list-timeout=10m chain=input comment=&#8221;Block TCP SYN flood&#8221; connection-limit=30,32 connection-state=new protocol=tcp tcp-flags=syn<br \/>\nadd action=add-src-to-address-list address-list=DDOS address-list-timeout=10m chain=input comment=&#8221;Block UDP flood&#8221; protocol=udp<br \/>\nadd action=add-src-to-address-list address-list=DDOS address-list-timeout=10m chain=input comment=&#8221;Block ICMP flood&#8221; protocol=icmp<br \/>\nadd action=add-src-to-address-list address-list=DDOS address-list-timeout=1h chain=input comment=&#8221;Block IP spoofing&#8221; src-address-list=DDOS src-address=!192.168.0.0\/16<\/p>\n<p># \u914d\u7f6e\u52a8\u6001CC\u653b\u51fb\u9632\u5fa1\u89c4\u5219<br \/>\n\/ip firewall filter<br \/>\nadd action=add-src-to-address-list address-list=CC-ATTACK address-list-timeout=10s chain=forward comment=&#8221;Block excessive connections from a single IP&#8221; connection-state=new limit-at=50\/1m,30 protocol=tcp<br \/>\nadd action=add-src-to-address-list address-list=CC-ATTACK address-list-timeout=1m chain=forward comment=&#8221;Add IP to blacklist after excessive connections&#8221; connection-state=new dst-port=80,443 protocol=tcp src-address-list=CC-ATTACK<br \/>\nadd action=drop chain=forward comment=&#8221;Drop connections from blacklisted IPs&#8221; src-address-list=CC-ATTACK<\/p>\n","protected":false},"excerpt":{"rendered":"<p># \u914d\u7f6eIP\u9ed1\u540d\u5355 \/ip firewall address-list add address=0.0.0.0 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,2],"tags":[],"class_list":["post-11871","post","type-post","status-publish","format-standard","hentry","category-mikrotik","category-network"],"_links":{"self":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/11871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11871"}],"version-history":[{"count":1,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/11871\/revisions"}],"predecessor-version":[{"id":11872,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/11871\/revisions\/11872"}],"wp:attachment":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}