MikroTik RouterOS Training: Traffic Control

Transcript of “133581396 Traffic Control Training Course” (142 slides), http://slidepdf.com/reader/full/133581396-traffic-control-training-course, captured 7/27/2019

© MikroTik 2009


Schedule

09:00 – 10:30 Morning Session I

10:30 – 11:00 Morning Break

11:00 – 12:30 Morning Session II

12:30 – 13:30 Lunch Break

13:30 – 15:00 Afternoon Session I

15:00 – 15:30 Afternoon Break

15:30 – 17:00 (18:00) Afternoon Session II


Instructors

Sergejs Boginskis, MikroTik

Support Engineer for 3 years

Specialization: Hotspot, IPSec, Routing, Wireless, User Manager, Firewall


Housekeeping

Course materials

Routers, cables

Break times and lunch

Restrooms and smoking area locations


Course Objective

Provide knowledge and hands-on training for the basic and advanced traffic control capabilities of MikroTik RouterOS, for networks of any size

Upon completion of the course you will be able to plan, implement, adjust and debug traffic control configurations built with MikroTik RouterOS.


Introduce Yourself

Please introduce yourself to the class:

Your name

Your company

Your previous knowledge about RouterOS

Your previous knowledge about networking

What do you expect from this course?

Please remember your class XY number (X is the number of the row, Y is your seat number in the row).

My number is: _________


Class Setup Lab

Create a 192.168.XY.0/24 Ethernet network between the laptop (.1) and the router (.254)

Connect the routers to the AP with SSID “ap_RB_adv”

Assign IP address 10.1.1.XY/24 to wlan1; the main gateway and DNS address is 10.1.1.254

Gain access to the Internet from your laptop via the local router

Create a new user for your router and change the “admin” user's access rights to “read”

Class Setup (diagram)


Class Setup Lab (cont.)

Set the system identity of the board and the wireless radio name to “XY_<your_name>”. Example: “00_Janis”

Upgrade your router to the latest MikroTik RouterOS 3.x version

Upgrade your Winbox loader version

Set up the NTP client – use 10.1.1.254 as the server

Create a configuration backup and copy it to the laptop (it will be the default configuration for the labs)
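The two setup lab slides as one RouterOS v3 script. This is an added example, not part of the course material. It assumes the laptop hangs off ether1, the seat number XY is 12, the student is Janis, the classroom gateway does not route the laptop subnet (hence the masquerade rule), and the password is a placeholder to be replaced.

```routeros
# Class setup lab as a RouterOS v3 script (added example, not course material).
# Assumed: laptop on ether1, XY = 12, name "Janis", password is a placeholder.

/system identity set name="12_Janis"

# Laptop side: 192.168.XY.0/24, router is .254, laptop is .1
/ip address add address=192.168.12.254/24 interface=ether1

# Uplink: join the classroom AP as a station and take 10.1.1.XY/24
/interface wireless set wlan1 mode=station ssid="ap_RB_adv" radio-name="12_Janis" disabled=no
/ip address add address=10.1.1.12/24 interface=wlan1
/ip route add dst-address=0.0.0.0/0 gateway=10.1.1.254

# Router's own resolver; remote requests stay off until the DNS cache lab
# (v5 and later spell this "servers=" instead of "primary-dns=")
/ip dns set primary-dns=10.1.1.254 allow-remote-requests=no

# Assumed: 10.1.1.254 has no route back to 192.168.12.0/24, so hide the laptop
# behind the router's wlan1 address
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="lab uplink"

# Accounts: create your own full-rights user first, then demote the default admin.
# Log in again as the new user before closing this session: a read-only admin
# cannot undo the change.
/user add name=janis group=full password="change-me"
/user set admin group=read

# Time sync against the classroom gateway
/system ntp client set enabled=yes primary-ntp=10.1.1.254

# Baseline backup; download it from the Files window (or by FTP) to the laptop
/system backup save name=default-config
```

Keep the backup off the router as well: a `.backup` file restores users and passwords too, so it belongs with the other secrets, not on a shared drive.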


Small ISP

First clients: “Just connect us to the Internet”

Situation: only one public IP address; the ISP does not provide a DNS server and has periodic virus problems in its network

Requirements:
● Masquerade
● Basic IP filter
● DHCP server
● DNS cache
● Port forwarding
● uPnP
● Web server



DNS Client and Cache

The DNS client is used by the router itself (for example by the web-proxy or hotspot configuration)

Enable the “Allow Remote Requests” option to turn the DNS client into a DNS cache

The DNS cache lets hosts use your router instead of the remote DNS server; like every cache, it minimizes resolution time

The DNS cache can also act as the DNS server for local area network address resolution

With “Allow Remote Requests” enabled the router answers queries arriving on every interface, the public one included; restrict port 53 in the input chain to the local network, otherwise the router is an open resolver that can be used for amplification attacks


Static DNS Entry

Each static DNS entry adds an entry to the DNS cache, or overrides (replaces) an existing one


DNS Cache Lab

Configure your router as a DNS cache. Use 10.1.1.254 as the primary server

Add a static DNS entry “www.XY.com” pointing to your router's local IP address (XY – your number)

Add a static DNS entry “www.XY.com” pointing to your neighbour router's public IP address (XY – your neighbour's number)

Change your laptop's DNS server address to your router's address

Try the configuration and monitor the cache list
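The DNS cache lab as RouterOS commands, together with the input-chain rules that keep the cache from becoming an open resolver. Added example, not course material; it assumes your number is 12, your neighbour's is 13, the laptop side is ether1 and the public side is wlan1 (the `primary-dns=` parameter is the v3 spelling, later versions use `servers=`).

```routeros
# DNS cache lab (added example). Assumed: XY = 12, neighbour = 13,
# LAN on ether1, public side on wlan1, RouterOS v3 parameter names.

# Forward to the classroom resolver and answer queries from clients
/ip dns set primary-dns=10.1.1.254 allow-remote-requests=yes

# Static entries: inserted into the cache, overriding whatever upstream answers
/ip dns static add name=www.12.com address=192.168.12.254 comment="my router, LAN side"
/ip dns static add name=www.13.com address=10.1.1.13 comment="neighbour's router, public side"

# allow-remote-requests=yes answers on every interface, wlan1 included.
# Keep port 53 reachable from the LAN only, or the router is an open resolver.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=accept comment="DNS from LAN"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=accept comment="DNS from LAN (TCP)"
/ip firewall filter add chain=input protocol=udp dst-port=53 action=drop comment="no DNS from elsewhere"
/ip firewall filter add chain=input protocol=tcp dst-port=53 action=drop comment="no DNS from elsewhere (TCP)"

# Point the laptop at 192.168.12.254, browse, then inspect and clear the cache
/ip dns cache print
/ip dns cache flush
```

The check that matters is from the outside: a `nslookup www.12.com 10.1.1.12` run from a neighbour's laptop must time out after the drop rules are in place, while the same query from your own laptop is answered from the cache.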


DHCP

The Dynamic Host Configuration Protocol is used for dynamic distribution of network settings such as:

IP address and netmask

Default gateway address

DNS and NTP server addresses

More than 100 other custom options (supported only by specific DHCP clients)

DHCP is inherently insecure (it is unauthenticated: any host on the segment can pose as a server, or request leases until the pool is empty) and should only be used in trusted networks


DHCP Communication scenario

DHCP Discover
src-mac=<client>, dst-mac=<broadcast>, protocol=udp, src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67

DHCP Offer
src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp, src-ip=<DHCP-server>:67, dst-ip=255.255.255.255:68

DHCP Request
src-mac=<client>, dst-mac=<broadcast>, protocol=udp, src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67

DHCP Acknowledgement
src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp, src-ip=<DHCP-server>:67, dst-ip=255.255.255.255:68

The server listens on UDP port 67 and the client on UDP port 68. The Offer and Acknowledgement are broadcast as shown only when the client set the broadcast flag in its request; otherwise the server may send them directly to the client's MAC address and the offered IP address.


DHCP Client Identification

The DHCP server is able to track the lease association with a particular client based on identification

The identification can be achieved in 2 ways:

Based on the “client-id” option (dhcp-client-identifier, option 61 from RFC 2132)

Based on the MAC address, if the “client-id” option is not specified

The “hostname” option allows RouterOS clients to send additional identification to the server; by default it is the “system identity” of the router

DHCP Client (diagram)


DHCP Server 

There can be only one DHCP server per interface/relay combination on the router

To create a DHCP server you must have:

an IP address on the desired DHCP server interface

an address pool for the clients

information about the planned DHCP network

All 3 must correspond (same subnet)

“Lease on Disk” (store leases on disk with a delay) should be used to reduce the number of writes to the drive (useful with flash drives)


DHCP Networks

In the DHCP Networks menu you can configure specific DHCP options for a particular network.

Some of the options are integrated into RouterOS; others can be assigned in raw form (as specified in the RFCs)

Additional information at: http://www.iana.org/assignments/bootp-dhcp-parameters

The DHCP server is able to send out any option; the DHCP client can receive only the implemented options


DHCP Options

Implemented DHCP options:

Subnet-Mask (option 1) – netmask

Router (option 3) – gateway

Domain-Server (option 6) – dns-server

Domain-Name (option 15) – domain

NTP-Servers (option 42) – ntp-server

NETBIOS-Name-Server (option 44) – wins-server

Custom DHCP option (example):

Classless Static Route (option 121) – “0x100A270A260101” = “network=10.39.0.0/16 gateway=10.38.1.1” (0x10 = prefix length 16, 0A27 = the two significant octets 10.39, 0A260101 = gateway 10.38.1.1)

Custom DHCP Option (diagram)


IP Address Pool

IP address pools are used to define the range of IP addresses for dynamic distribution (DHCP, PPP, Hotspot)

The address pool must exclude already occupied addresses (such as server or static addresses)

It is possible to assign more than one range to a pool

It is possible to chain several pools together by using the “Next Pool” option

IP Address Pools (diagram)

Address Pool in Action (diagram)


Other DHCP Server Settings

Src. Address – specifies the DHCP server's address if there is more than one IP address on the DHCP server's interface

Delay Threshold – prioritize one DHCP server over another (the server ignores requests whose “secs” field is below the threshold; a bigger delay means lower priority)

Add ARP For Leases – add ARP entries for leases; required if the interface has ARP=reply-only

Always Broadcast – allow communication with non-standard clients like pseudo-bridges

Bootp Support, Use RADIUS – (self-explanatory)


Authoritative DHCP Server

Authoritative – allows the DHCP server to reply to an unknown client's broadcast and ask the client to restart the lease (a client sends broadcasts only if unicast to the server fails when renewing the lease)

Authoritative allows you to:

Limit the damage done by rogue DHCP servers: leases obtained elsewhere are NAKed when the client tries to renew them (it cannot stop a rogue server from answering a Discover first; that needs filtering on the switch or bridge)

Adapt the network faster to DHCP configuration changes

DHCP Server (diagram)


DHCP Relay

A DHCP relay is just a proxy that is able to receive DHCP discover and request messages and resend them to the DHCP server

There can be only one DHCP relay between the DHCP server and the DHCP client

DHCP communication with the relay does not require an IP address on the relay, but the relay's “local address” option must be the same as the server's “relay address” option

DHCP Relay (diagram)


DHCP Lab

Interconnect with your neighbour using an Ethernet cable

Create 3 independent setups:

Create a DHCP server for your laptop

Create a DHCP server and relay for your neighbour's laptop (use the relay option)

Create a bridged network with 2 DHCP servers and 2 DHCP clients (laptops) and try out the “authoritative” and “delay threshold” options
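The DHCP section from the options slide through this lab, as one RouterOS script covering the first two setups (a local server, and a server reached through the neighbour's relay) and the option-121 encoding. This is an added example, not course material. It assumes Router A is seat 12 (laptop on ether1, cable to B on ether2), Router B is seat 13 (cable to A on ether1, laptop on ether2), a 192.168.99.0/30 link between them, and a second router at 192.168.12.253 as the next hop for the classless route.

```routeros
# DHCP lab for two routers joined by an Ethernet cable (added example, not
# course material). Assumed: Router A = seat 12 (laptop ether1, link ether2),
# Router B = seat 13 (link ether1, laptop ether2), link net 192.168.99.0/30.

# ---------------- Router A: server for its own laptop segment ----------------
/ip address add address=192.168.12.254/24 interface=ether1
/ip address add address=192.168.99.1/30 interface=ether2
/ip pool add name=pool-12 ranges=192.168.12.10-192.168.12.200   # leaves .1 (laptop static) and .254 (router) out

# Option 121, RFC 3442 classless static routes, encoded by hand:
#   10 0A27 C0A80CFD  -> /16, significant octets 10.39, gateway 192.168.12.253 (assumed second router)
#   00 C0A80CFE       -> /0 (no significant octets), gateway 192.168.12.254
# The slide's own value 0x100A270A260101 decodes the same way: /16, 10.39, gateway 10.38.1.1.
# A client that honours option 121 ignores option 3 (Router), so the default
# route has to be carried inside option 121 as well, as the second entry does.
/ip dhcp-server option add name=routes-121 code=121 value=0x100A27C0A80CFD00C0A80CFE

/ip dhcp-server network add address=192.168.12.0/24 gateway=192.168.12.254 dns-server=192.168.12.254 ntp-server=10.1.1.254 domain=lab12.example dhcp-option=routes-121
/ip dhcp-server add name=dhcp-12 interface=ether1 address-pool=pool-12 lease-time=1h authoritative=yes disabled=no

# ---------------- Router A: second instance, reached through B's relay ----------------
/ip pool add name=pool-13 ranges=192.168.13.10-192.168.13.200
/ip dhcp-server network add address=192.168.13.0/24 gateway=192.168.13.254 dns-server=192.168.13.254
# relay= must equal the relay's local-address; that is how the server picks this instance
/ip dhcp-server add name=dhcp-13 interface=ether2 relay=192.168.13.254 address-pool=pool-13 authoritative=yes disabled=no
# Replies are unicast to the relay address, so A needs a route to it
/ip route add dst-address=192.168.13.0/24 gateway=192.168.99.2

# ---------------- Router B: the relay ----------------
/ip address add address=192.168.99.2/30 interface=ether1
/ip address add address=192.168.13.254/24 interface=ether2
/ip dhcp-relay add name=relay-13 interface=ether2 dhcp-server=192.168.99.1 local-address=192.168.13.254 disabled=no

# Third setup (two servers on one bridged segment): give the backup a delay
# threshold, so it answers only clients that have been retrying for 2 s,
# i.e. only when the primary stays silent.
#   /ip dhcp-server add name=dhcp-backup interface=bridge1 address-pool=pool-12 delay-threshold=2s authoritative=yes disabled=no

# Watch leases arrive, and which identifier (client-id or MAC) each is keyed on
/ip dhcp-server lease print
```

On the relayed segment, confirm with `/ip dhcp-server lease print` on Router A that the lease is bound to `dhcp-13` and not to `dhcp-12`: a mismatch between `relay=` and `local-address=` is the usual reason a relayed Discover is silently ignored.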


Firewall Filters Structure

Firewall filter rules are organized in chains

There are default and user-defined chains

There are three default chains:

input – processes packets sent to the router

output – processes packets sent by the router

forward – processes packets sent through the router

Every user-defined chain should be reached (via a “jump” rule) from at least one of the default chains

Firewall Filter Structure (diagram)


Connection Tracking

The Connection Tracking (conntrack) system is the heart of the firewall; it gathers and manages information about all active connections.

By disabling the conntrack system you lose the NAT functionality and most of the filter and mangle conditions.

Each conntrack table entry represents a bidirectional data exchange

Conntrack takes a lot of CPU resources (disable it if you don't use the firewall)

Conntrack Placement (diagram)

Conntrack – Winbox View (diagram)


Condition: Connection State

Connection state is a status assigned to each packet by the conntrack system:

New – the packet is opening a new connection

Established – the packet belongs to an already known connection

Invalid – the packet cannot be associated with any known connection (or does not fit the expected state of one)

Related – the packet is also opening a new connection, but it is in some kind of relation to an already known connection (for example an FTP data connection)

Connection state ≠ TCP state

First Rule Example (diagram)


Chain Input

Protection of the router – allowing only the necessary services, from reliable sources, with an acceptable load.


Connection State Lab

Create 3 rules to ensure that only connection-state new packets proceed further through the input filter:

Drop all connection-state invalid packets

Accept all connection-state related packets

Accept all connection-state established packets

Create 2 rules to ensure that only you are able to connect to the router:

Accept all packets from your local network

Drop everything else

RouterOS v3 Services (diagram)


RouterOS Service Lab

Create a chain “services”

Create rules to allow the necessary RouterOS services to be accessed from the public network

Create a “jump” rule from the chain “input” to the chain “services”

Place the “jump” rule accordingly (after the connection-state rules and before the final drop)

Write a comment for each firewall rule

Ask your neighbour to check the setup
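The Connection State lab and the Service lab as one input chain, in the order the rules must be evaluated. Added example, not course material; it assumes the LAN is 192.168.12.0/24 on ether1, the public side is wlan1, the classroom network 10.1.1.0/24 is the only “public” source allowed to reach Winbox and SSH, and the `limit=10,5` form of the rate limiter (RouterOS v6 and later write it `limit=10,5:packet`).

```routeros
# Input chain for the two labs above (added example, not course material).
# Assumed: LAN 192.168.12.0/24 on ether1, public side wlan1, classroom
# network 10.1.1.0/24 is the only remote source allowed to manage the router.
# Rules are evaluated top to bottom until one matches, so order is the policy.

# 1. Let conntrack decide for everything that is not a new connection
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop invalid"
/ip firewall filter add chain=input connection-state=related action=accept comment="accept related"
/ip firewall filter add chain=input connection-state=established action=accept comment="accept established"

# 2. Management from the LAN only (match interface and address: an address
#    alone can be spoofed from the public side)
/ip firewall filter add chain=input in-interface=ether1 src-address=192.168.12.0/24 action=accept comment="LAN to router"

# 3. Public-side services live in their own chain; the jump sits before the final drop
/ip firewall filter add chain=input in-interface=wlan1 action=jump jump-target=services comment="public services"
/ip firewall filter add chain=services protocol=icmp limit=10,5 action=accept comment="ping, rate limited (v6+: limit=10,5:packet)"
/ip firewall filter add chain=services protocol=tcp dst-port=8291 src-address=10.1.1.0/24 action=accept comment="winbox from classroom net"
/ip firewall filter add chain=services protocol=tcp dst-port=22 src-address=10.1.1.0/24 action=accept comment="ssh from classroom net"
/ip firewall filter add chain=services action=return comment="nothing matched: back to input"

# 4. Everything else. Add this rule last, ideally in Safe Mode (Ctrl-X in the
#    terminal), so a typo in an accept rule does not lock you out.
/ip firewall filter add chain=input action=drop comment="drop the rest"

# Belt and braces: the services the filter does not expose should not listen
# at all, and the ones it does can be bound to the management networks as well
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=192.168.12.0/24
/ip service set winbox address=192.168.12.0/24,10.1.1.0/24
/ip service set ssh address=192.168.12.0/24,10.1.1.0/24
/ip service print

# Counters tell you which rule actually matched a test from the neighbour's laptop
/ip firewall filter print stats
```

The neighbour's check is simple: from 10.1.1.13 a Winbox connection to 10.1.1.12 succeeds, a telnet to port 23 is refused, and a DNS query to port 53 gets no answer at all (dropped, not rejected), while the `LAN to router` counter never moves during those tests.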

Chain Forward

Protection of the customers from viruses, and protection of the Internet from the customers


Virus Port Filter

At the moment there are a few hundred active trojans and fewer than 50 active worms

You can download the complete “virus port blocker” chain (~330 drop rules with ~500 blocked virus ports) from ftp://[email protected]

Some viruses and trojans use standard service ports and cannot be blocked by port number alone.


Chain Forward Lab

Create 3 rules to ensure that only connection-state new packets proceed further through the forward filter:

Drop all connection-state invalid packets

Accept all connection-state related packets

Accept all connection-state established packets

Import the viruses.rsc file into the router

Create a jump rule to the chain “viruses”


Bogon IPs

There are ~4.3 billion IPv4 addresses

Several IP ranges are restricted in the public network (private, loopback, link-local, multicast)

Several IP ranges are reserved (not used at the moment) for specific purposes

There are lots of unused IP ranges!

You can find information about all unused IP ranges at: http://www.completewhois.com/bogons/

A bogon list is a snapshot: unallocated ranges are handed out to real networks over time, so a static list must be refreshed regularly or it will begin to drop legitimate traffic


Address List Options

Instead of creating one filter rule for each IP network address, you can create a single rule that matches an IP address list.

Use the “Src./Dst. Address List” options

Create an address list in the “/ip firewall address-list” menu


Address List Lab

Make an address list of the most common bogon IP ranges


Adv. Address Filtering Lab

Allow packets to enter your network only from valid Internet addresses (not from bogons)

Allow packets to enter your network only to valid customer addresses

Allow packets to leave your network only from valid customer addresses

Allow packets to leave your network only to valid Internet addresses

Place the rules accordingly
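The forward chain for the Chain Forward, Address List and Advanced Address Filtering labs in one script: the state rules, the jump to the imported virus chain, a bogon address list, and the four direction/address checks (this is ingress and egress filtering as described in BCP 38). Added example, not course material. It assumes the customers are 192.168.12.0/24 on ether1 and the Internet is on wlan1; the bogon entries are the well-known fixed ranges, not a copy of the 2009 list the slide links to.

```routeros
# Forward chain for the small-ISP router (added example, not course material).
# Assumed: customers 192.168.12.0/24 on ether1, Internet on wlan1.

/ip firewall filter add chain=forward connection-state=invalid action=drop comment="drop invalid"
/ip firewall filter add chain=forward connection-state=related action=accept comment="accept related"
/ip firewall filter add chain=forward connection-state=established action=accept comment="accept established"

# Virus port chain: upload viruses.rsc to the router first, then import it
/import file-name=viruses.rsc
/ip firewall filter add chain=forward action=jump jump-target=viruses comment="virus port blocker"

# Bogons as an address list: ranges that are never legitimate sources on the
# public side. Unallocated ranges belong here too, but they change, so refresh
# them from a current source rather than hard-coding a list.
/ip firewall address-list add list=bogons address=0.0.0.0/8
/ip firewall address-list add list=bogons address=10.0.0.0/8      # the classroom "Internet" is 10.1.1.0/24: disable this entry while testing
/ip firewall address-list add list=bogons address=127.0.0.0/8
/ip firewall address-list add list=bogons address=169.254.0.0/16
/ip firewall address-list add list=bogons address=172.16.0.0/12
/ip firewall address-list add list=bogons address=192.0.2.0/24
/ip firewall address-list add list=bogons address=192.168.0.0/16
/ip firewall address-list add list=bogons address=224.0.0.0/3
/ip firewall address-list add list=customers address=192.168.12.0/24

# Inbound from the Internet: source must not be a bogon, destination must be a customer
/ip firewall filter add chain=forward in-interface=wlan1 src-address-list=bogons action=drop comment="spoofed source from Internet"
/ip firewall filter add chain=forward in-interface=wlan1 dst-address-list=!customers action=drop comment="not addressed to a customer"

# Outbound to the Internet: source must be a customer, destination must not be a bogon
/ip firewall filter add chain=forward out-interface=wlan1 src-address-list=!customers action=drop comment="spoofed customer source"
/ip firewall filter add chain=forward out-interface=wlan1 dst-address-list=bogons action=drop comment="private destination leaking out"

# One rule per direction and list instead of one per prefix; add ranges, not rules
/ip firewall address-list print
/ip firewall filter print stats
```

The negated list match (`!customers`) is what makes the egress rule useful: a customer host with a mis-set address, or a compromised one forging sources, is dropped at the first hop instead of being sent upstream.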

Network Address Translation (NAT)

Destination NAT, Source NAT, NAT traversal


NAT Types

As there are two IP addresses and two ports in an IP packet header (plus its TCP/UDP header), there are two types of NAT

The one which rewrites the source IP address and/or port is called source NAT (src-nat)

The other, which rewrites the destination IP address and/or port, is called destination NAT (dst-nat)

Firewall NAT rules process only the first packet of each connection (connection-state “new” packets); the translation is then stored in the conntrack entry and applied to the rest of the connection


Firewall NAT Structure

Firewall NAT rules are organized in chains

There are two default chains:

dstnat – processes traffic sent to and through the router, before it divides into the “input” and “forward” chains of the firewall filter

srcnat – processes traffic sent from and through the router, after it merges from the “output” and “forward” chains of the firewall filter

There are also user-defined chains

IP Firewall Diagram (diagram)

Dst-nat

Action “dst-nat” changes the packet's destination address and port to the specified address and port

This action can take place only in chain dstnat

Typical application: ensure access to local network services from the public network (port forwarding)

Dst-nat Rule Example (diagram)

Redirect

Action “redirect” changes the packet's destination address to the router's own address and the specified port

This action can take place only in chain dstnat

Typical application: transparent proxying of network services (DNS, HTTP)

Redirect Rule Example (diagram)

Redirect Lab

Redirect Lab

Capture all TCP and UDP port 53 packets originating from your private network 192.168.XY.0/24 and redirect them to the router itself.

Set your laptop's DNS server to a random IP address

Clear your router's and your browser's DNS cache

Try browsing the Internet

Take a look at the DNS cache of the router

Dst-nat Lab

Capture all TCP port 80 (HTTP) packets originating from your private network 192.168.XY.0/24 and change the destination address to 10.1.2.1 using a dst-nat rule

Clear your browser's cache on the laptop

Try browsing the Internet
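The Redirect and Dst-nat labs as rules, followed by the port-forwarding form the dst-nat slide calls the typical application, with the two checks a port forward needs (match only on the public interface and address; open the forward chain for the translated destination). Added example, not course material. It assumes the LAN is 192.168.12.0/24 on ether1, the public address is 10.1.1.12 on wlan1, and a LAN web server sits at 192.168.12.10.

```routeros
# Redirect and dst-nat labs (added example, not course material).
# Assumed: LAN 192.168.12.0/24 on ether1, public 10.1.1.12 on wlan1,
# LAN web server at 192.168.12.10.

# Redirect lab: every DNS query from the LAN lands on the router's own cache,
# whatever server the laptop was told to use. Transparent for the client, and
# it also stops clients from bypassing the local resolver.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=53 action=redirect to-ports=53 comment="force local DNS"
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=53 action=redirect to-ports=53 comment="force local DNS (TCP)"
/ip dns cache flush
# ... browse from the laptop, then watch the cache fill:
/ip dns cache print

# Dst-nat lab: all HTTP from the LAN is steered to 10.1.2.1
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.1.2.1 to-ports=80 comment="lab: all HTTP to 10.1.2.1"

# Typical use: publish a LAN server. Only the first packet of a connection is
# translated; the rest follow the conntrack entry. Match the public interface
# and the public address, otherwise LAN clients hitting 10.1.1.12:8080 (or any
# other address) are forwarded as well.
/ip firewall nat add chain=dstnat in-interface=wlan1 dst-address=10.1.1.12 protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.12.10 to-ports=80 comment="publish LAN web server"

# A NAT rule does not open the firewall. The forward chain sees the packet
# after translation, so if that chain ends in a drop it must accept the new
# connection to the *internal* address and port.
/ip firewall filter add chain=forward in-interface=wlan1 dst-address=192.168.12.10 protocol=tcp dst-port=80 connection-state=new action=accept comment="allow published web server"

# Confirm the translation on a live connection: dst 10.1.1.12:8080, reply-src 192.168.12.10:80
/ip firewall connection print
```

The lab's "all HTTP to 10.1.2.1" rule and the published-server rule can coexist only because they match different interfaces; remove the lab rule before relying on the port forward, or LAN clients will never reach the real server.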


Universal Plug and Play

RouterOS allows you to enable UPnP support on the router.

UPnP allows clients to establish bidirectional connectivity even when they are behind NAT; the client must have UPnP support

There are two interface types for a UPnP-enabled router: internal (the one local clients are connected to) and external (the one the Internet is connected to)

Any host on the internal interface can ask the router to open inbound ports, without authentication; enable UPnP only where every client on that interface is trusted

UPnP (diagram)

Source NAT Drawbacks

Hosts behind a NAT-enabled router do not have true end-to-end connectivity:

connection initiation from outside is not possible

some TCP services will work only in “passive” mode

src-nat behind several IP addresses is unpredictable

some protocols require so-called NAT helpers to work correctly (NAT traversal)

NAT Helpers

You can specify the ports for the existing NAT helpers, but you cannot add new helpers

Src-nat Lab

You have been assigned one “public” IP address 172.16.0.XY/32

Assign it to the wireless interface

Add a src-nat rule to “hide” your private network 192.168.XY.0/24 behind the “public” address

Connect from your laptop using Winbox, SSH or telnet via your router to the main gateway 10.1.1.254

Check the IP address you are connecting from (use “/user active print” on the main gateway)
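The Src-nat lab as commands, with the masquerade alternative beside it and the NAT-helper settings from the previous slides. Added example, not course material. It assumes the LAN is 192.168.12.0/24, the assigned “public” address is 172.16.0.12/32 on wlan1, and an FTP server on the LAN that listens on port 2121.

```routeros
# Src-nat lab and NAT helpers (added example, not course material).
# Assumed: LAN 192.168.12.0/24, "public" 172.16.0.12/32 on wlan1,
# a LAN FTP server listening on port 2121.

/ip address add address=172.16.0.12/32 interface=wlan1

# Fixed public address: use src-nat. The translated source is explicit and
# stays the same even when a second address appears on wlan1 (which is what
# makes "src-nat behind several IP addresses" unpredictable with masquerade).
/ip firewall nat add chain=srcnat src-address=192.168.12.0/24 out-interface=wlan1 action=src-nat to-addresses=172.16.0.12 comment="hide LAN behind 172.16.0.12"

# masquerade is the same translation, but it picks the out-interface's current
# address at run time; use it only when that address is dynamic (DHCP, PPPoE):
#   /ip firewall nat add chain=srcnat src-address=192.168.12.0/24 out-interface=wlan1 action=masquerade

# Verify locally: the connection entry shows reply-dst 172.16.0.12, not 192.168.12.x
/ip firewall connection print
# ... and on the main gateway the session appears from 172.16.0.12:
#   [admin@gateway] > /user active print

# NAT helpers are built in, one per protocol. You cannot add one, but you can
# tell an existing helper which ports to watch, and you can switch off the
# ones you do not need: every enabled helper parses application payload.
/ip firewall service-port print
/ip firewall service-port set ftp ports=2121 comment="LAN FTP server listens on 2121"
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set tftp disabled=yes
```

With the FTP helper pointed at 2121, active-mode data connections for that server are tracked as `related` and pass the state rules; with it disabled they would show up as `new` and be treated like any other inbound connection.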

Firewall Mangle

IP packet marking and IP header field adjustment

What is Mangle?

The mangle facility allows IP packets to be marked with special marks.

These marks are used by other router facilities, like routing and bandwidth management, to identify the packets.

Additionally, the mangle facility is used to modify some fields in the IP header, like the TOS (DSCP) and TTL fields.

Mangle Structure

Mangle rules are organized in chains

There are five built-in chains:

Prerouting – marking before the Global-In queue

Postrouting – marking before the Global-Out queue

Input – marking before the Input filter

Output – marking before the Output filter

Forward – marking before the Forward filter

New user-defined chains can be added as necessary

Mangle and Queue Diagram (simple)

Marking Connections

Use mark-connection to identify one connection, or a group of connections, with a specific connection mark

Connection marks are stored in the connection tracking table

There can be only one connection mark for one connection.

Connection tracking helps to associate each packet with a specific connection (connection mark)

Mark Connection Rule (diagram)

Marking Packets

Packets can be marked:

Indirectly, using the connection tracking facility, based on previously created connection marks (faster: the match is a lookup of the existing conntrack entry)

Directly, without connection tracking – no connection marks necessary; the router compares each packet to the given conditions (this process imitates some of the connection tracking features)

Mark Packet Rule (diagram)

Mangle Packet Mark Lab

Mark all connections from 192.168.XY.100

address (imaginary VIP 1)

Mark all packets from VIP 1 connections

Mark all connections from 192.168.XY.200

address (imaginary VIP 2)

Mark all packets from VIP 2 connections

Mark all other connections

Mark packets from all other connections
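A mangle configuration that carries out the six lab steps above, added here as an example and not taken from the course. It assumes RouterOS v5/v6 CLI syntax and the lab subnet 192.168.XY.0/24 (replace XY with your router number); the mark names vip1_conn, vip1_pkt and so on are chosen for this example.

```routeros
# Added example, not from the course slides. Assumes RouterOS v5/v6 syntax;
# replace XY with your lab router number. Mark names are arbitrary.
/ip firewall mangle
# VIP 1: mark the connection once (connection-mark=no-mark avoids re-marking
# every packet of an already marked connection), then mark all of its packets
add chain=prerouting src-address=192.168.XY.100 connection-mark=no-mark \
    action=mark-connection new-connection-mark=vip1_conn passthrough=yes \
    comment="VIP 1 connections"
add chain=prerouting connection-mark=vip1_conn \
    action=mark-packet new-packet-mark=vip1_pkt passthrough=no \
    comment="VIP 1 packets (both directions, via conntrack)"
# VIP 2: the same pair of rules
add chain=prerouting src-address=192.168.XY.200 connection-mark=no-mark \
    action=mark-connection new-connection-mark=vip2_conn passthrough=yes \
    comment="VIP 2 connections"
add chain=prerouting connection-mark=vip2_conn \
    action=mark-packet new-packet-mark=vip2_pkt passthrough=no \
    comment="VIP 2 packets"
# Everyone else: only connections that still carry no mark reach this rule,
# so it must stay below the VIP rules (rule order is everything in mangle)
add chain=prerouting connection-mark=no-mark \
    action=mark-connection new-connection-mark=other_conn passthrough=yes \
    comment="all other connections"
add chain=prerouting connection-mark=other_conn \
    action=mark-packet new-packet-mark=other_pkt passthrough=no \
    comment="all other packets"
# passthrough=yes on mark-connection lets the packet fall through to the
# mark-packet rule; passthrough=no on mark-packet stops further mangle work.
```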

Mangle View


HTB

All Quality of Service implementation in RouterOS is based on Hierarchical Token Bucket (HTB)

HTB allows you to create a hierarchical queue structure and determine the relations between parent and child queues and between the child queues themselves

RouterOS supports 3 virtual HTBs (global-in, global-total, global-out) and one more just before every interface

Mangle and HTBs


HTB (cont.)

When a packet travels through the router, it passes all 4 HTB trees

When a packet travels to the router, it passes only the global-in and global-total HTBs

When a packet travels from the router, it passes the global-out, global-total and interface HTBs

HTB Features - Structure

As soon as a queue has at least one child, it becomes a parent queue

All child queues (no matter how many levels of parents they have) are on the same bottom level of the HTB

Child queues make the actual traffic consumption; parent queues are responsible only for traffic distribution

Child queues are not able to get more traffic than the parent has

HTB Features - Structure


HTB Features – Dual Limitation

HTB has two rate limits:

CIR (Committed Information Rate) – in the worst case scenario a flow will get its limit-at no matter what (assuming we can actually send that much data)

MIR (Maximal Information Rate) – in the best case scenario a flow can get up to max-limit if there is spare bandwidth

At first HTB will try to satisfy every child queue's CIR (limit-at) – only then will it try to reach the MIR (max-limit)

Dual Limitation

The maximal rate of the parent must be equal to or bigger than the sum of the committed rates of the children:

MIR(parent) ≥ CIR(child1) + ... + CIR(childN)

The maximal rate of any child must be less than or equal to the maximal rate of the parent:

MIR(parent) ≥ MIR(child1)

MIR(parent) ≥ MIR(child2)

MIR(parent) ≥ MIR(childN)

HTB Distribution (limit-at)


HTB Distribution (max-limit)


HTB Distribution


HTB Features - Priority


Works only for child queues, to arrange them

8 is the lowest priority, 1 is the highest

A queue with higher priority will reach its CIR before a queue with lower priority

A queue with higher priority will reach its MIR before a queue with lower priority

Actual traffic prioritization will work only if limit-at and max-limit are specified (not 0)

HTB Distribution (priority)


Queue Tree

Advanced queue structures

Queue tree is a direct implementation of HTB

Each queue in the queue tree can be assigned to only one HTB

Each child queue must have a packet mark assigned to it

Queue Tree and Simple Queues


A tree queue can be placed in 4 different places:

Global-in (the “direct” part of simple queues is placed here automatically)

Global-out (the “reverse” part of simple queues is placed here automatically)

Global-total (the “total” part of simple queues is placed here automatically)

Interface queue

If placed in the same place, a Simple queue will take traffic before the Queue Tree

HTB Lab


Create the Queue tree from the example

Extend the mangle and queue tree configuration to prioritize ICMP and HTTP traffic over all other traffic, only for regular clients

Replace the regular client packet mark with 3 traffic type specific marks

Create 3 child queues for the regular client queue in the queue tree

Assign packet marks to the queues

(optional) Create the same queue tree for client upload

HTB Lab (cont.)


Consume all the available bandwidth using bandwidth-test (through the router) and check the ping response times

Set the highest priority to ICMP

Check the ping response times again
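An added example (not the course's own configuration) that carries the HTB lab through and at the same time illustrates the dual-limitation rules (MIR(parent) ≥ ΣCIR(children), MIR(child) ≤ MIR(parent)) and the priority slide: it splits the regular-client packet mark into ICMP, HTTP and other marks and builds a download queue tree around them. It assumes the connection marks vip1_conn, vip2_conn and other_conn from the mangle lab, a 10M downlink, and RouterOS v5 syntax with parent=global-out (on v6 the three virtual HTBs are merged into parent=global).

```routeros
# Added example, not from the course. Assumes connection marks vip1_conn,
# vip2_conn, other_conn already exist (mangle lab), a 10M download pipe,
# and RouterOS v5 (parent=global-out; on v6 use parent=global).
/ip firewall mangle
# Regular clients: three traffic-type packet marks instead of one.
# These rules must sit ABOVE the generic "other_pkt" mark-packet rule.
add chain=prerouting connection-mark=other_conn protocol=icmp \
    action=mark-packet new-packet-mark=other_icmp passthrough=no
add chain=prerouting connection-mark=other_conn protocol=tcp port=80 \
    action=mark-packet new-packet-mark=other_http passthrough=no
add chain=prerouting connection-mark=other_conn \
    action=mark-packet new-packet-mark=other_rest passthrough=no
/queue tree
# Parent: only distributes; its max-limit is the real downlink (MIR parent = 10M)
add name=download parent=global-out max-limit=10M
# VIP leaves. Sum of limit-at on this level: 2M + 2M + 3M = 7M <= 10M
add name=vip1 parent=download packet-mark=vip1_pkt \
    limit-at=2M max-limit=10M priority=1
add name=vip2 parent=download packet-mark=vip2_pkt \
    limit-at=2M max-limit=10M priority=1
# Inner queue for regular clients: no packet-mark, priority has no effect here,
# and its max-limit (6M) never exceeds the parent's (10M)
add name=regular parent=download limit-at=3M max-limit=6M
# Children of "regular": ICMP first (ping stays responsive under load),
# then HTTP, then everything else. Their limit-at sum (~2.1M) <= 6M.
add name=regular-icmp parent=regular packet-mark=other_icmp \
    limit-at=64k max-limit=6M priority=2
add name=regular-http parent=regular packet-mark=other_http \
    limit-at=1M max-limit=6M priority=3
add name=Other-download parent=regular packet-mark=other_rest \
    limit-at=1M max-limit=6M priority=8
# Priorities only take effect because every leaf has both limit-at and
# max-limit set (non-zero), as the priority slide requires.
```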

Medium Size ISP

Situation: your network is growing rapidly and now offers public IPs to the customers

Requirements:
● Transfer all old clients from local addresses to public ones
● Increase HTTP browsing performance

NAT Action “Netmap”

Can be used in both (srcnat and dstnat) chains

Allows you to create address-range to address-range NATing with only one rule

It is possible to masquerade 192.168.0.3-192.168.0.103 (100 addresses) to 88.188.32.3-88.188.32.103 with only one rule

It is possible to redirect 88.188.32.3-88.188.32.103 (100 addresses) to 192.168.0.3-192.168.0.103 with a second rule

NAT Action “same”

Can be used in both (srcnat and dstnat) chains

Ensures that a client will be NAT'ed to the same address from the specified range every time it tries to communicate with a destination that was used before

If a client got 88.188.32.104 from the range when it communicated with a particular server, every next time it communicates with this server it will use the same address

QoS Feature “Burst”

Burst is one of the best ways to increase HTTP performance

Bursts are used to allow higher data rates for a short period of time

If the average data rate is less than burst-threshold, burst can be used (the actual data rate can reach burst-limit)

The average data rate is calculated from the last burst-time seconds

Burst - Average Data Rate

The average data rate is calculated as follows:

burst-time is divided into 16 periods

the router calculates the average data rate of each class over these small periods

Note that the actual burst period is not equal to the burst-time. It can be several times shorter than the burst-time depending on the max-limit, burst-limit, burst-threshold and the actual data rate history (see the graph example on the next slide)
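The three "Medium Size ISP" answers (netmap, same, burst) as one added configuration example that is not from the course. It uses the address ranges from the netmap slide, assumes a second subnet 192.168.1.0/24 for the "same" rule and a public pool 88.188.32.104-110 (both made up for this example), and RouterOS v5 simple-queue syntax (target-addresses=; on v6 the parameter is target=); the comment on the burst queue works the 16-period average through for the chosen values.

```routeros
# Added example, not from the course. Assumes RouterOS v5 simple-queue syntax
# (target-addresses=; on v6 the parameter is target=) and the address ranges
# from the netmap slide; 192.168.1.0/24 and 88.188.32.104-110 are made up.
/ip firewall nat
# Netmap: 1:1 mapping of the 192.168.0.3-103 block onto 88.188.32.3-103,
# one rule per direction instead of one rule per address
add chain=srcnat src-address=192.168.0.3-192.168.0.103 action=netmap \
    to-addresses=88.188.32.3-88.188.32.103 comment="old clients out"
add chain=dstnat dst-address=88.188.32.3-88.188.32.103 action=netmap \
    to-addresses=192.168.0.3-192.168.0.103 comment="public in"
# The dstnat half makes every mapped client reachable from the Internet, so
# the forward chain must still filter what is allowed to reach 192.168.0.x.
# "same": clients outside the mapped block share a small public pool but
# keep one public address per destination server (e.g. 88.188.32.104)
add chain=srcnat src-address=192.168.1.0/24 action=same \
    to-addresses=88.188.32.104-88.188.32.110 comment="new clients, sticky"
/queue simple
# Burst for HTTP: steady 1M, up to 2M while the 16s average stays under 1M.
# Starting from idle: average = 2M * t / 16s reaches the 1M threshold at
# t = 8s, so the actual burst lasts 8s, half of burst-time.
add name=client-3 target-addresses=192.168.0.3/32 max-limit=1M/1M \
    burst-limit=2M/2M burst-threshold=1M/1M burst-time=16s/16s
```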

Limitation with Burst


Web-Proxy

Web-proxy has 3 major features:

HTTP and FTP traffic caching

DNS name filtering

DNS redirection

Web-proxy has two operation modes:

Regular – the browser must be configured to use this proxy

Transparent – the proxy is not visible to customers; NAT rules must be applied

Web-Proxy Caching

No caching: max-cache-size = none

Cache to RAM: max-cache-size ≠ none, cache-on-disk = no

Cache to HDD: max-cache-size ≠ none, cache-on-disk = yes (cache drive)

Web-Proxy Options

Maximal-client-connections – number of connections accepted from clients

Maximal-server-connections – number of connections made by the server

Web-Proxy Options

Serialize-connections – use only one connection for proxy and server communication (if the server supports persistent HTTP connections)

Always-from-cache – ignore client refresh requests if the cached content is considered fresh

Max-fresh-time – specifies how long objects without an explicit expiry time will be considered fresh

Cache-hit-DSCP – specifies the DSCP value for all packets generated from the web-proxy cache

Web-Proxy Statistics


Proxy Rule Lists

Web-proxy supports 3 sets of rules for HTTP request filtering:

Access List – dictates the policy whether to allow a specific HTTP request or not

Direct Access List – works only if parent-proxy is specified – dictates the policy whether to bypass the parent proxy for a specific HTTP request or not

Cache List – dictates the policy whether a specific HTTP request is allowed to be cached or not

Proxy Rules

It is possible to intercept HTTP requests based on:

TCP/IP information

URL

HTTP method

The access list also allows you to redirect denied requests to a specific page

URL Filtering

Example URL: http://www.mikrotik.com/docs/ros/2.9/graphics:packet_flow31.jpg (destination host: www.mikrotik.com; destination path: /docs/ros/2.9/graphics:packet_flow31.jpg)

Special characters

“*” - any number of any characters

“?” - any character

Examples: www.mi?roti?.com, www.mikrotik*, *mikrotik*

Regular Expressions

Place “:” at the beginning to enable regular expression mode

“^” - shows that no symbols are allowed before the given pattern

“$” - shows that no symbols are allowed after the given pattern

“[....]” - a character class matches a single character out of all the possibilities offered by the character class

\ (backslash) followed by any of [\^$.|?*+() suppresses their special meaning

Web-Proxy Lab

The teacher will have a proxy that redirects all requests to a separate web page on 10.1.1.254

Enable transparent web-proxy on your router with caching to memory

Create rules in the access list to check its functionality

Create rules in the direct access list to check its functionality

Create rules in the cache list to check its functionality
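One way to do the web-proxy lab, added here as an example and not the course's configuration: a transparent proxy cached to RAM, the NAT redirect that feeds it, and one rule in each of the three lists using the wildcard and regex syntax from the URL filtering slides. It assumes the LAN is on ether2 and the Internet on ether1, and treats the teacher's proxy at 10.1.1.254 as the parent proxy so that the direct access list has something to act on; the blocked path patterns are made up.

```routeros
# Added example, not from the course. Assumes RouterOS v5/v6, LAN on ether2,
# Internet on ether1, and the teacher's proxy/web page at 10.1.1.254.
/ip proxy
set enabled=yes port=8080 max-cache-size=unlimited cache-on-disk=no \
    parent-proxy=10.1.1.254 parent-proxy-port=8080
# Transparent mode: LAN web traffic is redirected into the proxy by NAT
/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"
# A proxy reachable from the Internet is an open proxy: block it on ether1
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop \
    comment="proxy is for LAN only"
/ip proxy access
# Wildcards: ? = one character, * = any run of characters (\? keeps the
# console from treating ? as a help request)
add dst-host="www.mi\?roti\?.com" action=allow comment="wildcard host match"
# Regular expression (leading ':'), anchored with ^ and $ on the path;
# \\ and \$ are RouterOS string escapes for a literal \ and $
add path=":^.*\\.(exe|scr)\$" action=deny redirect-to=10.1.1.254 \
    comment="regex: send executable downloads to the teacher's page"
# Method/port based: CONNECT only to 443, otherwise the proxy tunnels anything
add method=connect dst-port=!443 action=deny comment="no CONNECT tunnels"
# Everything not matched above is allowed
/ip proxy direct
# Only meaningful because parent-proxy is set: bypass it for the lab subnet
add dst-address=10.1.1.0/24 action=allow comment="go direct, not via parent"
/ip proxy cache
# Do not spend RAM on large video and image files
add path=*.mp4 action=deny
add path=*.iso action=deny
```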

Next problems

Problems:
● Sometimes you get unusually big traffic and packet counts going through or to your router
● Some of the regular clients use routers to share the connection with neighbours
● Some of the regular clients use HTTP port 80 for encrypted p2p traffic

Network Intrusion Types

Network intrusion is a serious security risk that could result not only in temporary denial but also in total refusal of network service

We can point out 4 major network intrusion types:

Ping flood

Port scan

DoS attack

DDoS attack

Ping Flood

A ping flood usually consists of volumes of random ICMP messages

With the “limit” condition it is possible to bound the rule match rate to a given limit

This condition is often used with the action “log”

ICMP Message Types

A typical IP router uses only five types of ICMP messages (type:code)

For PING – messages 0:0 and 8:0

For TRACEROUTE – messages 11:0 and 3:3

For Path MTU discovery – message 3:4

Other types of ICMP messages should be blocked

ICMP Message Rule Example


ICMP Flood Lab

Make a new chain – ICMP

Accept the 5 necessary ICMP messages

Set the match rate to 5 pps with a 5 packet burst possibility

Drop all other ICMP packets

Move all ICMP packets to the ICMP chain

Create an action “jump” rule in the chain Input

Place it accordingly

Create an action “jump” rule in the chain Forward

Place it accordingly
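The ICMP chain from the lab above, written out as an added example (not from the course): the five message types from the ICMP slide are accepted at 5 packets per second with a burst of 5, everything else is dropped, and the input and forward chains hand ICMP over to it. It assumes RouterOS v6 limit syntax (limit=rate,burst:packet); on the v3/v4 releases these slides were written for, the same parameter is written limit=5,5.

```routeros
# Added example, not from the course. Assumes RouterOS v6 limit syntax
# (limit=rate,burst:packet); on v3/v4 write limit=5,5 instead.
/ip firewall filter
# New chain "ICMP": accept the five message types a router needs,
# each at most 5 packets/s with a burst of 5, drop everything else
add chain=ICMP protocol=icmp icmp-options=0:0 limit=5,5:packet \
    action=accept comment="echo reply (ping)"
add chain=ICMP protocol=icmp icmp-options=8:0 limit=5,5:packet \
    action=accept comment="echo request (ping)"
add chain=ICMP protocol=icmp icmp-options=11:0 limit=5,5:packet \
    action=accept comment="time exceeded (traceroute)"
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5:packet \
    action=accept comment="port unreachable (traceroute)"
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5:packet \
    action=accept comment="fragmentation needed (path MTU discovery)"
add chain=ICMP protocol=icmp action=drop \
    comment="other types and anything over the rate limit"
# Hand all ICMP to the new chain; place both jump rules above any
# generic accept rule, otherwise the chain is never reached
add chain=input protocol=icmp action=jump jump-target=ICMP
add chain=forward protocol=icmp action=jump jump-target=ICMP
# Note: "limit" counts matches of the rule as a whole, so one flooding host
# can starve everyone's pings; dst-limit with a src-address classifier
# gives a per-source budget instead.
```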

Port Scan

A port scan is sequential TCP (UDP) port probing

PSD (Port scan detection) is possible only for the TCP protocol

Low ports: from 0 to 1023

High ports: from 1024 to 65535

PSD Lab

Create PSD protection

Create a PSD drop rule in the chain Input

Place it accordingly

Create a PSD drop rule in the chain Forward

Place it accordingly

DoS Attacks

The main target of DoS attacks is consumption of resources, such as CPU time or bandwidth, so that the standard services will get a Denial of Service (DoS)

Usually the router is flooded with TCP/SYN (connection request) packets, causing the server to respond with a TCP/SYN-ACK packet and wait for a TCP/ACK packet

Mostly DoS attackers are virus-infected customers

DoS Attack Protection

All IPs with more than 10 connections to the router should be considered DoS attackers

With every dropped TCP connection we would allow the attacker to create a new connection

We should implement DoS protection in 2 steps:

Detection – creating a list of DoS attackers on the basis of connection-limit

Suppression – applying restrictions to the detected DoS attackers

DoS Attack Detection


DoS Attack Suppression

To stop the attacker from creating new connections, we will use the action “tarpit”

We must place this rule before the detection rule, or else the address-list entry will be rewritten all the time
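The PSD lab and the two-step DoS protection (suppression placed before detection) as one added example that is not from the course. It assumes RouterOS v5/v6 syntax, keeps the course's lab threshold of 10 connections, uses RouterOS' own psd defaults, and names the address list dos-attackers; the SYN-cookie setting at the end is the conntrack option the DDoS slide refers to.

```routeros
# Added example, not from the course. Assumes RouterOS v5/v6; thresholds are
# the course's lab value (10 connections) and RouterOS' psd defaults.
/ip firewall filter
# Port scan detection, TCP only. psd=weight,delay,low-port-weight,high-port-weight
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="PSD input"
add chain=forward protocol=tcp psd=21,3s,3,1 action=drop comment="PSD forward"
# DoS suppression FIRST: already listed sources are tarpitted (the router
# answers the SYN but never lets the connection proceed, tying the attacker up)
add chain=input protocol=tcp connection-state=new \
    src-address-list=dos-attackers action=tarpit comment="DoS suppression"
# DoS detection SECOND: more than 10 connections from one /32 put it on the
# list for a day. If this rule came first, every further packet would match
# it again and refresh the entry, so the timeout would never run out.
add chain=input protocol=tcp connection-limit=10,32 \
    action=add-src-to-address-list address-list=dos-attackers \
    address-list-timeout=1d comment="DoS detection"
# 10 is a lab value: a single browser or a NATed customer router opens more
# connections than that, so tune the limit before using it on customers.
# DDoS: the rules above do not help against many sources; SYN cookies let
# conntrack survive a SYN flood without keeping state per half-open connection.
/ip firewall connection tracking
set tcp-syncookie=yes
```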

DDoS attacks

A Distributed Denial of Service attack is very similar to a DoS attack, only it occurs from multiple compromised systems

The only thing that could help is the “TCP SynCookie” option in the conntrack system

Mangle Action “change-ttl”

TTL is the limit on the number of Layer 3 devices an IP packet can pass through before it should be discarded

The TTL default value is 64, and each router reduces the value by one just before the forwarding decision

A router will not pass traffic to the next device if it receives an IP packet with TTL=1

Useful application: eliminate the possibility for clients to create masqueraded networks

Changing TTL


Queue Types

RouterOS has 4 queue types:

FIFO – First In First Out (for Bytes or for Packets)

RED – Random Early Detect (or Drop)

SFQ – Stochastic Fairness Queuing

PCQ – Per Connection Queuing (MikroTik proprietary)

Each queue type has 2 aspects:

Aspect of the Scheduler

Aspect of the Shaper

100% Shaper 


100% Scheduler 


Default Queue Types


FIFO

Behaviour:

What comes in first is handled first; what comes in next waits until the first is finished. The number of waiting units (Packets or Bytes) is limited by the “queue size” option. If the queue is full, the next units are dropped


RED

Behaviour:

Same as FIFO with an additional feature – a drop probability even if the queue is not full. This probability is based on a comparison of the average queue length over some period of time to the minimal and maximal thresholds – the closer to the maximal threshold, the bigger the chance of a drop.


SFQ

Behaviour:

Based on a hash value from the source and destination address, SFQ divides traffic into 1024 sub-streams

Then a Round Robin algorithm distributes an equal amount of traffic to each sub-stream

PCQ

Behaviour:

Based on the classifier, PCQ divides traffic into sub-streams. Each sub-stream can be considered a FIFO queue with the queue size specified by the “limit” option

After this, PCQ can be considered a FIFO queue where the queue size is specified by the “total-limit” option.


SFQ Example

SFQ should be used for equalizing similar connections

Usually used to manage information flow to or from servers, so they can offer services to every customer

Ideal for p2p limitation: it is possible to place a strict limitation without dropping connections


Queue Type Lab

Try all queue types on the “Other-download” queue in your queue tree. Use bandwidth-test to check it.

Adjust your QoS structure with the proper queue type

Create a packet mark for all p2p traffic and create an SFQ queue for it

Change the HTTP queue type to PCQ
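The queue type lab as an added example (not from the course): a PCQ type for the HTTP queue, an SFQ type for a new p2p queue, and the mangle rule that feeds it. It assumes the queue tree from the HTB lab (parent "regular", leaves "Other-download" and "regular-http"), the connection mark other_conn, and the RouterOS v5 generation of these slides, where pcq-limit and pcq-total-limit are counted in packets (v6 counts them in KiB) and the mangle p2p matcher still exists.

```routeros
# Added example, not from the course. Assumes the queue tree from the HTB lab
# (parent "regular", leaves "Other-download" and "regular-http"), connection
# mark other_conn, and RouterOS v5 (pcq-limit in packets; KiB on v6).
/queue type
# PCQ for HTTP downloads: one FIFO of 50 packets per destination address,
# 2000 packets in total; the shaper shares the parent's bandwidth equally
# between the active clients (pcq-rate=0 = no fixed per-client rate)
add name=pcq-http-down kind=pcq pcq-classifier=dst-address \
    pcq-rate=0 pcq-limit=50 pcq-total-limit=2000
# SFQ for p2p: traffic is hashed into 1024 sub-streams served round-robin,
# so a strict max-limit slows every peer a little instead of dropping whole
# connections. The hash is re-seeded every 5s (sfq-perturb).
add name=sfq-p2p kind=sfq sfq-perturb=5 sfq-allot=1514
/ip firewall mangle
# Packet mark for p2p; insert it above the generic other_rest mark-packet rule.
# The classic p2p matcher only recognises unencrypted protocols, which is
# exactly why the "port 80 encrypted p2p" problem on the slide needs more
# than this one rule.
add chain=prerouting connection-mark=other_conn p2p=all-p2p \
    action=mark-packet new-packet-mark=other_p2p passthrough=no
/queue tree
add name=regular-p2p parent=regular packet-mark=other_p2p \
    limit-at=256k max-limit=1M priority=8 queue=sfq-p2p
set [find name="regular-http"] queue=pcq-http-down
# Try the other kinds on Other-download one by one and compare bandwidth-test,
# e.g. set [find name="Other-download"] queue=default   (the built-in pfifo)
```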