I am launching a Blacklist service for MikroTik Routers called MOAB.-- the service costs US $60 per year and payable via PayPal.
I am offering 20 users from the MikroTik community a chance to try out this service free of charge up to September 30, 2018
If you want to be part of this free trial period please contact me via email at mozerd@itexpertoncall.com – the prerequisites.
You can learn about MOAB here
Pokornik, I am not able to respond to your request because your address has been identified as a spammer by sorbs.net
FYI, so far 8 users have subscribed to the Free Trial period that expires on September 30 2018, so only 12 spots still available.
As of today August 6, 2018 12 users have signed up for the free trial period that expires on September 30, 2018
So I have 8 remaing slots open.
If you have any Questions I will be happy to answer in THIS thread.
A number of users have contacted me via email and requested that I make the prerequisites a little clearer to under stand. I now have done that so please check the link again. and thanks to ALL for the feedback. Updated Prerequisites
Sorry but I can’t help myself not to ask couple of questions:
Can you clear up a little bit how does user/owner of router handle security - i.e. limiting your RSC to not create new users, open ports etc? Downloading 3rd party RSC can cause unpredictable and serious issues as it can completely rule the device.
If it is really just blacklist, you can distribute it as txt/csv list of addresses. Everyone can easily create script to download and implement the list on scheduled basis. That way, every user knows exactly what the script does and there is guarantee that it will not do anything else because it is not capable of anything else.
I can see that you offer for example hAP ac^2 as “capable router firewall appliance”. What performance impact can be expected on such device after you add those 600 million IPs into? are there some test results based on clearly defined scenario which can be replicated by everyone so we can confirm those numbers?
If it is really just blacklist, you can distribute it as txt/csv list of addresses
Then they can post it on the web, so that others don’t need to pay.
But yeah, I think there should be some other way to distribute config. TR-069? Fetch?
A blocklist for MikroTik should be distributed using DNS address lists.
There are two limitations that limit that method:
when the blocklist contains subnets, there is no efficient method to transfer them.
solution: MikroTik should lookup TXT records besides A records, and when they are valid textual subnet notation, load them.
like: IN TXT 192.168.0.0/24
the number of DNS entries returned is limited too much. I think the limit is in the built-in DNS resolver which has a limit on reply size.
(the actual number of addresses varies depending on the length of the DNS name used to query them)
I hope MikroTik addresses these limitations so it will be easier to manage address lists on many routers.
The idea of a update list of blackholes is interesting!
Can I use updatable lists through an external BGP routing server?
The inverse principle! Works quite reliably!
https://habr.com/post/354282/
It is possible, but it is quite impractical because you need another step to transfer the information from the
routing table maintained by BGP to a place where you can actually use it, i.e. an address list.
Maybe another useful feature suggestion: an address-list item that refers to a routing-table name, and that
automatically gets loaded by all addresses that appear in that routing table.
Another problem is that a BGP association is always 2-way so you both need to set the address of the central
server providing the information AND in the central server YOUR IP address has to be configured. That is a
problem when your IP address is not static. This could be overcome by setting up a VPN that allows a dynamic
client address (L2TP/IPsec, SSTP, OpenVPN) but that adds yet another layer of complexity.
/watching
Interested to see feedback from those using this.
Thanks for the excellent questions.
MOAB is derived ffrom FireHOL, which I make clear in my advertising – you can check it out at here
[EDIT] I did fail to mention that I do have ONE user located in Northern Europe who supports a large number of CCR’s in the field who is using MOAB [for the last 2 months] all of them supporting several thousand users . I just requested that he come here and post his experiences but – so far – he has declined to do so and he requested that I be vague so I cannot state exactly where he is located. He could very easily run his own blacklist mechanism and is well aware of FireHOL as many others are – he got a significant discount based on his number of routers – he chose to subscribe and so far he seems very pleased – no one in his group is complaining of any performance issue attributed to MOAB.
I was wondering who will come with this idea 
Well, this is common issue for all services - to make sure that users will not share the product. In this case, it simply can’t be done. If users can manage the router, then they have access to those rules and they can export it and share it. RSC can’t protect it at all.
For example Snort.org have nice approach with giving some basic list of rules for free and limiting better up-to-date list for subscribed users.
Though, i still dont think it is good idea to simply block so many IP addresses. Chance of false-positive is too high and it will end up similarly to sorbs.net - easy to get in, hard to get out, legit services blocked, nobody to blame…
@mozerd:
Thanks for reply! I really appreciate it.
I have no doubt that your intentions are pure and you don’t plan to hack your customers, however, some man-in-the-middle or even angry employee can feel different about this. We unfortunately don’t live in perfect world and attacks are happening. It would be quite sad to inadvertently help attackers while you are trying to stop them, just because your script had too much access.
I see. If you ever get any benchmark (simple iperf test with {transmitter}–{device under test}—{receiver} layout would be great), let us know. Or - if you want - I am willing to do this and share my findings. I understand you offered free trial for local users. I am not really interested in full-blown subscription or even prolonged trial, but if it helps, I can simply dedicate one of my testing routers and try it for couple of days and then give you the trial licence back. Let me know If this sounds interesting. If yes, I will send the request via email.
Anyway, I wish you and your business all best. Hopefully, you will encounter any security issues 
Yes I am interested – please do send in your request based on the MOAB Prerequisite’s – I appreciate your participation.and look forward to the results of your testing.
Of course it has zero functionality. Block some people because they appear to have bad intentions, and as a result block some legitimate users and still allow a lot of people with really bad intentions into your system because they happen to be not (yet) on the list.
However, I am interested in general mechanisms to manage large address lists under RouterOS, hence my additions to the topic.
Hopefully some method will become available that works better than importing a .rsc file. Preferably a DNS based address list
“without” limits (or more reasonable limits).
Great concept!!
Much thanks and have been using it with no issues.
When I first started out on my hex, on my own, I found some available firehol lists… and started reading about spamhouse, dshield, malcode. country lists and other lists.
They would all pump out files to use.
Then I came accross Josh Haven…
http://joshaven.com/resources/tricks/mikrotik-automatically-updated-address-list/
Wow, a resource that looked at some major lists (not countries though) and provided them in almost a ready to use format.
There are lots of efforts and scripts out there, so dont bash the author and try the alternatives as they may work for you.
http://forum.mikrotik.com/t/spamhaus-dshield-malc0de-openbl-malicious-ip-blacklists/94634/1 (dated 2016)
http://forum.mikrotik.com/t/blacklist-filter-development-topic/121264/1 (Dave is working on this one, based on an older effort and may hold some promise but does speak to the challenges of setting this up properly and it takes time and money).
In summary, if someone one wants to provide a stable, server based, blacklist for free that is tailored to ones equipment and seems to grab the best of whats available out there, then I and many others would be very grateful. (Normis, seems almost ready to volunteer, seeing as it so easy… )
In the meantime I will continue to use the service here that is so low cost - less than what I pay for coffee at Tim Hortons in a month. Since its not tied to a service offering that could disappear at any time (josh) and one that is more complete, and is supported by someone who is looking after many clients (responsible individual) and is not in the business of increasing their security risk (plus being Canadian lol). I am not worried about such issues. I am more concerned about a gazillion other sites to which I use for transactions and mikrotik for their next security blunder LOL.
I am also investigating another avenue, which purports to access ‘closed’ lists and does layer 7 programming and targets TOR nodes.
You get what you pay for though as it is also not free. Seems very good so far.
https://axiomcyber.com/shield/
FYI update – I still have 7 slots open for the Free Trial Period that expires September 30, 2018
If you want to participate in the free trial then PLEASE review the MOAB prerequisites link and send me an email with the information requested. If you have any questions post them here. My email address is found in the first opening post of this thread.
Hi,
I finally had chance to test the service and I must say, that performance impact on hAP ac^2 was negligible.
All tests were done with iperf in ubuntu. I used TCP connection and default window sizes (512k) and always performed 2 tests - one with “-r” param for separate RX/TX testing, second with “-d” param for duplex test where RX and TX was tested at the same time.
Directly connected computers:
In following tests, TX means LAN → NAT → WAN , RX means WAN → NAT → LAN
Defconf without fasttrack:
Defconf with fasttrack:
MOAB without fasttrack:
MOAB with fasttrack:
I am aware that my computers were probably not strong enough to handle full gigabit of iperf traffic. Unfortunately, I couldn’t do better.
Anyway, as you can see, hAP ac^2 handles the list really well. Especially when you have fasttrack enabled, there is literary no difference between defconf and MOAB. Without fasttrack MOAB cause approximately 50Mbit of speed reduction against defconf. This will obviously be noticeable only if your router is already bottleneck and your connection is faster than your router can handle.
Couple of other things I noticed:
Finally, I would like to thank Mozerd for providing free trial so I was able to do the test.