
 
denke
just joined
Topic Author
Posts: 20
Joined: Sun Jun 27, 2010 12:49 pm
Reputation: 0
Location: Hungary

DDoS force from Mikrotik devices

Fri Feb 17, 2017 8:34 pm

Dear Mikrotik!

There is a lot of talk about mitigating DDoS attacks with mikrotik routers, but Mikrotik could help by preventing DDoS attackers from using Mikrotik devices as a tool to attack.

Yesterday a multi-gigabit DNS attack was used against our company, or one of our clients (we cannot be certain of the actual force, or the intended target).
We were curious what devices were used against us to reflect / amplify the attack, and started digging.
There were many thousands of different addresses from all over the net, so we checked a hundred at random.
Much to our surprise we found that 74 of them responded with a mikrotik webfig page (and different routeros versions).

It seems that someone is using a rather sizable fleet of mikrotik routers to reflect and amplify DNS attacks.

I know, that this is the user's fault.
I know that by default (defconf removed), the DNS server is disabled, and I know that if it is enabled, then it should be protected too.
BUT, I also think that Mikrotik should introduce a way to limit the source of the served remote DNS requests right from the IP->DNS panel, either by interface or by ip range constraints. (like you can do this in IP->Services)

This way it would be more prominent that the user / administrator should protect the device, and would give an efficient way to do it quickly!

Thank you, in advance!
 
soonwai
Member Candidate
Posts: 104
Joined: Mon Feb 06, 2012 11:50 pm
Reputation: 0
Location: Kuala Lumpur

Re: DDoS force from Mikrotik devices

Sat Feb 18, 2017 7:44 am

There's a discussion of DNS amplification attack here. viewtopic.php?f=2&t=71395

Actually, the default RouterOS config has a firewall filter rule to prevent this:
/ip firewall filter
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway

The problem arises when users follow incomplete guides on the internet, especially those that don't use QuickSet, to set up their home routers. A common example is when an ISP uses PPPoE. The unsuspecting user googles, finds and follows a guide. Their internet works, but the guide doesn't tell them that the above rule needs to be changed to the pppoe interface. So they become a zombie in a DNS attack.
Thanks! :D
 
denke
just joined
Topic Author
Posts: 20
Joined: Sun Jun 27, 2010 12:49 pm
Reputation: 0
Location: Hungary

Re: DDoS force from Mikrotik devices

Sat Feb 18, 2017 11:07 pm

Dear soonwai!

//The next few lines are my own personal opinion
//No harm or offense intended:
// I love mikrotik products, I use them wherever I can, and I often offer / promote them.
// I know that most mikrotik users are experts, who will not make a mistake which will endanger other systems

Ever since Mikrotik started to ship "pre-boxed" routers for a reasonable even cheap cost, they targeted the SOHO market.
Such market does not only consist of experts, it also contains a huge amount of beginners (or people with a beginner level knowledge in this area).
You could always say "then use quickset", but there always will be a layer of users who will always stick their fingers where they do not belong ... hell, that's how they learn...
Since this is the case, I believe that this product should do its very best to protect the internet from its beginner users' lack of knowledge.

In my opinion there IS a sizable amount of misconfigured mikrotik routers on the internet, which are used as a tool to attack legit companies / targets. So I think instead of debating whose fault this is, we should debate how to solve it, and ask the developers to implement the solution.
The other topic (thanks for linking it) mentioned an ACL approach, I think it would be the best!
 
Sob
Forum Guru
Posts: 1739
Joined: Mon Apr 20, 2009 9:11 pm
Reputation: 127

Re: DDoS force from Mikrotik devices

Sat Feb 18, 2017 11:58 pm

I'll be basically repeating myself from the older linked thread, but anyway...

The problem is that even though factory configuration is safe, and there's no way to completely prevent misconfiguration by users, it's too easy to mess it up by mistake.

There's a master switch for allowing remote requests and when you enable it, the only thing that holds it up is a proper firewall. Play with it a little, make some small mistake, which you never notice, because everything seems to work fine, and bam, you're an open resolver. Or start with blank config, enable remote requests and it's the same result.

A new independent access control option could help a lot. An entry for the DNS resolver in IP->Services, with private subnets filled in by default, should work fine. That would be for both factory and blank config (which would make it not exactly blank anymore, but I think it's an acceptable sacrifice). The key point is that beginners would not have any need to touch it, because the DNS resolver would automatically work with any "beginner type" setup. It would not be completely bulletproof, it could still be misused if several CPEs see each other and use private addresses also for WAN. But it's much, much better than being an open resolver for the whole world.

denke wrote:
In my opinion there IS a sizable amount of misconfigured mikrotik routers on the internet, ...

As my home ISP put it, when I asked about blocked incoming port 53: "We have to block it because our customers have too many misconfigured mikrotiks". Oops...
 
denke
just joined
Topic Author
Posts: 20
Joined: Sun Jun 27, 2010 12:49 pm
Reputation: 0
Location: Hungary

Re: DDoS force from Mikrotik devices

Sun Feb 19, 2017 12:26 pm

Thank you for your reply, it is good to see that I am not the only one who experienced the force of this "phenomenon".

I am really curious how Mikrotik will react, will they sweep it under the carpet saying that this is the users' fault and they cannot do anything, or will they actually nip the problem?
 
Zorro
Long time Member
Posts: 667
Joined: Wed Apr 16, 2014 2:43 pm
Reputation: 17

Re: DDoS force from Mikrotik devices

Sun Feb 19, 2017 9:28 pm

Unless you run some services (say DNS or NNTP or anything else) on public interfaces (e.g. "WAN" ports), it's always neat & safe to "whitelist access" to them.
E.g. create an "address list" named say "whitelisted to router services access", add the DNS servers' IP range to it and then make a rule in "input" for them on your "WAN" interfaces.
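The three suggestions in this thread (soonwai's point that the defconf drop rule must follow the real WAN interface onto PPPoE, Sob's idea of an access list pre-filled with private subnets, and Zorro's address-list whitelist on the input chain) fit together into one small RouterOS configuration. The block below is an added example written for this thread, not MikroTik's code and not something any poster supplied; the interface names pppoe-out1 and ether1, the LAN subnet 192.168.88.0/24 and the list name dns-clients are assumptions you would replace with your own.

```routeros
# Added example (not from the thread, not MikroTik's defconf).
# Assumptions: pppoe-out1 is the PPPoE WAN interface, ether1 is the physical
# uplink it runs on, and 192.168.88.0/24 is the LAN behind the router.

# 1. The master switch Sob describes: only enable it if LAN clients actually
#    use the router as their resolver.
/ip dns
set allow-remote-requests=yes

# 2. Whitelist of who may query the router's resolver (Zorro's address-list
#    approach, pre-filled with the LAN subnet as Sob proposes for IP->Services).
#    Do NOT blindly add all RFC1918 space: some ISPs hand out private
#    addresses on the WAN side, which is the CGNAT caveat Sob mentions.
/ip firewall address-list
add list=dns-clients address=192.168.88.0/24 comment="LAN clients allowed to use the resolver"

# 3. Input chain: accept DNS only from the whitelist, then drop DNS arriving
#    on every WAN-facing interface. The drop is repeated for the PPPoE
#    interface because traffic from the ISP arrives there, not on ether1,
#    which is exactly why the defconf rule alone stops working after a PPPoE
#    setup. Use place-before so these land above any broad "accept" rules.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 src-address-list=dns-clients comment="DNS (UDP) for whitelisted clients" place-before=0
add chain=input action=accept protocol=tcp dst-port=53 src-address-list=dns-clients comment="DNS (TCP) for whitelisted clients" place-before=1
add chain=input action=drop protocol=udp dst-port=53 in-interface=pppoe-out1 comment="no open resolver: drop DNS from WAN (PPPoE)" place-before=2
add chain=input action=drop protocol=tcp dst-port=53 in-interface=pppoe-out1 comment="no open resolver: drop DNS from WAN (PPPoE)" place-before=3
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1 comment="no open resolver: drop DNS from WAN (ether1)" place-before=4
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1 comment="no open resolver: drop DNS from WAN (ether1)" place-before=5

# 4. Check: the rules should be listed in this order, and only the "accept"
#    rules' packet counters should grow when LAN clients resolve names.
/ip firewall filter print stats where dst-port=53
/ip dns print
```

If the box later moves to a different uplink (a new PPPoE interface, an LTE interface, a VLAN), the drop rules have to be updated to that interface as well; the reason the address-list accept comes first is that it keeps working regardless of which interface the WAN ends up on, so even a forgotten drop rule only exposes the resolver to sources that are not in dns-clients if some other accept rule below lets them through. Reviewing the counters from step 4 from the outside of the network (a query from any non-whitelisted address should be dropped, not answered) is the quickest way to confirm the router is no longer an open resolver.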
 
SystemErrorMessage
Member
Posts: 347
Joined: Sat Dec 22, 2012 10:04 pm
Reputation: 5

Re: DDoS force from Mikrotik devices

Sun Feb 19, 2017 10:23 pm

DNS is one of the things that mikrotik lags behind. Some consumer routers already have DNScrypt and DNSSEC and other routers have way more advanced DNS in terms of options and configurations.

Rather than setting which IP subnet to use, it would be much better to be able to run the DNS service or multiple different ones by selecting an interface to avoid routerOS being just a closed source linux based OS acting as a server. The firewall on routerOS is not automatic like on a full x86 server OS and doesn't tell you when a program tries to access the internet. This is a weakness of a fully closed OS.
 
denke
just joined
Topic Author
Posts: 20
Joined: Sun Jun 27, 2010 12:49 pm
Reputation: 0
Location: Hungary

Re: DDoS force from Mikrotik devices

Wed Feb 22, 2017 6:00 pm

Can I please get a response from mikrotik personnel?
 
JB172
Member Candidate
Posts: 230
Joined: Fri Jul 24, 2015 3:12 pm
Reputation: 9
Location: AWMN

Re: DDoS force from Mikrotik devices

Wed Feb 22, 2017 6:03 pm

Send an email to support@mikrotik.com with your problem.
