belmont
just joined
Topic Author
Posts: 9
Joined: Tue Jul 05, 2016 6:12 pm

mikrotik hacked!?

Mon Oct 24, 2016 7:39 pm

I have a small network behind the NAT-ed internet, ALL ports closed from internet, however my NVR (Network Video Recorder) was hacked last weekend and it was used for the DynDNS attack: http://thehackernews.com/2016/10/iot-ca ... -ddos.html

My network is not reachable from external, unless they made a VPN tunnel from inside, but how?
I have only a MikroTik router there and that is it.

Has anyone had similar last weekend??

My Hikvision NVR is dead since then, I hope reflashing it will get it back...
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: mikrotik hacked!?

Mon Oct 24, 2016 8:36 pm

So is Mikrotik or DVR hacked?
Have you read this: http://forum.mikrotik.com/viewtopic.php?f=2&t=113760?
 
mag2020
Trainer
Posts: 79
Joined: Sat Nov 30, 2013 8:49 am

Re: mikrotik hacked!?

Mon Oct 24, 2016 8:55 pm

> I have a small network behind the NAT-ed internet, ALL ports closed from internet, however my NVR (Network Video Recorder) was hacked last weekend and it was used for the DynDNS attack: http://thehackernews.com/2016/10/iot-ca ... -ddos.html
>
> My network is not reachable from external, unless they made a VPN tunnel from inside, but how?
> I have only a MikroTik router there and that is it.
>
> Has anyone had similar last weekend??
>
> My Hikvision NVR is dead since then, I hope reflashing it will get it back...

I guess you should rather say, 'your NVR was hacked' and NOT 'Mikrotik hacked' in the subject of the post. However, the Mikrotik could have saved your NVR if you had the right firewalls configured on it.
 
roadracer96
Forum Veteran
Posts: 730
Joined: Tue Aug 25, 2009 12:01 am

Re: mikrotik hacked!?

Mon Oct 24, 2016 10:57 pm

Or it connects to a DNS name that was hijacked and the exploit downloaded.

Lots of those DVR systems create connections automatically. The little webcam I use to watch my kiddo sleep tunnels out to the net and you can connect to it by knowing a serial # or something.

That's why you need to log incoming and outgoing connections through your firewall. For some reason people only ever log denies, thinking they are fixing a problem by dropping traffic, when the reality is, they ARE the problem.
 
nathan1
Member Candidate
Posts: 160
Joined: Sat Jan 16, 2016 7:05 pm

Re: mikrotik hacked!?

Tue Oct 25, 2016 12:01 am

> I have a small network behind the NAT-ed internet, ALL ports closed from internet, however my NVR (Network Video Recorder) was hacked last weekend and it was used for the DynDNS attack: http://thehackernews.com/2016/10/iot-ca ... -ddos.html
>
> My network is not reachable from external, unless they made a VPN tunnel from inside, but how?
> I have only a MikroTik router there and that is it.
>
> Has anyone had similar last weekend??
>
> My Hikvision NVR is dead since then, I hope reflashing it will get it back...

Do you have UPnP enabled? http://wiki.mikrotik.com/wiki/Manual:IP/UPnP
 
mag2020
Trainer
Posts: 79
Joined: Sat Nov 30, 2013 8:49 am

Re: mikrotik hacked!?

Tue Oct 25, 2016 2:35 am

> Or it connects to a DNS name that was hijacked and the exploit downloaded.

You are right. In this circumstance, I think it is most probably the DNS name that was hijacked and the hijacker would be controlling all the DVRs from that point.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: mikrotik hacked!?

Tue Oct 25, 2016 7:26 am

These devices should not have active access to the Internet by definition. You need to drop all packets from their IP in the forward chain facing the WAN.
 
belmont
just joined
Topic Author
Posts: 9
Joined: Tue Jul 05, 2016 6:12 pm

Re: mikrotik hacked!?

Tue Oct 25, 2016 11:35 pm

Okay guys, the fact is the NVR was hacked, still not sure how, but all coming via Mikrotik.
Please someone post the really hacker-proof Mikrotik setup, as currently Mikrotik is not helping me at all. OK, I am just a regular user.
But I use a Sophos firewall at work, and there we can block outgoing traffic too, even by application signature, e.g. if it is OpenVPN traffic we can catch it.

Please post and share best practices for Mikrotik. It is a super stable device but it looks like it is a wide open door as well.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: mikrotik hacked!?

Tue Oct 25, 2016 11:39 pm

I already told you that.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: mikrotik hacked!?

Tue Oct 25, 2016 11:42 pm

Why are you blaming Mikrotik for poor NVR quality?
 
belmont
just joined
Topic Author
Posts: 9
Joined: Tue Jul 05, 2016 6:12 pm

Re: mikrotik hacked!?

Wed Oct 26, 2016 12:05 am

I am not blaming anything, but this is not good at all.
Here is a firm question then.
How can I set up in Mikrotik that one particular host (e.g. the NVR) can only reach an IP or a DNS name (IP range)?
This is very easy to set up in the Sophos firewall, but I am not very familiar with Mikrotik.
So, if I could do this with Mikrotik, then the NVR could only reach the camera vendor cloud and they could not use it for DDoS stuff.

Is there an instruction or wiki on this? Again, I just want to secure this great little toy, so at least the Mikrotik users won't be affected next time.
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: mikrotik hacked!?

Wed Oct 26, 2016 5:27 am

DNS services are the weak spot there, not ROS or devices. Nothing you can't do there. DNS companies would and eventually will (or officials shut them down).
 
roadracer96
Forum Veteran
Posts: 730
Joined: Tue Aug 25, 2009 12:01 am

Re: mikrotik hacked!?

Wed Oct 26, 2016 6:35 am

There is no hacker proof. And you can't even get close with Mikrotik. A couple of lacking features off the top of my head that prohibit their use as a firewall in an enterprise/SMB environment:

SSL decryption and inspection.
Application identification/policy.
IDS/IPS signatures.
Vulnerability signatures.

They fell way too far behind in the last 5 years.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: mikrotik hacked!?

Wed Oct 26, 2016 8:02 am

 
mag2020
Trainer
Posts: 79
Joined: Sat Nov 30, 2013 8:49 am

Re: mikrotik hacked!?

Wed Oct 26, 2016 6:23 pm

> I am not blaming anything, but this is not good at all.
> Here is a firm question then.
> How can I set up in Mikrotik that one particular host (e.g. the NVR) can only reach an IP or a DNS name (IP range)?
> This is very easy to set up in the Sophos firewall, but I am not very familiar with Mikrotik.
> So, if I could do this with Mikrotik, then the NVR could only reach the camera vendor cloud and they could not use it for DDoS stuff.
>
> Is there an instruction or wiki on this? Again, I just want to secure this great little toy, so at least the Mikrotik users won't be affected next time.

In simple terms, what you need is to set up the firewall to accept all you want to pass through and drop all others. You can modify this and use as follows. Note that the accept rules must come before the drop rule in that sequence:
/ip firewall filter
add action=accept chain=forward dst-address=y.y.y.y src-address=x.x.x.x
add action=drop chain=forward src-address=x.x.x.x
Where y.y.y.y is the IP corresponding to the DNS name. x.x.x.x is the IP of your NVR.
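
As an added example, not part of any post in this thread: one way to combine the per-host accept/drop pair from the reply above with the outbound logging and the WAN-facing drop suggested earlier in the thread. The NVR address, WAN interface name, list name and vendor hostname are constructed placeholders, and it assumes a RouterOS release that accepts a DNS name as an address-list entry.

```routeros
# Added example, not from the thread. Constructed values (assumptions):
#   192.168.88.50         LAN address of the NVR (x.x.x.x in the post above)
#   cloud.vendor.example  placeholder for the vendor cloud name (y.y.y.y above)
#   ether1                WAN-facing interface
#   nvr-allowed           address-list name chosen for this example

# Destinations the NVR is allowed to reach. A DNS name entry is resolved by
# the router itself; on releases without that feature, enter the IP instead.
/ip firewall address-list
add list=nvr-allowed address=cloud.vendor.example comment="NVR vendor cloud (placeholder)"

/ip firewall filter
# Return traffic for connections that an earlier rule already permitted.
add chain=forward connection-state=established,related action=accept \
    comment="established/related"

# New connections from the NVR are accepted only toward the allow-list,
# and each one is logged so permitted outbound traffic is visible too.
add chain=forward src-address=192.168.88.50 dst-address-list=nvr-allowed \
    out-interface=ether1 connection-state=new action=accept \
    log=yes log-prefix="nvr-allow" comment="NVR to vendor cloud"

# Anything else the NVR sends toward the WAN is logged, then dropped.
# This also blocks external DNS and NTP servers: point the NVR at the
# router for DNS, or add the servers it needs to nvr-allowed.
add chain=forward src-address=192.168.88.50 out-interface=ether1 \
    action=drop log=yes log-prefix="nvr-drop" comment="NVR other WAN traffic"

# UPnP lets LAN devices request inbound port mappings on the router.
/ip upnp set enabled=no
```

Rules added this way are appended to the end of the forward chain, so move them above any broader accept rule that would match the NVR's traffic first. Repeated "nvr-drop" entries in the log point to the device trying to reach hosts outside the allow-list.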
