whiskeyman7
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Jul 30, 2013 8:30 pm
Location: Costa Rica

Lots of unreplied dns connection

Sat Nov 09, 2013 3:23 am

I am running v6.1 on an rb750. On my firewall connections I see lots of unreplied source IPs with random ports to the destination "my ip:53" with a corresponding CPU spike and slowed connection speeds. It seems that the source IPs come in groups of 10 to 15 "as to defeat flood attack filters" with different ports. Is this some kind of attack on me or is someone leveraging my router in an attack on someone else? If so, what can I do to mitigate the impact on CPU and increase connection speeds? This has been going on for the last 2 months so I would really appreciate any help.


Thanks in advance.
 
onnoossendrijver
Member
Posts: 486
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Lots of unreplied dns connection

Sat Nov 09, 2013 11:36 am

DNS amplification attack... Disable access to your DNS ports from the outside.
 
whiskeyman7
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Jul 30, 2013 8:30 pm
Location: Costa Rica

Re: Lots of unreplied dns connection

Sat Nov 09, 2013 9:44 pm

Worked like a charm!!

I used these rules:

/ip firewall filter
add chain=input in-interface=wan1 protocol=udp dst-port=53 action=drop
add chain=forward protocol=udp dst-port=53 out-interface=!wan1 action=drop

Thank you very much...
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Lots of unreplied dns connection

Sun Nov 10, 2013 6:56 pm

If the router is acting as a firewall you should have a default "drop all" at the end of the forward chain and input chain. If you are having to add a specific drop on the input chain for DNS traffic then you probably have other potential security vulnerabilities.
 
whiskeyman7
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Jul 30, 2013 8:30 pm
Location: Costa Rica

Re: Lots of unreplied dns connection

Sun Nov 10, 2013 10:51 pm

The reason my router firewall did not drop this DNS traffic is because of this rule on my services chain:
add chain=services comment="Allow udp" protocol=udp

My next question is, in leaving this rule enabled, does this leave me open to other types of malicious behavior?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Lots of unreplied dns connection

Sun Nov 10, 2013 11:01 pm

If you are actually calling the services chain then yes, it probably does.

Try uploading your complete firewall rules - and note my earlier comment about having default "drop all" rules in a firewall configuration. In a firewall configuration you generally want to only accept traffic explicitly and drop everything else. If you are solving a problem by creating a specific drop rule then that can be appropriate in a configuration of a unit operating predominantly in router mode but is most likely inappropriate for a unit operating predominantly in firewall mode.
 
whiskeyman7
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Jul 30, 2013 8:30 pm
Location: Costa Rica

Re: Lots of unreplied dns connection

Sun Nov 10, 2013 11:03 pm

Here is my filter:

/ip firewall filter
add action=drop chain=input comment="Drop ping" in-interface=\
"wan1" protocol=icmp
add action=drop chain=input comment="Drop vpn" in-interface=\
"wan1" port=1723 protocol=tcp
add action=jump chain=input comment=----------ip_blacklist---------- \
connection-limit=75,24 jump-target=ip_blacklist protocol=udp
add action=add-src-to-address-list address-list=ip_blacklist \
address-list-timeout=1d chain=ip_blacklist protocol=udp
add action=log chain=ip_blacklist disabled=yes log-prefix=ip_blacklist \
protocol=udp src-address-list=ip_blacklist
add action=drop chain=ip_blacklist src-address-list=ip_blacklist
add action=passthrough chain=ip_blacklist
add action=jump chain=input comment=\
"----------drop ssh brute forcers----------" dst-port=22 jump-target=\
ssh_brute_forcers protocol=tcp
add chain=ssh_brute_forcers content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m dst-port=22 protocol=tcp
add action=log chain=ssh_brute_forcers dst-port=22 log-prefix=\
ssh_brute_forcers protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=ssh_brute_forcers connection-state=new \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=drop chain=ssh_brute_forcers connection-state=new \
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=10h chain=ssh_brute_forcers connection-state=new \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=drop chain=ssh_brute_forcers connection-state=new \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=5d chain=ssh_brute_forcers connection-state=new \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=drop chain=ssh_brute_forcers connection-state=new \
src-address-list=ssh_stage3
add action=passthrough chain=ssh_brute_forcers
add action=jump chain=input comment=\
"----------drop ftp_bruteforcers----------" connection-mark=ftp_in \
dst-port=21 jump-target=ftp_bruteforcers protocol=tcp
add chain=ftp_bruteforcers content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m dst-port=21 protocol=tcp
add action=log chain=ftp_bruteforcers dst-port=21 log-prefix=\
"ftp brute forcers" protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_stage1 \
address-list-timeout=10m chain=ftp_bruteforcers content=\
"530 Login incorrect" dst-port=21 protocol=tcp
add action=drop chain=ftp_bruteforcers src-address-list=ftp_stage1
add action=add-dst-to-address-list address-list=ftp_stage3 \
address-list-timeout=5d chain=ftp_bruteforcers content=\
"530 Login incorrect" dst-port=21 protocol=tcp
add action=drop chain=ftp_bruteforcers src-address-list=ftp_stage3
add action=add-dst-to-address-list address-list=ftp_stage2 \
address-list-timeout=10h chain=ftp_bruteforcers content=\
"530 Login incorrect" dst-port=21 protocol=tcp
add action=drop chain=ftp_bruteforcers src-address-list=ftp_stage2
add action=passthrough chain=ftp_bruteforcers
add action=jump chain=input comment=----------drop_port_scanners---------- \
jump-target=drop_scanners protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=drop_scanners log-prefix=port_scanners protocol=tcp \
src-address-list="port scanners"
add action=drop chain=drop_scanners protocol=tcp src-address-list=\
"port scanners"
add action=passthrough chain=drop_scanners
add action=jump chain=input comment="----------SYN-Flood Protect----------" \
connection-limit=50,32 connection-state=new jump-target=\
"SYN-Flood Protect" protocol=tcp
add chain="accept tcp flags" connection-state=new limit=400,5 protocol=tcp \
tcp-flags=syn
add action=add-src-to-address-list address-list=SYN-Protect \
address-list-timeout=1d chain="SYN-Flood Protect" connection-limit=42,32 \
protocol=tcp tcp-flags=syn
add action=log chain="SYN-Flood Protect" log-prefix="SYN-Flood Protect" \
protocol=tcp src-address-list=SYN-Protect
add action=drop chain="SYN-Flood Protect" connection-state=new protocol=tcp \
src-address-list=SYN-Protect tcp-flags=syn
add action=passthrough chain="SYN-Flood Protect"
add action=jump chain=input comment=\
"----------DNS amplification attack Protection In----------" jump-target=\
dnsamp
add action=drop chain=dnsamp dst-port=53 in-interface=\
"wan1" protocol=udp
add action=drop chain=dnsamp dst-port=53 in-interface=\
"wan1" protocol=tcp
add action=passthrough chain=dnsamp
add action=jump chain=forward comment=\
"----------DNS amplification attack Protection Out----------" \
jump-target=dnsampout
add action=drop chain=dnsampout dst-port=53 out-interface=\
"!wan1" protocol=udp
add action=drop chain=dnsampout dst-port=53 out-interface=\
"!wan1" protocol=tcp
add action=return chain=dnsampout
add action=jump chain=forward comment=----------isolation---------- \
jump-target=isolation
add action=drop chain=isolation dst-address-list=Security_Segment \
in-interface=ether5-Hotspot
add action=drop chain=isolation dst-address-list=Operations_Segment \
in-interface=ether5-Hotspot
add action=return chain=isolation
add action=jump chain=forward comment=\
"----------jump to the virus chain----------" jump-target=virus
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=\
tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
65506 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=31846 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=tcp
add action=drop chain=virus comment="2869 UPNP" dst-port=2869 protocol=tcp
add action=drop chain=virus comment="2869 UPNP" dst-port=2869 protocol=udp
add action=drop chain=virus comment="Anti NETBIOS" protocol=tcp src-port=\
135-139
add action=drop chain=virus protocol=udp src-port=135-139
add action=drop chain=virus dst-port=135-139 protocol=tcp
add action=drop chain=virus dst-port=135-139 protocol=udp
add action=drop chain=virus dst-port=445 protocol=tcp
add action=drop chain=virus protocol=udp src-port=445
add action=drop chain=virus dst-port=445 protocol=udp
add action=log chain=virus disabled=yes log-prefix=virus
add action=return chain=virus
add action=jump chain=forward comment=\
"----------Allow 3-way handshake----------" jump-target=tcpflags \
protocol=tcp
add chain=tcpflags connection-state=new protocol=tcp tcp-flags=syn
add chain=tcpflags protocol=tcp tcp-flags=syn,ack
add chain=tcpflags connection-state=new protocol=tcp tcp-flags=ack
add chain=tcpflags protocol=tcp tcp-flags=fin,ack
add chain=tcpflags connection-state=new protocol=tcp tcp-flags=urg
add action=return chain=tcpflags
add action=jump chain=forward comment=\
"----------Allow/Drop Connection State----------" jump-target=connections
add chain=connections connection-state=established
add action=drop chain=connections connection-state=invalid
add action=return chain=connections
add action=jump chain=forward comment=\
"----------jump to chain ICMP----------" jump-target=ICMP protocol=icmp
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 \
protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 \
protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 \
protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 \
protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 \
protocol=icmp
add action=return chain=ICMP
add action=jump chain=forward comment=\
"----------jump to chain services----------" jump-target=services
add chain=services comment="Allow MACwinbox " dst-port=20561 protocol=udp
add chain=connections connection-state=related
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=\
udp
add chain=services comment="Allow SNMP" dst-port=161 protocol=udp
add chain=services comment="Allow BGP" dst-port=179 protocol=tcp
add chain=services comment="Allow SIP" dst-port=5000-5100 protocol=udp
add chain=services comment="Allow NTP" dst-port=123 protocol=udp
add chain=services comment="Allow PPTP" dst-port=1723 protocol=tcp
add chain=services comment="Allow PPTP and EoIP" protocol=gre
add chain=services comment="Allow UPnP" dst-port=1900 protocol=udp
add chain=services comment="Allow UPnP" dst-port=5000 protocol=tcp
add chain=services comment="Allow DHCP" dst-port=67-68 protocol=udp
add chain=services comment="Allow SMTP" dst-port=25 protocol=tcp
add chain=services comment="Allow udp" protocol=udp
add chain=services comment="Allow Dude" src-mac-address=00:00:00:00:00:00
add action=log chain=forward comment="Drop Everything Else" log-prefix=\
"Drop Everything Else"
add action=drop chain=forward comment="drop the rest"
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Lots of unreplied dns connection

Mon Nov 11, 2013 7:11 pm

On a rapid scan through the rules I didn't see a default drop rule at the end of your input chain.
 
whiskeyman7
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Jul 30, 2013 8:30 pm
Location: Costa Rica

Re: Lots of unreplied dns connection

Mon Nov 11, 2013 7:36 pm

Thanks for taking a look but the drop everything rule is the very last rule on my filter.

add action=drop chain=forward comment="drop the rest"
 
whiskeyman7
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Jul 30, 2013 8:30 pm
Location: Costa Rica

Re: Lots of unreplied dns connection

Mon Nov 11, 2013 7:46 pm

I thought I would have been covered with this "Drop the rest" rule added at the end of my filter list on the forward chain?

If not, can you please explain, because I am obviously missing something here?

Thank you for your patience.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: Lots of unreplied dns connection

Mon Nov 11, 2013 7:52 pm

You need to have a "drop the rest" rule on both the input and forward chains.
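As an added example (not from the thread, and not RouterOS code): a toy Python model of RouterOS chain evaluation, cut down from the filter posted above, showing that a packet aimed at the router's own port 53 is handled by the input chain and never reaches the forward chain's "drop the rest", while the wildcard "Allow udp" rule in the forward services chain still passes forwarded DNS. The IP addresses and the chain contents are constructed for the demonstration.

```python
# Added example, not from the thread: a toy model of RouterOS filter chain
# evaluation. Only detailed enough to show input vs. forward and the
# jump / return / passthrough semantics that matter for the question above.
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str = "accept"                      # RouterOS default action
    match: dict = field(default_factory=dict)   # e.g. {"protocol": "udp", "dst_port": 53}
    jump_target: str = ""

def run_chain(chains, name, pkt):
    """Walk one chain. Returns 'accept'/'drop' when a terminating rule fires,
    or None if the chain falls through (RouterOS then accepts the packet)."""
    for rule in chains.get(name, []):
        if any(pkt.get(k) != v for k, v in rule.match.items()):
            continue
        if rule.action == "jump":
            sub = run_chain(chains, rule.jump_target, pkt)
            if sub is not None:
                return sub
            continue                            # sub-chain returned: keep walking
        if rule.action == "return":
            return None
        if rule.action == "passthrough":        # counted, but no verdict
            continue
        return rule.action                      # accept or drop
    return None

def verdict(chains, pkt, router_ips):
    """Packets addressed to the router itself go through input, all others
    through forward; no terminating match means an implicit accept."""
    chain = "input" if pkt["dst_ip"] in router_ips else "forward"
    return run_chain(chains, chain, pkt) or "accept"

ROUTER = {"203.0.113.1"}                        # constructed WAN address
UDP53 = {"protocol": "udp", "dst_port": 53}

# Cut-down version of the posted filter: the only final drop is on forward.
BEFORE = {
    "input":   [Rule("jump", {"protocol": "tcp"}, "drop_scanners")],
    "drop_scanners": [Rule("passthrough")],
    "forward": [Rule("jump", {}, "services"), Rule("drop", {})],
    "services": [Rule("accept", {"protocol": "udp", "dst_port": 123}),
                 Rule("accept", {"protocol": "udp"})],      # "Allow udp"
}
# Same, with a services_input chain that ends in its own "Drop the rest".
AFTER = dict(BEFORE, input=[Rule("jump", {}, "services_input")],
             services_input=[Rule("accept", {"protocol": "udp", "dst_port": 161}),
                             Rule("drop", {})])

def dns_to_router(chains):      # query for the router's own resolver
    return verdict(chains, {"dst_ip": "203.0.113.1", **UDP53}, ROUTER)

def dns_forwarded(chains):      # query passing through to a LAN host
    return verdict(chains, {"dst_ip": "192.168.88.10", **UDP53}, ROUTER)
```

Before the change the router-bound query is accepted by fall-through; after it, the input drop catches it, while forwarded DNS is still accepted by the wildcard "Allow udp" rule in both cases.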
 
whiskeyman7
Frequent Visitor
Topic Author
Posts: 86
Joined: Tue Jul 30, 2013 8:30 pm
Location: Costa Rica

Re: Lots of unreplied dns connection

Tue Nov 12, 2013 3:00 am

Thank you for the info.

I have since added this to my filter

add action=jump chain=input comment=\
"----------jump to chain services input----------" jump-target=\
services_input
add chain=services_input comment="Allow MACwinbox " dst-port=20561 protocol=\
udp
add chain=services_input comment="Allow Winbox " connection-mark=wnbx_in
add chain=services_input comment="Allow SNMP" dst-port=161 protocol=udp
add chain=services_input comment="Allow PPTP" dst-port=1723 protocol=tcp
add chain=services_input comment="Allow NTP" connection-mark=ntp_in
add chain=services_input comment="Allow UPnP" dst-port=1900 protocol=udp
add chain=services_input comment="Allow DHCP" connection-mark=dhcp_in
add chain=services_input comment=com_in packet-mark=com_in
add chain=services_input comment=https_in packet-mark=https_in
add chain=services_input comment=http_in packet-mark=http_in
add chain=services_input comment=dwn_in packet-mark=dwn_in
add chain=services_input comment=other_in packet-mark=other_in
add chain=services_input comment=p2p_in packet-mark=p2p_in
add chain=services_input comment=mnet_in packet-mark=mnet_in
add chain=services_input comment=ur_in packet-mark=ur_in
add chain=services_input comment="Allow DNS L-7" layer7-protocol=dns
add action=log chain=services_input disabled=yes log-prefix=\
input_drop_the_rest
add action=drop chain=services_input comment="Drop the rest"


And removed the "DNS amplification attack Protection" rules.

All seems to be working so far. If you see anything I might have missed please let me know...


One last thing... There does not seem to be data collecting on this chain:
add chain=services_input comment=https_in packet-mark=https_in
I do not see any dropped https traffic but I can see https traffic on firewall connections.
Any ideas?
 
milekz
just joined
Posts: 7
Joined: Sat Aug 20, 2011 7:42 pm

Re: Lots of unreplied dns connection

Mon Nov 18, 2013 4:31 pm

How do you "translate" this rule into the MT firewall:
iptables -I FORWARD -p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --to 65535 --dport 53 -j DROP

?
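Added example (not from the post, and not a RouterOS translation): what that iptables string match actually looks for, worked through in Python. The hex pattern is the tail of a DNS header (ANCOUNT=0, NSCOUNT=0, ARCOUNT=1, i.e. exactly one additional record such as an EDNS OPT) followed by the QNAME isc.org; `--algo bm` with `--to 65535` searches the whole packet for that byte string. The query builder and transaction id below are constructed for the test.

```python
import struct

# The byte pattern from the iptables rule in the post above.
SIGNATURE = bytes.fromhex("00000000000103697363036f726700")

def decode_signature(sig=SIGNATURE):
    """Split the 15-byte pattern into three DNS header counters and a QNAME.
    A DNS header ends with QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT and the question
    name follows immediately, so the pattern pins the last three counters
    plus the name being asked for."""
    ancount, nscount, arcount = struct.unpack("!HHH", sig[:6])
    labels, i = [], 6
    while sig[i]:                      # the name ends with a zero-length label
        n = sig[i]
        labels.append(sig[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return {"ancount": ancount, "nscount": nscount,
            "arcount": arcount, "qname": ".".join(labels)}

def build_query(qname, qtype, edns=True, txid=0x1234):
    """Constructed DNS query (UDP payload) for testing: one question,
    optionally with an EDNS OPT record in the additional section."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    pkt = header + name + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN
    if edns:
        # OPT RR: root name, TYPE 41, UDP size 4096, TTL 0, RDLENGTH 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return pkt

def matches_rule(udp_payload):
    """iptables -m string --algo bm --to 65535 scans the whole packet for the
    pattern; for a DNS payload that is a plain substring test. The query type
    is not part of the pattern, so any query for this name that carries one
    additional record matches, whatever record type it asks for."""
    return SIGNATURE in udp_payload
```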
