These rules make an address-list for DNS offenders that receive too many replies for not-found DNS entries in a period of time.
Does anyone have any idea:
- How to protect our DNS servers and MikroTik routers from this DNS flooding? The cache is getting filled up with N entries.
- What is this virus and how to block the traffic of the virus? How to combat it?
- Depending on the DNS server used, you can set aggressive timeouts on misses.
- Block the user from being able to reach the DNS servers in the first place.
- It's very likely a botnet-infected machine looking for a CC (command and control) server. Clients have built-in rules to build DNS names to query for until they find a CC. That way the bot herder can rapidly rotate the CCs and the bots follow after some time.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
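The address-list approach from the first post (flag clients that receive too many not-found replies in a period) and the "block them from reaching DNS" advice above, as an added example that is not from the thread: a sliding-window counter over resolver log lines that emits RouterOS address-list commands for the offenders. The log format and client addresses are constructed for illustration; the threshold and window are assumptions to tune per network.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample resolver log: timestamp, client IP, queried name, reply code.
# 10.0.0.77 burns through random names (typical CC-hunting behaviour described in
# the thread); 10.0.0.9 only makes a few typos spread over ten minutes.
SAMPLE_LOG = """\
2009-08-11T03:19:00 10.0.0.5 www.example.com NOERROR
2009-08-11T03:19:01 10.0.0.9 exmaple.com NXDOMAIN
2009-08-11T03:19:02 10.0.0.77 kx7qa2.net NXDOMAIN
2009-08-11T03:19:03 10.0.0.77 p0z1ml.org NXDOMAIN
2009-08-11T03:19:05 10.0.0.77 q9vt3e.com NXDOMAIN
2009-08-11T03:19:08 10.0.0.77 zz8lfp.biz NXDOMAIN
2009-08-11T03:19:12 10.0.0.5 mail.example.com NOERROR
2009-08-11T03:19:15 10.0.0.77 a3hn0c.info NXDOMAIN
2009-08-11T03:19:20 10.0.0.77 r2dq7k.net NXDOMAIN
2009-08-11T03:23:30 10.0.0.9 examlpe.org NXDOMAIN
2009-08-11T03:29:45 10.0.0.9 exampel.net NXDOMAIN
"""

def parse_line(line):
    """Split one constructed log line into (datetime, client, name, rcode)."""
    ts, client, name, rcode = line.split()
    return datetime.fromisoformat(ts), client, name, rcode

def find_offenders(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: peak_count} for clients that received at least `threshold`
    NXDOMAIN replies within any sliding window of length `window`."""
    recent = defaultdict(deque)   # client -> timestamps of recent NXDOMAIN replies
    offenders = {}
    for line in lines:
        if not line.strip():
            continue
        ts, client, _name, rcode = parse_line(line)
        if rcode != "NXDOMAIN":
            continue                # only not-found replies count toward the limit
        hits = recent[client]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()          # drop replies that fell out of the window
        if len(hits) >= threshold:
            offenders[client] = max(offenders.get(client, 0), len(hits))
    return offenders

def address_list_commands(offenders, list_name="dns-offenders", timeout="1h"):
    """RouterOS commands adding each offender to a timed address list, which a
    firewall rule can then match to block their DNS traffic."""
    return [f"/ip firewall address-list add list={list_name} address={ip} timeout={timeout}"
            for ip in sorted(offenders)]

if __name__ == "__main__":
    for cmd in address_list_commands(find_offenders(SAMPLE_LOG.splitlines())):
        print(cmd)
```

With the sample above only 10.0.0.77 is listed (six not-found replies inside 18 seconds); the slow typo-maker stays off the list because its three misses never fall inside one window.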
Oh yes? That could really be true, but that actually does not help with the fact that this thing can actually kill the DNS cache on MikroTik. From one source, ok, just set flushing the cache every 15 minutes and you probably won't even notice it. If there is more than one source for that and constant flooding with this... you have a problem.
Oh, but it does catch them. At least, not directly. These botnets usually use a different DNS server than your default, so I killed everything that's not going through the designated DNS. I found a couple of users with this issue and this thing successfully removed invalid DNS attempts and also removed that problem. Also, "allow remote requests" for the DNS cache is turned on. Everything else is blocked and that indirectly included the flooding problem. And, I just blasted those lines in and it worked... at least for me and my network problems.
And clearing the cache... I don't know, you're probably right, but this helped me with occasional router freezes during DNS flooding. Probably issues with older ROS on some of the routers.
- Catch infected hosts with my rules.
- Block their Internet access and send their web requests to my company's HTTPS site with a valid, verifiable certificate.
- On that page, tell them to run a certain anti-virus solution that I know for sure would clean the infection, like Microsoft Malicious Software Removal Tool.
But how can I be sure that a certain simple anti-virus tool would clean it?
You can't know... and usually this stuff can be removed only by reinstalling Windows, and in extreme cases you have to do a low-level format of all hard drives. Microsoft Malicious Software Removal Tool usually crashes Windows because it deletes infected files instead of fixing them. Well, at least, that used to be the case with that "tool". On the other hand, I find that Kaspersky is quite helpful in solving virus outbreaks. I also tried Avast as a free solution.
Microsoft Malicious Software Removal Tool cleaned an infected wininit.exe for me once. How about that, hmm? WITHOUT THE NEED TO REBOOT.
Niceee... and how about svchost.exe, rundll32.exe, services.exe, or maybe winlogon.exe or explorer.exe? The safest way for your network and for your customer is to recommend a Windows reinstall by someone who knows how to do it (since whoever gets their hands on a Windows installation disk becomes a self-named "professional").