Mikrotik Router DDoS attack
RouterOS general discussion

PoURaN
just joined

by PoURaN » Mon Apr 30, 2012 11:59 pm

A denial of service attack in the Winbox service causes the Winbox service to totally fail to respond and also has various results in the whole router: 100% CPU always and sometimes BGP and interface failures after a long-time attack.
Details, script code and video example here: http://www.133tsec.com/2012/04/30/0day- ... os-attack/

cbrown
Forum Guru

by cbrown » Tue May 01, 2012 2:17 pm

Isn't this pretty much the same topic?

viewtopic.php?f=2&t=61535
C.Brown

cbrown[at]mpl.com
MTCNA - MTCRE - MTCWE - MTCTCE

http://training.mpl.com

PoURaN
just joined

by PoURaN » Tue May 01, 2012 9:52 pm

cbrown wrote: Isn't this pretty much the same topic?

viewtopic.php?f=2&t=61535

They are 2 separate vulnerabilities.
One for Winbox (client side) and one for the Winbox service on the server side.

gsloop
Member Candidate

by gsloop » Mon May 07, 2012 9:55 pm

I went looking to see about the DOS attacks, and all the threads I can find have been deleted.

I find this quite troubling.

Is MikroTik simply going to address security vulnerabilities by quashing any discussion of them?!?!

I'm not aware of any security list, or the like so one can know about such issues and how to address them.

So, I'd like an answer MK ...
1) Is discussion of a security vulnerability and the steps to mitigate it off limits?
2) If so, how do you propose to allow these kinds of issues to be discussed?
3) Finally, shouldn't there be a security channel where such problems are announced and the issues raised addressed?

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -

tgrand
Long time Member

by tgrand » Tue May 08, 2012 4:25 am

Winbox from my perspective is for management and should not be available to ANY ip source addresses.

Do this to any management protocol at your own risk.

brianlewis
Member Candidate

by brianlewis » Wed May 09, 2012 4:50 pm

We configure all our routers to have a 'safe' list and a 'hacker' list. Any management IPs are added to the safe list statically and added to source allow at the top of the firewall rules; then anyone connecting to port 8291 is added to the 'hacker' list, which is blocked.
First line: allow safe list
Second line: block source hacker list
Third line: if TCP 8291 dst, add source address to list 'hacker'
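
The three rules described in the post above, written out as RouterOS firewall configuration. This is an added example, not part of the original post: the management address 192.0.2.10 and the one-day timeout are assumptions, and a fourth rule is added because the address-list action only records the source and does not drop the packet itself.

```routeros
# Added example (not from the thread). 192.0.2.10 is a constructed
# management address; list names follow the post, the timeout is assumed.
/ip firewall address-list
add list=safe address=192.0.2.10 comment="management workstation (constructed)"

/ip firewall filter
# 1) Management sources are accepted before any later rule can flag them.
add chain=input src-address-list=safe action=accept comment="allow safe list"
# 2) Sources that were flagged earlier are dropped for all traffic to the router.
add chain=input src-address-list=hacker action=drop comment="block hacker list"
# 3) Any other source that touches the Winbox port is recorded in 'hacker'.
#    This action is not terminating: the packet continues to the next rule.
add chain=input protocol=tcp dst-port=8291 action=add-src-to-address-list \
    address-list=hacker address-list-timeout=1d comment="flag Winbox probes"
# 4) Drop the packet that triggered rule 3, so the first connection attempt
#    from an unlisted source never reaches the Winbox service.
add chain=input protocol=tcp dst-port=8291 action=drop comment="drop unlisted Winbox"
```

Rule order matters here: if the accept rule for 'safe' is not first, a management host that connects to port 8291 is added to 'hacker' and locked out until the entry times out.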

gsloop
Member Candidate

by gsloop » Wed May 09, 2012 10:03 pm

These are all nice replies, but mostly meaningless unless we know more about the problem and a full discussion of the issues from MT. Since this hasn't happened, these mitigations may well not "mitigate" anything.

Further, while mitigating a problem is nice - there are some cases where allowing WinBox management from the WAN side in an unrestricted manner is the only real option.

Again, banning or deleting discussion of the problem and avoiding full disclosure is simply stupidity, IMO.
The "bad guys" will all have the ability to attack your systems, and you'll be without any real knowledge about the issue and how to best protect yourself.

This kind of response makes me question the choice to use MT. It's misguided and the only people it hurts is the user base.
It may appear to help MT in the short-term, but companies that stomp all over discussion of vulnerabilities, especially in the security world, should die quick deaths.

Witness RSA and the secure ID fob token train-wreck. No disclosure, until months later, and then only when cornered. "Ah, yeah, everyone who used our product was totally vulnerable to a horrible attack. But trust us, we have your interests in mind!"

I don't trust anyone, and especially not anyone who has a financial interest in misleading me. Give me details and let me evaluate the issue.

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -

normis
MikroTik Support

by normis » Thu May 10, 2012 10:49 am

RouterOS with a firewall is not vulnerable. Only devices with no protection are affected. We are working on a fix for those unprotected machines.

by quashing any discussion of them?!?!

We are not quashing discussions, we are simply not blowing the problem out of proportion, to reduce people's want to exploit this.
No answer to your question? How to write posts

DjM
Frequent Visitor

by DjM » Thu May 10, 2012 6:05 pm

Hello MikroTik support team,

were both DDoS issues solved in the released 5.16 version, please? I can't see information related to this topic in the changelog.

Thank you

hci
Long time Member

by hci » Thu May 10, 2012 10:38 pm

Also curious if 5.16 addresses any of this?

normis
MikroTik Support

by normis » Fri May 11, 2012 8:35 am

No. The problem is actually only one (DOS, not DDOS, because it's not distributed). You can solve it, by configuring a firewall rule on the router, to stop unknown connections to the router. Normally you should have such rules in place already, as most RouterBOARDs have such configuration by default.

We will solve the issue in the next version. The other "problem" works like this - somebody could create a program that looks like a router to the Winbox Loader. When the Winbox user is tricked into connecting to this fake "router", the Windows user could be attacked. In the near future, Winbox loader will be eliminated (Winbox will be one program), and this problem will be solved by itself.

None of these issues are new. They have been there since Winbox was first released.

gsloop
Member Candidate

by gsloop » Wed May 16, 2012 7:33 pm

Normis...

I'm not sure why you all feel so strongly about this. [Quite clear, since you deleted my last post...]
I'm really not trying to be a PITA, but I haven't heard any real answers.


So, I'd like an answer MK ...
1) Is discussion of a security vulnerability and the steps to mitigate it off limits?
2) If so, how do you propose to allow these kinds of issues to be discussed?
3) Finally, shouldn't there be a security channel where such problems are announced and the issues raised addressed?


What I know about the issues is REALLY thin.
...And apparently I'm not allowed to pose further questions here, or to prod you/MikroTik to provide more answers etc.

---
So let's try, for the sake of furthering the discussion, to talk about disclosure, a security notification process etc.

Is there a security channel, or list-serv? [If not, which I assume is the case, is there a plan to create one?]
If you're not going to have one, should people just submit known vulnerabilities to CERT and let them handle the disclosure?

I'd assume you've seen these, but this is what I'd expect in a security channel:
http://www.us-cert.gov/cas/bulletins/SB12-135.html
and
http://www.us-cert.gov/cas/techalerts/TA12-101B.html

It has the date it was published.
It has a clear synopsis of the problem.
It has a score and category of severity.

It has a link to a fuller discussion of the issue (e.g. http://www.adobe.com/support/security/b ... 12-08.html) where you learn:
Which versions are affected.
What the potentials are. (e.g. A DOS with potential for remote privileged access.)
...and lots more.
[That's a whole different world than we've seen around this issue.]


I think a similar approach is a very good thing for MikroTik, and for those of us supporting the product.

---
And one specific question about the current issues:

Do you have a time-frame for a fix?

[I really need WinBox access from the world, as I suspect most others do too. Simply firewalling off the WinBox port, or disabling WinBox support completely really isn't a workable solution for me. ...and yes, I could turn it off, login with SSH, turn it on for a single host, do my work, and then turn it back off - or some other work-around, but these are practically unworkable. The result is that it's such a PITA to manage the box, you just either turn it on and live with the risk, or turn it off and never turn it on except in the most dire of emergencies. And I think it's pretty clear that either of those two extremes are less than ideal.]

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -

MCT
Member Candidate

by MCT » Thu May 17, 2012 6:37 am

This is one of the things that has hurt Mikrotik's reputation the most. This is the internet, and nothing attracts attention more than a company deleting posts about security issues or bugs. If they can't discuss it on your official forums they're going to go discuss it on your competitor and 3rd party forums. There are numerous examples of this.

The correct way to handle such issues is to acknowledge it and post a notice about the vulnerability, versions affected, and mitigation steps to take until a patch is issued.

janisk
MikroTik Support

by janisk » Thu May 17, 2012 10:39 am

Well, as a RouterOS and RouterBOARD user myself, all I can suggest is - create a decent firewall that will allow you everything you like and still keep the router safe.

There have been endless discussions about what is and what is not safe. Now - the suggested configuration has proposed the WAN interface completely cut off, hence all the attacks can come only from within your network, where you can deal with them swiftly and easily.

And once again - having a proper configuration in place resolves issues like this. When I configure the router, I usually have port-knocking in place and allow an encrypted tunnel to the router. In the user list - connection to the router is allowed only from management IP addresses. That was so in the 2.9.x era and so it is now.

Anyway, the described problems are being worked on. And this topic looks more like scaremongering than anything else.

normis
MikroTik Support

by normis » Thu May 17, 2012 10:40 am

Some nice suggestions here: http://gregsowell.com/?p=3773

Something that many have missed: RouterBOARDs have this firewall rule by default

MCT
Member Candidate

by MCT » Thu May 17, 2012 4:22 pm

janisk wrote: Well, as a RouterOS and RouterBOARD user myself, all I can suggest is - create a decent firewall that will allow you everything you like and still keep the router safe.

There have been endless discussions about what is and what is not safe. Now - the suggested configuration has proposed the WAN interface completely cut off, hence all the attacks can come only from within your network, where you can deal with them swiftly and easily.

And once again - having a proper configuration in place resolves issues like this. When I configure the router, I usually have port-knocking in place and allow an encrypted tunnel to the router. In the user list - connection to the router is allowed only from management IP addresses. That was so in the 2.9.x era and so it is now.

Anyway, the described problems are being worked on. And this topic looks more like scaremongering than anything else.


It doesn't have to be that way, but it will end up that way if posts like this get deleted. The way to handle it is to make a sticky notice about the vulnerability, what versions are affected, how to mitigate it, and that Mikrotik is aware of the problem and working on a patch.

I guarantee you that people that will actually use the vulnerability already know about it. The professional thing to do is notify your users about the issue in an official channel. That way you appear in control of the situation instead of trying to cover it up, and if the internet has taught the world anything it's that trying to cover anything up only makes it spread faster.

gsloop
Member Candidate

by gsloop » Thu May 17, 2012 7:10 pm

So, Normis and Janisk both post elaborate defenses, and simply ignore all the queries about a security list-serv or equivalent?

Seriously?! [With all due respect, can I have what you're smoking? It's got to be good stuff!]

---
-- First: I can show you scare mongering, and this isn't it. [The first post or two, who knows. I'm not going to get into analyzing the mindset of another poster. Perhaps they are people with ill will toward RB/MikroTik, perhaps not. But my posts, and my queries, they've been respectful and simply asking for more data. The other posts also have been asking for more data.]

-- Second: Scaremongering only works if you refuse to get out in front of the problem and actually address the issues in non-bunker mentality. Be open about the issue, its cause and ramifications, remediation steps and time for a fix.

You've had to be led, screaming and kicking the whole way, to get the most minimal disclosures so far. So, in that environment, you are being your own worst enemy in allowing MikroTik to be a "victim" of scare-mongering, IMO.

When people think you're being evasive, not fully honest, hiding things - that's when fear-mongering works.

[And that's how it looks to me - and really, I'm no hostile audience. I really WANT MikroTik to succeed. I've just spent a very significant amount of time moving my clients to RB and writing scripts and doing a lot of bench-testing etc. I don't have lots of great alternatives. So, believe me when I say, I *really* want RB to succeed. At its core, it looks like a really great product. If I didn't want your success, I wouldn't have spent the time, money and resources here.]

So, if you want to immunize yourself against fear-mongering, just be fully open and very up-front about the problems. If you don't, someone will fill up the vacuum with mis-information - intentional or not.

-- Third: Please stop with all the "firewall blocks on the WAN interface fix the problem." You act as though this isn't a problem because you shouldn't use WinBox on the WAN interface. You act as though this is just "normal" and any non-retarded non-moron wouldn't be complaining at all, that this is all a total freak-out over absolutely nothing.

Let's just, for the sake of argument, assume this is a reasonable/plausible suggestion. [That it's all a "freak-out" over nothing.]
If that is really so, and freaking-out over nothing, and there's really nothing there, there...then why bother fixing the problem at all?

Oh, that's right, because it really *is* a problem.
Any station that can communicate with WinBox can exploit this and DOS the Routerboard, including internal stations - or something infected with a virus etc. [And yes, it would have to be specially tailored etc - I fully understand this.]

And the attacks from a "fake" RB server are, from the minimal data I have, very serious.

So, it *IS* a real problem. You're admitting that by fixing it. But you can't have it both ways. Either it's not a problem and we're not going to bother fixing it, or it IS a real problem and that is WHY we're spending the resources to fix it.

The mitigation steps help for people who *can* practically implement them. However, some won't be able to implement them, and the thing is *still* vulnerable unless you disable all management except through the serial interface. Do you think Cisco would get away with claiming that "only people on the LAN could DOS Cisco routers" and thus it was all no real problem? [Answer: ABSOLUTELY NO!]

However, there are, essentially, NO mitigation steps for the fake RB server problem however. [Again, going from the extremely limited data that MikroTik has divulged so far.]

-- Fourth. You continue to avoid any time-frame of a fix. "We're working on it," doesn't mean a lot to me. Did you ever hear about Duke Nukem Forever? They're working on it. [Just to save you time, it was a FPS game that went through a 15 year development cycle, and still generally sucked when it finally rolled over the finish line. It received a "Lifetime achievement award" for being vaporware.]

So, "working on it" is nice, but not enough.

When, generally, do you expect to have resolution in place? I understand that dev cycles aren't solid guarantees, but rough estimates are good. Should we expect six days, six weeks, six months, six years, six decades or six millennia?

Lastly:
And again. Is there some plan to put in place a security announcement list-serv? I shouldn't need to check the forum. Every other Linux product: Postfix, sendmail, dovecot, apache etc all have security-announce lists.

If I subscribe to the announce list, I get notifications of security problems and links to fuller discussion and remediation steps. MikroTik REALLY, REALLY, needs to do the same. Don't expect people to check in here every day/month/year to see if there was a security vulnerability that was addressed and fixed. You need to proactively contact anyone who wishes for notification of a problem. A moderated list-serv is usually the time-honored way to handle this.

I'll leave it there - but really MikroTik, you can get in front of this and actually lead the way. If you refuse, there are those of us who will "help" you. You probably won't like it, and as the above shows, it sure seems you don't. But as the saying goes: "You can either lead or follow, but get the *** out of the way."

To Recap, here's what I and others are asking!:
-Answers about the problem and its scope. [Would be nice, but I'm not holding my breath.]
-Time-frame on a working fix for this undefined set of security vulnerabilities/DOS attacks. [Must have!]
-Position on a security list-serv and when and how you plan to implement. [Must have!]


-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -

normis
MikroTik Support

by normis » Fri May 18, 2012 8:14 am

I already said that the problem is not serious, and that we will fix it.
And I can repeat again - by default, with no user interaction, a firewall rule exists to prevent this.

janisk
MikroTik Support

by janisk » Fri May 18, 2012 12:40 pm

if we thought what you claim us to think - this would not exist:

http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router
http://wiki.mikrotik.com/wiki/Manual:IP ... protection

so if you have that in place, how serious is the vulnerability?

IMHO we are pretty open that you have to protect your router and configuration should be very strict what should and what should not be allowed.

And of course we are grateful that such a flaw was discovered and we can resolve the issue.

gsloop
Member Candidate

by gsloop » Fri May 18, 2012 11:56 pm

So, the hyper-defense continues unabated. Whatever. I guess you'll believe what you want and we/I will believe what I believe.

I just can't figure out
1) why you refuse to go the full-disclosure route,
2) why you won't give an estimated time for release
3) why you won't commit to a list-serv or equivalent security notice mechanism.

[You know, the 1990's called and they want their security notification model back!]

If you change your mind, and decide to actually handle security-release notices like the rest of the civilized world, give me a shout. I'll certainly be glad to welcome you to the modern age.

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -

normis
MikroTik Support

by normis » Mon May 21, 2012 9:06 am

if you don't configure a password, somebody can log into your router. do you want us to "notify" you of that too? it's the same type of issue.

TKITFrank
Member Candidate

by TKITFrank » Mon May 21, 2012 10:55 am

normis wrote: if you don't configure a password, somebody can log into your router. do you want us to "notify" you of that too? it's the same type of issue.

I think this discussion has gotten out of hand. We can all conclude that you should have security measures in place to protect your router. This is not the issue.
The issue is that there is a bug that can be utilized via a script or more.
You are working on a fix; that is great.

But to get to the point.

I can also agree that MikroTik should have a security bulletin board. A board dedicated to security bugs, not misconfiguration.
When you guys at MikroTik got knowledge of this bug, you should have told us about it via mail as a security bulletin and also given us the temporary security measures to fix it until the patch is available.
To be ahead of it as said before. Not like now when the rumor is spreading and you have to do damage control. If you are on top of it you are in control like said before.

Any bug security or not should not be "silenced". That only leads to speculations. Which is never a good thing.

If this is done I think we all can be satisfied. :)
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."

doush
Member

by doush » Mon May 21, 2012 9:30 pm

I didn't want to comment on this issue because this forum is moderated strictly and without freedom, so I discussed this issue in another forum, but

after I read the moderators' comments on this thread, I just want to say that I just can't believe you guys!

Paetur
just joined

by Paetur » Mon May 21, 2012 10:46 pm

gsloop wrote:
-- Third: Please stop with all the "firewall blocks on the WAN interface fix the problem." You act as though this isn't a problem because you shouldn't use WinBox on the WAN interface. You act as though this is just "normal" and any non-retarded non-moron wouldn't be complaining at all, that this is all a total freak-out over absolutely nothing.

-Greg


I will agree that in the wiki there should be a short article about what not to do, like default passwords and ports and so on, if you're a 'normal' person and not known in the admin world.

Edit: Ha, I missed the post with links to wiki about security. My bad.

Having said that, RouterOS is not for 'normal' people. Any admin (non-moron / non-retard) knows that an open port is a risk, and should be secured with some non-default measure.

Port knocking, VPN, MGNT IP, VLAN, pick one.


/Paetur

normis
MikroTik Support

by normis » Tue May 22, 2012 8:40 am

Paetur, I just wanted to repeat what I said above, that on RouterBOARD devices - by default RouterOS has firewall in place, to protect against this. You can only be affected, if you remove those firewall rules by hand.

sinnet3000
just joined

by sinnet3000 » Tue May 22, 2012 9:12 am

normis wrote: Paetur, I just wanted to repeat what I said above, that on RouterBOARD devices - by default RouterOS has firewall in place, to protect against this. You can only be affected, if you remove those firewall rules by hand.

If you remove the steering wheel from a car, you will crash if you try to drive. Do we need stickers against that too?


I am really worried about this. Not considering security issues important will probably make me not recommend MikroTik routers to other people. The fact that you can put rules on your WAN doesn't remove the fact that there is an exploit that creates a DoS on Winbox, and there could be more serious issues from this. MikroTik should acknowledge that or many people will start losing respect for this company. The firewall is a faulty workaround.

This exploit not only makes the Winbox service fail, but as reported it also affects the CPU load and most routers lose BGP after a long-time attack. If I was an attacker and I knew they use MikroTik as their hardware and even if they had an ACL that would only allow the sysadmins to access. A virus could be written that would exploit this from those machines, and maybe it is even possible to modify the exploit to DoS with spoofed IP addresses, only knowing the IPs that are able to be accessed from the LAN would only be the necessary thing.

normis
MikroTik Support

by normis » Tue May 22, 2012 9:18 am

As it was said multiple times before, we are working on a fix for this.

Paetur
just joined

by Paetur » Tue May 22, 2012 10:53 am

normis wrote: Paetur, I just wanted to repeat what I said above, that on RouterBOARD devices - by default RouterOS has firewall in place, to protect against this. You can only be affected, if you remove those firewall rules by hand.

If you remove the steering wheel from a car, you will crash if you try to drive. Do we need stickers against that too?


Dude. Read my post again. I was agreeing with you.


/Paetur

normis
MikroTik Support

by normis » Tue May 22, 2012 11:18 am

I know, I meant to say "in addition to what you said, I wanted to repeat to others ..."

TKITFrank
Member Candidate

by TKITFrank » Tue May 22, 2012 4:02 pm

normis wrote: As it was said multiple times before, we are working on a fix for this.


Hi Normis,

As said before this is getting out of hand.

As a measure can you do the following?
1) Create a new forum entry called security or what you find appropriate.
2) Add this security issue as a sticky and attach all info about it, How it affects the system and so on (In detail)
3) Add status on the fix you will provide. Include detail and so on...
4) Add info on the temporary solution with the firewall, Or a link to the wiki. What you find reasonable.
5) Close this thread and post a link to the new thread.
6) Any new info small or significant on this issue or the fix for it update on the security thread.

Then you are on top of it and announcing it properly :)
I think this is somewhat what has been wanted if we read between the lines in this thread...
MTCNA

"I don't believe UNIX is Utopia. It's just the best set of tools around."

honzam
Forum Guru

by honzam » Tue May 22, 2012 4:06 pm

TKITFrank wrote:
normis wrote: As it was said multiple times before, we are working on a fix for this.


Hi Normis,

As said before this is getting out of hand.

As a measure can you do the following?
1) Create a new forum entry called security or what you find appropriate.
2) Add this security issue as a sticky and attach all info about it, How it affects the system and so on (In detail)
3) Add status on the fix you will provide. Include detail and so on...
4) Add info on the temporary solution with the firewall, Or a link to the wiki. What you find reasonable.
5) Close this thread and post a link to the new thread.
6) Any new info small or significant on this issue or the fix for it update on the security thread.

Then you are on top of it and announcing it properly :)
I think this is somewhat what has been wanted if we read between the lines in this thread...


+1
LAN, FTTx, Wireless. ISP operator based on ROS. If the post helped, give Karma...

killersoft
Frequent Visitor

by killersoft » Tue May 22, 2012 5:06 pm

/ip firewall filter
# Drop inbound TCP to the listed ports (including Winbox, 8291) on the WAN PPPoE interface
add action=drop chain=input disabled=no dst-port=\
0-1055,8291,8080,5000 in-interface="Internode PPPoE" \
protocol=tcp


That's what I place on my wan-pppoe interface to deter nasty inbounds! It's not all I have in my rules (drop icmp etc.) but makes it clear I'm not playing!!

gsloop
Member Candidate

by gsloop » Thu May 24, 2012 8:51 pm

To Recap, here's what I and others are asking!:
-Answers about the problem and its scope. [Would be nice, but I'm not holding my breath.]
-Time-frame on a working fix for this undefined set of security vulnerabilities/DOS attacks. [Must have!]
-Position on a security list-serv and when and how you plan to implement. [Must have!]

Are you simply refusing to take any position on these issues?

Being coy about it doesn't help MikroTik or us as users.

Either outright refuse to do these, or tell us what you are planning to do and when.
[each individually of course]

-Greg
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
