I want to thank omega-00 for his article http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking http://forum.mikrotik.com/viewtopic.php?f=9&t=30614
On to my current issue:
There is an infection of some sort that makes too many DNS requests for random domains.
So far I am detecting this with these rules:
These rules make an address-list for DNS offenders that receive too many replies for not-found DNS entries in a period of time.
/ip firewall mangle
add action=add-dst-to-address-list address-list=DNS_Junk address-list-timeout=1w chain=postrouting comment="Catch the DNS Junk senders and save to address-list for later spanking" content="\81\83" disabled=no \
dst-address-list=DNS_Junk_stage5 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage5 address-list-timeout=4s chain=postrouting comment="" content="\81\83" dst-address-list=DNS_Junk_stage4 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage4 address-list-timeout=4s chain=postrouting comment="" content="\81\83" dst-address-list=DNS_Junk_stage3 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage3 address-list-timeout=4s chain=postrouting comment="" content="\81\83" dst-address-list=DNS_Junk_stage2 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage2 address-list-timeout=5s chain=postrouting comment="" content="\81\83" dst-address-list=DNS_Junk_stage1 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage1 address-list-timeout=10s chain=postrouting comment="" content="\81\83" dst-address-list=!DNS_Junk protocol=udp src-port=53
Does anyone have any idea:
- How to protect our DNS servers and MikroTik routers from this DNS flooding? The cache is getting filled up with N entries.
- What is this virus and how to block the traffic of the virus? How to combat it?
Thank you!!!
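The staged address-list logic in the rules above, modelled in Python as an added example (this is not code from the post or from RouterOS): it checks the DNS header flags that the "\81\83" content match keys on, then walks the six mangle rules in order for each reply leaving port 53. Host addresses, the 12-byte sample replies and the assumption that re-adding a listed host refreshes its timeout are all constructed for the example.

```python
import struct

# 0x8183 = the "\81\83" the rules match on: QR=1 (reply), RD=1, RA=1, RCODE=3 (NXDOMAIN).
NXDOMAIN_FLAGS = 0x8183

def is_nxdomain_reply(payload: bytes) -> bool:
    """True if a UDP payload is a DNS reply whose RCODE is 3 (name does not exist)."""
    if len(payload) < 12:               # shorter than a DNS header
        return False
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000) and (flags & 0x000F) == 3

# One tuple per mangle rule, in rule order: (list to add dst to, timeout in seconds,
# dst list it must already be in). None stands for the last rule's "!DNS_Junk" condition.
RULES = [
    ("DNS_Junk",        7 * 24 * 3600, "DNS_Junk_stage5"),
    ("DNS_Junk_stage5", 4,             "DNS_Junk_stage4"),
    ("DNS_Junk_stage4", 4,             "DNS_Junk_stage3"),
    ("DNS_Junk_stage3", 4,             "DNS_Junk_stage2"),
    ("DNS_Junk_stage2", 5,             "DNS_Junk_stage1"),
    ("DNS_Junk_stage1", 10,            None),
]

class NxdomainTracker:
    """Re-implements the staged address lists: a host lands in DNS_Junk once it receives
    six NXDOMAIN replies, each arriving before the previous stage entry expires."""

    def __init__(self):
        self.lists = {}                 # list name -> {host: expiry timestamp}

    def _listed(self, name, host, now):
        expiry = self.lists.get(name, {}).get(host)
        return expiry is not None and expiry > now

    def observe(self, dst_host, payload, now):
        """Feed one packet seen leaving the router (src-port 53) toward dst_host."""
        if not is_nxdomain_reply(payload):
            return
        # Mangle rules pass through: every rule is checked in order against the current lists.
        for add_to, ttl, required in RULES:
            if required is None:
                hit = not self._listed("DNS_Junk", dst_host, now)
            else:
                hit = self._listed(required, dst_host, now)
            if hit:                     # assumption: re-adding a host refreshes its timeout
                self.lists.setdefault(add_to, {})[dst_host] = now + ttl

    def is_flagged(self, host, now):
        return self._listed("DNS_Junk", host, now)

# Constructed sample replies: 12-byte DNS headers only, ID 0x1234, one question section.
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, NXDOMAIN_FLAGS, 1, 0, 0, 0)
SAMPLE_NOERROR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

Running a burst of six replies one second apart through `observe` flags the host for a week, while replies spaced further apart than the stage-1 timeout never escalate past stage 1.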