Big botnet hitting me

kapi2454 · October 22, 2023, 2:14am

Hi people, At this moment i notice that a lot of IP are hitting me.
I have the next rule at the start of the firewall rules.

add action=drop chain=input src-address-list=blacklist

add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input  protocol=icmp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=53 protocol=tcp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=53 protocol=udp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=3389 protocol=udp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=22 protocol=udp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=3306 protocol=tcp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=3306 protocol=udp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=80 protocol=tcp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=none-dynamic chain=input dst-port=80 protocol=udp

add action=drop chain=input protocol=icmp
add action=drop chain=input dst-port=53 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input dst-port=3389 protocol=tcp
add action=drop chain=input dst-port=3389 protocol=udp
add action=drop chain=input dst-port=22 protocol=tcp
add action=drop chain=input dst-port=22 protocol=udp
add action=drop chain=input dst-port=3306 protocol=tcp
add action=drop chain=input dst-port=3306 protocol=udp
add action=drop chain=input dst-port=80 protocol=tcp
add action=drop chain=input dst-port=80 protocol=udp

First at all, drop all IP that source is in black list.
Then log when someone try to enter to that ports, I don’t have any database or web service. I just put there for catch the botnet.
And Finally drop everything that hit in thats ports.

At the moment (in 4 hour), I notice 172.311 hitting’s.
Someone has live this?
And why they try to connect to de DNS(Port 53)? (only DDoS attack? ) . If I disable that rule, they establish the connection. And the number of connections grow from 27 to 2345 in a few seconds.
There is some bug on that port or that just DDoS attack?

gabacho4 · October 22, 2023, 2:58am

Strongly suspect you’ve left your router DNS open to the world due to bad or no firewall rules. Can you please post your config?

Edit: your whole config

kapi2454 · October 22, 2023, 3:56am

# oct/22/2023 00:34:07 by RouterOS 6.49.10
# software id = WWJQ-NH9X
#
# model = 951G-2HnD

/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] name=wlan2 disabled=yes ssid=NOWIFI station-roaming=enabled
/interface ethernet
set [ find default-name=ether1 ] mac-address=XX:XX:XX:XX:XX:XX name=ether1_PPPOE1
set [ find default-name=ether2 ] mac-address=XX:XX:XX:XX:XX:XX name=ether2_PPPOP2
set [ find default-name=ether3 ] mac-address=XX:XX:XX:XX:XX:XX name=ether3_FIXED
set [ find default-name=ether4 ] mac-address=XX:XX:XX:XX:XX:XX
set [ find default-name=ether5 ] mac-address=XX:XX:XX:XX:XX:XX name=ether5_LAN
/interface pppoe-client
add disabled=yes interface=ether1_PPPOE1 name=pppoe-out1 user=xxxxxxxx
add disabled=yes interface=ether2_PPPOP2 name=pppoe-out2 user=xxxxxxxx
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.123.55-192.168.123.180
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=dhcp_pool1 disabled=no interface=ether5_LAN name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge interface=ether5_LAN
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set allow-fast-path=no
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=\
    default
/interface list member
add interface=ether5_LAN list=LAN
add interface=ether1_PPPOE1 list=WAN
add interface=ether2_PPPOP2 list=WAN
add interface=ether3_FIXED list=WAN
/ip address
add address=192.168.123.1/24 interface=ether5_LAN network=192.168.123.0
add address=XXX.XXX.XXX.XXX/30 interface=ether3_FIXED network=XXX.XXX.XXX.XXX
/ip cloud
set ddns-enabled=yes
/ip dhcp-server config
set store-leases-disk=10m
/ip dhcp-server lease
add address=192.168.123.53 client-id=1:XX:XX:XX:XX:XX:XX mac-address=XX:XX:XX:XX:XX:XX server=dhcp1
add address=192.168.123.51 client-id=1:XX:XX:XX:XX:XX:XX mac-address=XX:XX:XX:XX:XX:XX server=dhcp1
add address=192.168.123.52 client-id=1:XX:XX:XX:XX:XX:XX mac-address=XX:XX:XX:XX:XX:XX server=dhcp1
add address=192.168.123.54 mac-address=XX:XX:XX:XX:XX:XX server=dhcp1 add address=192.168.123.50 client-id=1:XX:XX:XX:XX:XX:XX mac-address=XX:XX:XX:XX:XX:XX server=dhcp1
add address=192.168.123.77 mac-address=XX:XX:XX:XX:XX:XX server=dhcp1 ip dhcp-server network
add address=192.168.123.0/24 dns-server=192.168.123.1 gateway=192.168.123.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.2.2
/ip dns static
add address=192.168.123.2 name=XXXXXXXXXXXX.sn.mynetname.net
/ip firewall filter
add action=drop chain=input comment="BLOCK BLACK LIST" src-address-list=pingBlacklist
add action=drop chain=input src-address-list=winboxBlacklist
add action=drop chain=input src-address-list=telnetBlacklist
add action=drop chain=input src-address-list=dnsBlacklist
add action=drop chain=input src-address-list=webBlacklist
add action=drop chain=input src-address-list=sshBlacklist
add action=drop chain=input src-address-list=rdpBlacklist
add action=drop chain=input src-address-list=ntpBlacklist
add action=drop chain=input src-address-list=pop3Blacklist
add action=drop chain=input src-address-list=imapBlacklist
add action=drop chain=input src-address-list=ftpBlacklist
add action=drop chain=input src-address-list=tftpBlacklist
add action=drop chain=input src-address-list=smtpBlacklist
add action=drop chain=input src-address-list=vncBlacklist
add action=drop chain=input src-address-list=443Blacklist
add action=drop chain=input src-address-list=sqlBlacklist
add action=add-src-to-address-list address-list=pingBlacklist address-list-timeout=2w chain=input comment="CREATE BLACK LIST" protocol=icmp
add action=add-src-to-address-list address-list=pingBlacklist address-list-timeout=2w chain=input dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=pingBlacklist address-list-timeout=2w chain=input dst-port=23,2323 protocol=tcp
add action=add-src-to-address-list address-list=dnsBlacklist address-list-timeout=2w chain=input dst-port=53 protocol=tcp
add action=add-src-to-address-list address-list=dnsBlacklist address-list-timeout=2w chain=input dst-port=53 protocol=udp
add action=add-src-to-address-list address-list=webBlacklist address-list-timeout=2w chain=input dst-port=80,8080,8880 protocol=tcp
add action=add-src-to-address-list address-list=sshBlacklist address-list-timeout=2w chain=input dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=rdpBlacklist address-list-timeout=2w chain=input dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=ntpBlacklist address-list-timeout=2w chain=input dst-port=123 protocol=tcp
add action=add-src-to-address-list address-list=pop3Blacklist address-list-timeout=2w chain=input dst-port=110,995 protocol=tcp
add action=add-src-to-address-list address-list=imapBlacklist address-list-timeout=2w chain=input dst-port=143,220,993 protocol=tcp
add action=add-src-to-address-list address-list=ftpBlacklist address-list-timeout=2w chain=input dst-port=20,21 protocol=tcp
add action=add-src-to-address-list address-list=tftpBlacklist address-list-timeout=2w chain=input dst-port=69 protocol=tcp
add action=add-src-to-address-list address-list=smtpBlacklist address-list-timeout=2w chain=input dst-port=25,465,587 protocol=tcp
add action=add-src-to-address-list address-list=vncBlacklist address-list-timeout=2w chain=input dst-port=5500,5800,5900 protocol=tcp
add action=add-src-to-address-list address-list=443Blacklist address-list-timeout=2w chain=input dst-port=443 protocol=tcp
add action=add-src-to-address-list address-list=sqlBlacklist address-list-timeout=2w chain=input dst-port=3306 protocol=tcp
add action=drop chain=input comment="DROP AT ONE" protocol=icmp
add action=drop chain=input dst-port=8291 protocol=tcp
add action=drop chain=input dst-port=23,2323 protocol=tcp
add action=drop chain=input dst-port=53 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input dst-port=80,8080,8880 protocol=tcp
add action=drop chain=input dst-port=22 protocol=tcp
add action=drop chain=input dst-port=3389 protocol=tcp
add action=drop chain=input dst-port=3389 protocol=udp
add action=drop chain=input dst-port=123 protocol=udp
add action=drop chain=input dst-port=110,995 protocol=tcp
add action=drop chain=input dst-port=143,220,993 protocol=tcp
add action=drop chain=input dst-port=20,21 protocol=tcp
add action=drop chain=input dst-port=69 protocol=tcp
add action=drop chain=input dst-port=25,465,587 protocol=tcp
add action=drop chain=input dst-port=5500,5800,5900 protocol=tcp
add action=drop chain=input dst-port=443 protocol=tcp
add action=drop chain=input dst-port=3306 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=accept chain=forward comment="ADSL 1" in-interface=pppoe-out1
add action=accept chain=output out-interface=pppoe-out1
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=forward comment="ADSL 2" in-interface=pppoe-out2
add action=accept chain=output out-interface=pppoe-out2
add action=accept chain=input in-interface=pppoe-out2
add action=accept chain=forward comment="ADSL 3 FIXED" in-interface=ether3_FIXED
add action=accept chain=output out-interface=ether3_FIXED
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=masquerade chain=srcnat out-interface=ether3_FIXED

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip route
add distance=1 gateway=XXX.XXX.XXX.XXX routing-mark=srv scope=255
add distance=1 gateway=XXX.XXX.XXX.XXX scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=XXXXXXXXXXXX
set api-ssl disabled=yes

/system clock
set time-zone-name=XXXXXXXXXXXXXXXXXXXXXXX
/system package update
set channel=long-term


/tool graphing interface
add interface=ether3_FIXED

This is all the configuration, It’s simple.
All look fine, and work fine. I post it because I never seen this number of hit to a router, now is 289.984
It’s about 83MiB of dnsBlock, 1.392.849 Packets

eXS · October 22, 2023, 4:05am

how many blacklists do you need? - drop the blacklist(s) themselves after being added to the list instead of repeating everything twice, also consider dropping blacklist on fwd chain, drop blacklist in raw prerouting, both directions - sometimes an outbound connection might come up related

kapi2454 · October 22, 2023, 5:05am

I just want to know how many IP are in each list, for that reason i create a lot of blacklist.

drop the blacklist(s) themselves after being added to the list instead of repeating everything twice

How can i add to a list and drop at the same rule?

also consider dropping blacklist on fwd chain, drop blacklist in raw prerouting

Ok, I will do that too

eXS · October 22, 2023, 5:09am

You can’t do both with one rule

anav · October 22, 2023, 7:16pm

Get rid of bloatware
/ip firewall filter
add action=drop chain=input comment=“BLOCK BLACK LIST” src-address-list=pingBlacklist
add action=drop chain=input src-address-list=winboxBlacklist
add action=drop chain=input src-address-list=telnetBlacklist
add action=drop chain=input src-address-list=dnsBlacklist
add action=drop chain=input src-address-list=webBlacklist
add action=drop chain=input src-address-list=sshBlacklist
add action=drop chain=input src-address-list=rdpBlacklist
add action=drop chain=input src-address-list=ntpBlacklist
add action=drop chain=input src-address-list=pop3Blacklist
add action=drop chain=input src-address-list=imapBlacklist
add action=drop chain=input src-address-list=ftpBlacklist
add action=drop chain=input src-address-list=tftpBlacklist
add action=drop chain=input src-address-list=smtpBlacklist
add action=drop chain=input src-address-list=vncBlacklist
add action=drop chain=input src-address-list=443Blacklist
add action=drop chain=input src-address-list=sqlBlacklist
add action=add-src-to-address-list address-list=pingBlacklist address-list-timeout=2w chain=input comment=“CREATE BLACK LIST” protocol=icmp
add action=add-src-to-address-list address-list=pingBlacklist address-list-timeout=2w chain=input dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=pingBlacklist address-list-timeout=2w chain=input dst-port=23,2323 protocol=tcp
add action=add-src-to-address-list address-list=dnsBlacklist address-list-timeout=2w chain=input dst-port=53 protocol=tcp
add action=add-src-to-address-list address-list=dnsBlacklist address-list-timeout=2w chain=input dst-port=53 protocol=udp
add action=add-src-to-address-list address-list=webBlacklist address-list-timeout=2w chain=input dst-port=80,8080,8880 protocol=tcp
add action=add-src-to-address-list address-list=sshBlacklist address-list-timeout=2w chain=input dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=rdpBlacklist address-list-timeout=2w chain=input dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=ntpBlacklist address-list-timeout=2w chain=input dst-port=123 protocol=tcp
add action=add-src-to-address-list address-list=pop3Blacklist address-list-timeout=2w chain=input dst-port=110,995 protocol=tcp
add action=add-src-to-address-list address-list=imapBlacklist address-list-timeout=2w chain=input dst-port=143,220,993 protocol=tcp
add action=add-src-to-address-list address-list=ftpBlacklist address-list-timeout=2w chain=input dst-port=20,21 protocol=tcp
add action=add-src-to-address-list address-list=tftpBlacklist address-list-timeout=2w chain=input dst-port=69 protocol=tcp
add action=add-src-to-address-list address-list=smtpBlacklist address-list-timeout=2w chain=input dst-port=25,465,587 protocol=tcp
add action=add-src-to-address-list address-list=vncBlacklist address-list-timeout=2w chain=input dst-port=5500,5800,5900 protocol=tcp
add action=add-src-to-address-list address-list=443Blacklist address-list-timeout=2w chain=input dst-port=443 protocol=tcp
add action=add-src-to-address-list address-list=sqlBlacklist address-list-timeout=2w chain=input dst-port=3306 protocol=tcp
add action=drop chain=input comment=“DROP AT ONE” protocol=icmp
add action=drop chain=input dst-port=8291 protocol=tcp
add action=drop chain=input dst-port=23,2323 protocol=tcp
add action=drop chain=input dst-port=53 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input dst-port=80,8080,8880 protocol=tcp
add action=drop chain=input dst-port=22 protocol=tcp
add action=drop chain=input dst-port=3389 protocol=tcp
add action=drop chain=input dst-port=3389 protocol=udp
add action=drop chain=input dst-port=123 protocol=udp
add action=drop chain=input dst-port=110,995 protocol=tcp
add action=drop chain=input dst-port=143,220,993 protocol=tcp
add action=drop chain=input dst-port=20,21 protocol=tcp
add action=drop chain=input dst-port=69 protocol=tcp
add action=drop chain=input dst-port=25,465,587 protocol=tcp
add action=drop chain=input dst-port=5500,5800,5900 protocol=tcp
add action=drop chain=input dst-port=443 protocol=tcp
add action=drop chain=input dst-port=3306 protocol=tcp
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“NMAP FIN Stealth scan” protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“SYN/FIN scan” protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“SYN/RST scan” protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“FIN/PSH/URG scan” protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“ALL/ALL scan” protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“NMAP NULL scan” protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment=“dropping port scanners” src-address-list=“port scanners”
add action=accept chain=forward comment=“ADSL 1” in-interface=pppoe-out1
add action=accept chain=output out-interface=pppoe-out1
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=forward comment=“ADSL 2” in-interface=pppoe-out2
add action=accept chain=output out-interface=pppoe-out2
add action=accept chain=input in-interface=pppoe-out2
add action=accept chain=forward comment=“ADSL 3 FIXED” in-interface=ether3_FIXED
add action=accept chain=output out-interface=ether3_FIXED
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid

Keep the basic default firewall for the most part,
Ensure you keep your chains together, ( all input, then all forward ) much easier to read AND troubleshoo

/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(user rules)
add action=accept chain=input comment="Admin Access" src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ 
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"   { add this rule last, as the Authorized rule and associated address list  needs to be in place first }
{forward chain}
(default rules to keep)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat
******
add action=drop chain=forward comment="drop all else"

…
Note1:
/ip firewall address-list { static leases }
add address=Admin-IP1 list=Authorized comment=“admin desktop”
add address=Admin-IP2 list=Authorized comment=“admin laptop”
add address=Admin-IP3 list=Authorized comment=“admin smartphone”

Note:2
For any additional allow traffic rules on the forward chain put them just before the drop rule → *******