Block MAC Address's Attacker

rodrigobenta · October 27, 2017, 1:34pm

Hi friends, a few days ago you solved me a problem very effectively.
Now i think i have a similar one, that “disgusting” attacker.. he’s driving me crazy.
Via log in mikrotik i detected de mac address of the attacker.. and i’m blocking the ip’s he uses.. but i want to block directly the mac address to not receive anymore..

any idea how can i do that?

cdiedrich · October 27, 2017, 1:50pm

/interface bridge filter
add chain=forward src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
add chain=input src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop

-Chris

BartoszP · October 27, 2017, 1:53pm

There is no way to stop reciving packets so you cannot prevent yourself from beeing attacked. You can just ignore/drop/reject them.
To specify particular MAC you need to just specify it in the rule .. example:

chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53 src-mac-address=11:22:33:44:55:66

instead of

chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53

rodrigobenta · October 27, 2017, 2:20pm

cdiedrich:

/interface bridge filter
add chain=forward src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
add chain=input src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop

-Chris

Chris, im trying this. thank you so much for your fast answer!
Best for you.

rodrigobenta · October 27, 2017, 2:22pm

BartoszP:

There is no way to stop reciving packets so you cannot prevent yourself from beeing attacked. You can just ignore/drop/reject them.
To specify particular MAC you need to just specify it in the rule .. example:
chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53 src-mac-address=11:22:33:44:55:66
instead of
chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53

ok i will mark this information..
if an attacker is ddos my server via port 443, cause i have a web page.. my log page is going to get full of the mac address of attacker… ??
thank you

Feklar · October 27, 2017, 4:51pm

Depends on where you are logging the information, and how your network is setup. MAC addresses are layer2 information and do not pass a layer3 hop. So if your web server is not on the same LAN segment as the user, the web server will never see the MAC address, just the IP address the connection requests are coming from. Web servers also do not log MAC addresses, as they are layer7 concepts (applications), and will only log an IP address of a connection.

If you are logging MAC addresses at the router level where this user is connected from, then yes you can see his MAC, and log his connections. Keep in mind however that changing/spoofing one’s MAC address is very easy to do, so blocking someone’s MAC address will only really stop a casual attacker. Anyone else, it will only very minimally slow them down. Also if you do know the MAC address of the user, you should be able to track them back to a specific AP or switch port assuming you are using managed equipment. This once again depends on your network setup, and the hardware that you have.

rodrigobenta · October 27, 2017, 6:26pm

Feklar:

Depends on where you are logging the information, and how your network is setup. MAC addresses are layer2 information and do not pass a layer3 hop. So if your web server is not on the same LAN segment as the user, the web server will never see the MAC address, just the IP address the connection requests are coming from. Web servers also do not log MAC addresses, as they are layer7 concepts (applications), and will only log an IP address of a connection.

If you are logging MAC addresses at the router level where this user is connected from, then yes you can see his MAC, and log his connections. Keep in mind however that changing/spoofing one’s MAC address is very easy to do, so blocking someone’s MAC address will only really stop a casual attacker. Anyone else, it will only very minimally slow them down. Also if you do know the MAC address of the user, you should be able to track them back to a specific AP or switch port assuming you are using managed equipment. This once again depends on your network setup, and the hardware that you have.

ok, i will have to be continuosly monitoring this mf. jaja

last thing i have to do.. i have to open port 443 in mikrotik to see a web page in my windows server.. how can i do that? thank you so much.

BartoszP · October 29, 2017, 4:42pm

Oh boy … again?
Have you checked forum for that? https://forum.mikrotik.com/search.php?keywords=open+port
Have you checked wiki for that? https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Port_mapping.2Fforwarding

rodrigobenta · October 30, 2017, 12:08pm

OK, i read it.
Sorry man, im worried, cause i’m having constant attacks via 3389 and 443, the only opened ports, and i don’t know how to stop them.
I’m adding manually ips to a blacklist but it’s a bit tiring.
thanks for your reply

BartoszP · October 30, 2017, 12:13pm

“Open” port e.g. 43389 and forward it to 3389 in LAN.

rodrigobenta · October 30, 2017, 2:20pm

GREAT idea! you are my guru men jaja.

is there a way to count how many access per minute are allowed to enter to my page? everything to avoid attacks to my web page…

cdiedrich · October 30, 2017, 2:28pm

Add this to your dst-nat rule:

dst-limit=25,40,src-address/1m

This limits a single src-address (i.e. the IP the request for your webserver came from) to 25 new connections per second, burstable to 40 (which might quickly happen when you’re running a GUI packed with graphics and CSS). The timeout is one minute - meaning that a connection is held for one minute before a new connection can be made.
Try to adjust the values that it makes sense for you and does give your regular vistors a hard time.

-Chris

rodrigobenta · October 30, 2017, 2:51pm

cdiedrich:

Add this to your dst-nat rule:
dst-limit=25,40,src-address/1m
This limits a single src-address (i.e. the IP the request for your webserver came from) to 25 new connections per second, burstable to 40 (which might quickly happen when you’re running a GUI packed with graphics and CSS). The timeout is one minute - meaning that a connection is held for one minute before a new connection can be made.
Try to adjust the values that it makes sense for you and does give your regular vistors a hard time.

-Chris

very clear information. You are helping me so much guys. I really apreciate your time. Sorry about bad english, im from uruguay, a little country, and we speak spanish.

BartoszP · October 30, 2017, 3:46pm

No problem,
I am frm Poland, not much bigger than Uruguay and we speak Polish

rodrigobenta · October 30, 2017, 4:40pm

oh nice! may be at this time of year it’s a bit cold, isn’t it? jaja
also, do you know why i can not enter to web page from my local network, but if i try from another place i enter without any problems?