Blocking Users From Scanning and DoS Attacks

Hi,

I am using Mikrotik to route my VPN users' traffic. Lately, I have been getting some abuse reports at a couple of sites about 1 or more of my users doing some port scans, attempting to brute force SSH and launching DoS attacks on port 80. I came up with some firewall rules to block the SSH stuff, but I am not sure how to go about stopping something like this below without also accidentally blocking legitimate users' web browsing.

tcp 0 17349 212.#.#.110:80 188.240.#.#:4042 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:3974 ESTABLISHED
tcp 0 23528 212.#.#.110:80 188.240.#.#:4046 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:3976 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:3980 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:4049 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:3997 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:4032 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:4051 ESTABLISHED
tcp 0 41850 212.#.#.110:80 188.240.#.#:4034 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:3975 ESTABLISHED
tcp 0 3752 212.#.#.110:80 188.240.#.#:3992 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:4010 ESTABLISHED
tcp 0 30278 212.#.#.110:80 188.240.#.#:4068 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:3967 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:3985 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:4006 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:3983 ESTABLISHED
tcp 0 15303 212.#.#.110:80 188.240.#.#:4037 ESTABLISHED
tcp 0 0 212.#.#.110:80 188.240.#.#:4011 ESTABLISHED

The 2nd situation is a user on my network scanning subnets of IPs for vulnerabilities on port 22. I think I have fixed this one without affecting legitimate traffic that might be assigned the attacker's IP after he disconnects, but if anyone has any suggestions of a better way I would love to hear them.

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1h comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=5m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=forward protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1h comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=5m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

So my SSH rules are working but I still need to figure out how to limit Port 80 TCP DoS attacks that are starting from inside my network. Does anyone have any experience with this type of thing?

A very odd update: I am trying out this rule. It's my understanding that connection-limit=40,32 means 40 connections to the same host and limit=200,5 means 200 new connections over 5 seconds will result in adding the src to the address list. However, as soon as I refresh a webpage 1 time the address is added, so clearly something is not right.

ip firewall mangle
add action=add-src-to-address-list address-list=Worm-Infected-p80 address-list-timeout=1h chain=prerouting connection-state=new connection-limit=40,32 disabled=no dst-port=80 limit=200,5 protocol=tcp

Your logic is backwards on this rule.

The limits return TRUE if the packet falls below those thresholds.
Basically, your rule should accept the packets, and then the very next rule should match the same protocol/port numbers, but without the limits, and that rule is the one where you put the blacklist entry.

EDIT: one other note - you may not need to specify connection-state=new. Usually there is a much earlier rule which allows connection-state=established,related. If so, then the only choices left are "new" and "invalid." If you also have an early rule that just drops all packets in the invalid state, then you're left with only the new state by the point in the chain where you're doing scan detection, so it's redundant (and costs extra CPU cycles) to compare the state again.

You could also use the PSD matcher to detect port scanners…
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties (scroll down to see the entry on PSD)

This thread has an excellent discussion about how the feature behaves.
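The rule ordering the reply describes, written out for the poster's port-80 case as an added example (it is not from either post). It assumes the same RouterOS syntax as the poster's own rules (limit=count,burst), uses only the rate limit (the connection-limit matcher is left out), and the list name, the 200,5 threshold and the 1h timeout are placeholders to tune.

```routeros
# Added example, not from either post: "accept while within the limit,
# then list whoever falls through" for new port-80 connections.
# Assumptions: same RouterOS limit syntax as the poster's rules; the
# list name Worm-Infected-p80, limit=200,5 and the 1h timeout are
# placeholders to tune for your own traffic.

/ip firewall mangle
# Detection stays in mangle prerouting, as in the poster's original rule.
# In mangle, action=accept only ends mangle processing for that packet;
# the filter chain below still sees it, so normal browsing is unaffected.
# While the rate of new port-80 connections is under the limit, the
# limit matcher is TRUE and the packet is accepted here (nothing to do).
add chain=prerouting protocol=tcp dst-port=80 connection-state=new limit=200,5 action=accept comment="port 80 new conns within limit: leave alone"
# Only packets that exceeded the limit reach this rule. It carries no
# limit matcher itself, so this is where the source gets listed.
add chain=prerouting protocol=tcp dst-port=80 connection-state=new action=add-src-to-address-list address-list=Worm-Infected-p80 address-list-timeout=1h comment="port 80 over limit: flag the source"

/ip firewall filter
# Enforcement: drop port-80 traffic from anything on the list. Place this
# near the top of the forward chain, before any broad accept rules.
add chain=forward protocol=tcp dst-port=80 src-address-list=Worm-Infected-p80 action=drop comment="drop hosts flagged for port 80 floods"
```

Check the result with /ip firewall address-list print after a normal page refresh: with this ordering a single refresh should not add the source, only a sustained burst above the limit should.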