Just thought I would share this with the Mikrotik community.
I’ve always been a proponent of keeping garbage traffic off our network in an effort to conserve our very expensive infrastructure resources. Besides doing the usual things like blocking Bogon IP traffic and block certain TCP/UDP ports, we recently implemented traffic filtering with the help of an outside list source.
About 2.5 months ago we implemented some filtering at our edge to help protect our network and customers from the never ending attempt by cyber criminals to attack the innocent. And to keep those already infected with malware from communicating out to Botnet CC and bad actors in general.
We took the Spamhouse BGP feeds (www.spamhaus.org/bgpf) and blocked all traffic to/from all 3 lists. Absolutely no customer complaints so we feel the lists are pretty clean.
Results so far(2.5 months) for our 3300+ sub network:
294K blocks outbound
84M blocks inbound
That comes down to about 47K blocks of bad traffic an hour.
Would be glad to share our implementation details with any other non-competing WISP. We use Mikrotik edge routers so our scripts will be a specific to RouterOS. Will also share the contact of our rep from SecurityZones.net who we work with to get the Spamhaus BGP setup going.
Quick question do you have your own ASN ? how do you filter it and block the attacks from botnet? is it done directly on the BGP? because the ASN public ips assigned to your clients should not have ports blocks at all done on the BGP box right? could you please comment how its done? does it simply drop all ips from that BGP list?
is there a firewall rule to block port-scanners via /ip firewall/raw ?
i want o block port scanning on our ASN ipv4 /22 ip block, on our thread monitor system we see hundreds of thousands of port scanners activity every day.. and they come from different source ips and ports, to our destination ipv4 /22 and different ports..
my question is is there a way of doing this port scanning block activity via Firewall/raw?
i have tried via firewall filters with drop actions.. but we have in NAT a firewall rule to accept all incomming traffic without blocking ports on the ASN IPV4/22 block.. and therefore firewall NAT filters do not work..
but instead we have tested that via RAW we can block some suspicious ports for all ASN ipv4 and internal Nat private ips..
In short. Anyone who tries any port on my routers that are not open, will be blocked for 24 hours to all ports, even 443 etc.
This gives me an access list with around 5K to 10K IP adresses blocked at all time.
Basically all useless.
Drop all else for both input and forward chains. Mostly done!
One could consider is to route non-public subnets, not on ones router, to blackhole.
The idea of blacklists, I suppose is to stop your unsuspecting users that are allowed to access the internet, to hit bad private IPs…
Will black lists even block https to bad sites???
If the answer is yes, or maybe if not, then use this cheap but effective service, and get on with life and stop worrying about stuff you cannot control. https://itexpertoncall.com/promotional/moab.html
@anav
MOAB principally captures IP addresses that ARE related to on-line attacks, on-line service abuse, malwares, botnets, command and control servers and other cybercrime activities; currently numbering 639 Million IP address … and is extremely effective AND efficient in preventing malicious external attacks …. The biggest problem is that many do not know or understand how to properly configure their firewall …. MOAB does not protect from internal actions caused by poor security discipline’s.
Hi Mozerd,
My question should be posed differently then.
Since most firewalls 99% in MT, block wan to lan and wan to router traffic, what is the point of all the lists??
The only threats I see are.
a. lan users visiting bad sites, be they torrenting etc… ( so perhaps the lists have validity to ensure the users are blocked from visiting known bad sites)
b. lan users downloading a bot or some malware ( despite the lists above attempting to block users from visiting bad sites) NOW WHAT ???
c. How do we setup the router to detect/warn etc. that a PC has been compromised ?? ( assuming that the PCs anti-virus software has been thwarted)
i. well the lists may have some utility in that the malware is attempping to reach bad sites (so list may have some utility again).
ii. type/character of bad outgoing traffic may be detectable and thus blocked??
Probes are not blocked and probes are the main threat as they try and get a response from anyone of 65K ports. Blacklists prevent probes from known sources. Prevent the probes and that solves 99% of the issues. the other 1% is internal disciplines.
MOAB is a threat-centered approach whose effectiveness depends on how well and how often the blacklist and its associated responses are refreshed and updated – in MOAB’s case that takes place 3 times each day 7x24/365 – which in turn all depend in turn on the volume of threats a system has to deal with. Its estimated that 2 million new pieces of malware are emerging each month, keeping a blacklist updated now calls upon the gathering of threat intelligence from millions of devices and endpoints, using cloud-based services like FireHol … MOAB’s principle source.
The principal advantages of blacklisting lies in the simplicity of its principle: You identify everything bad that you don’t want getting into or operating on your system, exclude it from access, then allow the free flow of everything else. It has been and continues to be the basis on which signature-based anti-virus and anti-malware software operates. From a Firewall perspective MOAB block probes from over 639 million sources … if a USER tries to connect to anyone of those 639 million sources MOAB will prevent that from happening.
For users, it’s traditionally been a low-maintenance option, as responsibility for compiling and updating a blacklist of applications or entities falls to the MOAB itself and its related databases, or to some form of third-party threat intelligence/service provider like FireHol
so for your b. lan users downloading a bot or some malware ( despite the lists above attempting to block users from visiting bad sites) NOW WHAT ?
If that bot comes from an UNKNOWN source THEN you are screwed …BUT if one follows good security practices that will not happen … most bots come from enticements originating in emails and/or hacked websites … many non-malicious bots are done by governments and legit entities who want to CONTROL your habits. … and again if proper security practices are followed those event will not happen.
so for your c. How do we setup the router to detect/warn etc. that a PC has been compromised ??
The logging system should provide info …
Known sources will be blocked … unknown sources will not … but everything depends on solid security practices via education … 99% of users will avoid effective security practices because those practices are too restrictive to their freedom of access.
In summary,
if one has no ports open on the router, then does that solve the probe threat??
If one has only VPN ports open (random selection of port for wireguard for example), is that a risk??
I am trying to ascertain the level of threat/risk of the probes??
The ISP can not apply the rule “drop all” at the end of forward chain…
The ISP can not block all port directed to user, because you drop near all services.
(on the edge router NAT or connection tracking are not active, and every user have it’s own public IP)
And if user is allowed for law to use OWN router… you know the rest of this story…
The whole idea is to prevent probes …. If no port will respond the probe will fail … what most fail to recognize is that there are hundreds of thousands of probes [if not millions] taking place daily …. Routers will deal with probes and that uses bandwidth … preventing probes saves on bandwidth
Some ISP’s have mechanisms to prevent probes …. To save on the BW issue … but few do that.
But that does not solve the outgoing calls to to anyone of 639 million badies …. MOAB prevents both.
I use honeypot, for discovery new “scanners”, and lists for prevent probes from lists sources,
and I forbid from internal user BOTH to spoof it’s own real address (the accound is blocked undefinitely until I manually resume)
and to contact remote IPs on lists (the accound is locked for 1 day, if not other actions are taken, and I receive notice for this and I direct call the user).
On probe I never reply “forbidden”, tarpit or other, simply I blackhole all traffic incoming from uplink on my edge routers,
and I blackhole, after logging and disable user, all outbound traffic.
So, even if I dont have any ports open, my router is still using cycles to answer port probes??
Is it better to drop all such probes in raw, or ignore the probes.
I have no steak or stake in any blacklists. I am trying to ascertain the
impractical from the practical and apply necessary rules in a minimalistic approach.
Thus far I am hearing.
Probes are bad and even if you dont have any open ports they suck up CPU cycles.
a. what is the best method to deal with this.
scanners
-honeypots
-use of raw only as I suggested?
-etc… what is actually better than
i. plain block all on input chain/forward chain, and why.
Outgoing traffic from LANs that is attempting to spoof other private IPs, not on your LAN is bad.
a. use blackhole and IP routes for this subset of bad actors/outgoing traffic.
Outgoing traffic going to bad actors/IP sites.
a. use of blacklists may be helpful ?
b. anything else…?
Anyway to capture/Identify bad outgoing traffic (patterns/types etc…)?
