DDoS force from Mikrotik devices

Dear Mikrotik!

There is a lot of talk about mitigating DDoS attacks with mikrotik routers, but Mikrotik could help by preventing DDoS attackers from using Mikrotik devices as a tool to attack.

Yesterday a multi-gigabit DNS attack was used against our company, or one of our clients (we cannot be certain of the actual force, or the intended target).
We were curious what devices were used against us to reflect / amplify the attack, and started digging.
There were many thousands of different addresses from all over the net, so we checked a hundred at random.
Much to our surprise we found that 74 of them responded with a Mikrotik WebFig page (and different RouterOS versions).

It seems that someone is using a rather sizable fleet of mikrotik routers to reflect and amplify DNS attacks.

I know that this is the user's fault.
I know that by default (defconf removed), the DNS server is disabled, and I know that if it is enabled, then it should be protected too.
BUT, I also think that Mikrotik should introduce a way to limit the source of the served remote DNS requests right from the IP->DNS panel, either by interface or by IP range constraints (like you can do in IP->Services).

This way it would be more prominent that the user / administrator should protect the device, and would give an efficient way to do it quickly!

Thank you, in advance!

There's a discussion of DNS amplification attacks here: http://forum.mikrotik.com/t/mikrotik-as-source-of-dns-amplification-attacks/65044/1

Actually the default RouterOS config has a firewall filter rule to prevent this:
/ip firewall filter add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway

The problem arises when users follow incomplete guides on the internet, especially those that don't use QuickSet, to set up their home routers. A common example is when an ISP uses PPPoE. The unsuspecting user googles, finds and follows a guide. Their internet works, but the guide doesn't tell them that the above rule needs to be changed to the PPPoE interface. So they become a zombie in a DNS attack.

Dear soonwai!

//The next few lines are my own personal opinion
//No harm or offense intended:
// I love Mikrotik products, I use them wherever I can, and I often offer / promote them.
// I know that most Mikrotik users are experts, who will not make a mistake which will endanger other systems

Ever since Mikrotik started to ship "pre-boxed" routers for a reasonable, even cheap, cost, they have targeted the SOHO market.
Such a market does not only consist of experts; it also contains a huge number of beginners (or people with a beginner-level knowledge in this area).
You could always say "then use QuickSet", but there will always be a layer of users who will stick their fingers where they do not belong … hell, that's how they learn…
Since this is the case, I believe that this product should do its very best to protect the internet from its beginner users' lack of knowledge.

In my opinion there IS a sizable number of misconfigured Mikrotik routers on the internet which are used as a tool to attack legit companies / targets, so I think instead of debating whose fault this is we should debate how to solve it, and ask the developers to implement the solution.
The other topic (thanks for linking it) mentioned an ACL approach; I think it would be the best!

I’ll be basically repeating myself from the older linked thread, but anyway…

The problem is that even though the factory configuration is safe, and there's no way to completely prevent misconfiguration by users, it's too easy to mess it up by mistake.

There's a master switch for allowing remote requests, and when you enable it, the only thing that holds it up is a proper firewall. Play with it a little, make some small mistake which you never notice, because everything seems to work fine, and bam, you're an open resolver. Or start with a blank config, enable remote requests, and same result.

A new independent access control option could help a lot. An entry for the DNS resolver in IP->Services, with private subnets filled in by default, should work fine. That would be for both factory and blank config (which would make it not exactly blank anymore, but I think it's an acceptable sacrifice). The key point is that beginners would not have any need to touch it, because the DNS resolver would automatically work with any "beginner type" setup. It would not be completely bulletproof; it could still be misused if several CPEs see each other and use private addresses also for WAN. But it's much, much better than being an open resolver for the whole world.

As my home ISP put it, when I asked about blocked incoming port 53: "We have to block it because our customers have too many misconfigured Mikrotiks". Oops…
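Added example, not code from this thread or from MikroTik: a small Python audit that reads the text of a RouterOS `/export` and flags the mistake described in the two posts above, i.e. `allow-remote-requests=yes` while the only input-chain drop rule still names `ether1-gateway` after the uplink moved to a PPPoE interface. The two exports below are constructed, the interface names in them are assumptions, and the check is a heuristic (an input drop rule is treated as covering an interface when it matches that interface directly or through `in-interface-list` and does not exclude port 53).

```python
import shlex


def parse_export(text):
    """Parse RouterOS '/export' text into (section, verb, {key: value}) entries.
    Lines ending in a backslash are continuations, as RouterOS prints them."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line            # e.g. "/ip firewall filter"
            continue
        tokens = shlex.split(line)    # honours comment="quoted value"
        kv = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((section, tokens[0], kv))
    return entries


def audit_open_resolver(export_text):
    """Return findings (strings) for the open-resolver mistake; [] means none found."""
    entries = parse_export(export_text)
    if not any(s == "/ip dns" and kv.get("allow-remote-requests") == "yes"
               for s, _, kv in entries):
        return []                      # resolver does not answer remote queries at all

    # PPPoE client interfaces are the ISP-facing ones the thread talks about (assumption).
    wan_ifaces = {kv["name"] for s, _, kv in entries
                  if s == "/interface pppoe-client" and "name" in kv}
    members = {}                       # interface list name -> member interfaces
    for s, _, kv in entries:
        if s == "/interface list member" and "list" in kv and "interface" in kv:
            members.setdefault(kv["list"], set()).add(kv["interface"])

    covered, catch_all = set(), False  # interfaces an active input drop rule applies to
    for s, _, kv in entries:
        if (s != "/ip firewall filter" or kv.get("chain") != "input"
                or kv.get("action") != "drop" or kv.get("disabled") == "yes"):
            continue
        ports = kv.get("dst-port")
        if ports and "53" not in ports.split(","):
            continue                   # drops other ports only; does not protect DNS
        if "in-interface" in kv:
            covered.add(kv["in-interface"])
        elif "in-interface-list" in kv:
            covered |= members.get(kv["in-interface-list"], set())
        else:
            catch_all = True           # drop rule with no interface match at all

    if catch_all:
        return []
    if not covered:
        return ["allow-remote-requests=yes but no active drop rule in chain=input"]
    return [f"allow-remote-requests=yes but no input drop rule covers {iface}; "
            f"drop rules only cover: {', '.join(sorted(covered))}"
            for iface in sorted(wan_ifaces - covered)]


# Constructed export: a PPPoE guide was followed, but the default drop rule still
# names ether1-gateway, so pppoe-out1 is wide open (interface names are assumed).
BROKEN_EXPORT = """
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=customer
/ip dns
set allow-remote-requests=yes servers=192.0.2.53
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="default configuration" disabled=no \\
    in-interface=ether1-gateway
"""

# Constructed export: same router, but the drop rule uses the WAN interface list
# and pppoe-out1 was added to that list.
FIXED_EXPORT = """
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=customer
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip dns
set allow-remote-requests=yes servers=192.0.2.53
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="drop the rest from WAN" in-interface-list=WAN
"""

if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(label, audit_open_resolver(export) or "no findings")
```

Run it against the output of `/export` from your own router; the "broken" sample reports that nothing drops input on pppoe-out1, while the "fixed" sample, whose drop rule follows the interface list, reports nothing. The interface-list form is the point: a rule bound to `in-interface-list=WAN` keeps working when the uplink changes, as long as the new interface is a member of that list.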

Thank you for your reply; it is good to see that I am not the only one who has experienced the force of this "phenomenon".

I am really curious how Mikrotik will react: will they sweep it under the carpet, saying that this is the user's fault and they cannot do anything, or will they actually nip the problem?

Unless you run some services (say DNS or NNTP or anything else) on public interfaces (e.g. "WAN" ports), it's always neat and safe to "whitelist access" to them.
E.g. create an "address list" named, say, "whitelisted to router services access", add the DNS servers' IP range to it and then make a rule in "input" for them on your "WAN" interfaces.

DNS is one of the things where Mikrotik lags behind. Some consumer routers already have DNSCrypt and DNSSEC, and other routers have way more advanced DNS in terms of options and configuration.

Rather than setting which IP subnet to use, it would be much better to be able to run the DNS service, or multiple different ones, by selecting an interface, to avoid RouterOS being just a closed-source Linux-based OS acting as a server. The firewall on RouterOS is not automatic like on a full x86 server OS and doesn't tell you when a program tries to access the internet. This is a weakness of a fully closed OS.

Can I please get a response from mikrotik personnel?

Send an email to support@mikrotik.com with your problem.

2021: this problem still exists and is worse than ever, getting attacked 24/24.

The problem won't go away. I just changed ISP, and my previous ISP filtered out incoming traffic that would not be accepted on my side. I was surprised, after years of quietness, by the huge number of scans.

I made blocking lists by using scripts and address lists and caught loads of IP ranges. The worst one is Digital Ocean that was responsible for about 95% of the scans.

As a customer I can only use RAW to block traffic, and routing/BGP are not available to me. ISPs should act on those constant scans and should not think to have it handled by the stateful firewall of the customer. If you are strict in this, the recognition done by these scans could also help to address DDoS, so as not to have 'turned' (hacked) routers amplifying the attack.