DNS syn flood

Gents,

I have noticed extremely large numbers of packets on the WAN interface which are being dropped by the 'input all drops' rule in my firewall. Analyzing them with Wireshark revealed that most of the packets are a SYN flood (UDP protocol, port 53).

With this regard I have created two additional rules:

/ip firewall filter
add action=add-src-to-address-list address-list="dns flood" \
    address-list-timeout=1h chain=input dst-port=53 in-interface=ether1 \
    protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp \
    src-address-list="dns flood"

The rules do their job well, but packets are still flooding in and the 'dns flood' address list is expanding rapidly.

Could you please advise what else can be done to avoid such an attack, or whether this is all that can be done for this kind of defence on MikroTik.

P.S. I have a dynamic IP on the WAN interface from my ISP and have DDNS enabled in the IP > Cloud menu.

That ‘defense’ you added is actually harming you more than it’s helping anything. The best you can do with malicious packets is throw them away, and log the results. Now you’re making longer, more complicated decisions which end up doing the same thing: throwing the packets away, and logging the results in an address-list - but to what end? You cannot do anything to those IP addresses (they’re just compromised botnet zombies anyway, and not the actual attacker), so all you could do is throw away all packets from them - but guess what? A simple default discard firewall already does that…
So any more complicated rule set is simply going to add burden to the router by making the final decision to discard packets be longer and more process-consuming.

Suppose I shipped ten million little boxes to your home, each containing only a little plastic hand flipping the bird at you.
Once the boxes are piled up in front of your home, the only thing you can do is get rid of them before the landlord gets angry. Are you going to open each box, stamp the hand with a “received” stamp, and log the fake return address I put on each box (each one is only used a few dozen times) before throwing them away, or are you going to just pile them up in a cart and haul them all to the trash at once?

Furthermore - once the flood of traffic has reached your router, it has already been through the bottleneck (your Internet connection) so the damage is done. The only thing you can do is have your ISP block the traffic for you before it goes to your attachment circuit. Perhaps they could block DNS except for requests to / replies from their own DNS servers.
If they cannot / will not do this for you, then your best bet is to make sure that you’re discarding the requests, and that’s all you can do except to minimize the CPU load.

I don’t think the concept of SYN even applies to UDP traffic.

If you are not running a public DNS server, then all DNS requests from outside (the internet) must be blocked.
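Putting the advice in this thread together (stop being an open resolver, then discard unsolicited DNS at the cheapest possible point, with no address list and no logging) looks roughly like this on RouterOS. This is an added example, not the original poster's configuration, and it assumes the WAN port is ether1 as in the first post:

```routeros
/ip firewall filter
# Drop unsolicited DNS arriving from the WAN side as early as possible.
# place-before=0 puts the rule at the very top of the input chain, so
# every flood packet is decided by one cheap match (interface, protocol,
# port) instead of walking the whole rule set and growing an address
# list. Deliberately no action=log here: logging a flood costs more CPU
# than dropping it.
add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=drop place-before=0 comment="drop unsolicited DNS (UDP)"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 \
    action=drop place-before=0 comment="drop unsolicited DNS (TCP)"

# Optional: if no LAN client uses the router as its DNS server, stop the
# router answering remote DNS queries at all. Note this also disables
# DNS service for LAN clients, which must then point at another resolver.
# /ip dns set allow-remote-requests=no

# Verify: the packet counters on the two drop rules should climb while
# the rest of the input chain (and the CPU graph) stays quiet.
/ip firewall filter print stats where chain=input && dst-port=53
```

The drop rules are what actually protect the router; the address-list approach from the first post is not needed once the packets are discarded before any other rule sees them.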

Heh - I was going to say that too, and forgot. 🙂

The problem normally is that when you have been running an open DNS resolver, you are on some listing that the
bad guys distribute among themselves on shady file sharing services and pasteboards, and all the kiddies in their
group abuse you to reflect their DDoS attacks to their victims.

When you have done something to close the open resolver (like resetting the firewall settings to default MikroTik
setting and not changing things until you understand the concept), the problem will continue for some time until
they discover that your DNS resolver does not work anymore, you are dropped from that list, and the kiddies have
downloaded new lists.

However, that will take some time. You will just have to sit that out, there is nothing that can be done apart from
alerting as many ISPs as possible that they should implement BCP38 as soon as they can to end this madness.

I had this problem with an SNMP service on a switch that was open to the internet by accident, and it took about
3 weeks before the incoming traffic stopped. But maybe I was lucky, it could also take 3 years.

Pretty much. Of course, if this is a home Internet connection, you could just release your current IP address and obtain a new one and let the next poor sucker deal with it. 😆