FINDING #3

:open_mouth: CISPA LAB third finding.

If you are receiving a lot of interference from other Access Points on the air, or hackers attempting to break into your system, your CPU load will go up greatly. This happens because the MT software must handle all of these packets and decide what to do.

If the CPU reaches 95%+ you will have troubles: lockups, link drops, reboots, etc.

A case in point: We tested a system at the Los Angeles Airport's USO for 90 days. There were over 64 Access Points running in the area, and we had over 8000 hacker attempts on the system. We used a RB-220 with Level 5 software and NATed the RF. Our tracking showed that as the number of false packets increased, so did the CPU level, until the board dropped all of the users. A few minutes later, it came back on line. This happened over and over.

One time during the testing, the CPU load hit 99% and the unit shut down and rebooted.

One further item: we also found that some Ethernet NICs will stop functioning if the collisions on the Ethernet go crazy, i.e. the SLAMMER WORM running on an SQL server does it every time when using DLINK's Ethernet boards!!!

Here are some suggestions for protecting your hotspot or AP. We will work on some default options for hotspot and AP that are easy to set or put in by default.

But adding simple rules like this (v2.9 only) can help:

  1. "/ip firewall filter add dst-limit=5/1s,5,src-and-dst-addresses", but be
    careful not to put that rule on your servers (including customer servers),
    otherwise you will introduce a weakness.

  2. Filter out all directed broadcast addresses, and filter out all incoming
    packets from the Internet that have your IP addresses as source address.
    These simple rules make a couple of DoS attacks impossible.

  3. Add a psd rule in firewall filters to not allow port scans; it does not
    increase security but makes system weaknesses harder to find.


    The first rule is the most powerful one; it will keep servers happy and keep
    the number of tracked connections within limits. Of course, an attacker can use other customer IP addresses and deny them access by generating multiple connections on their behalf.

John
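The three rule groups from the post, written out as a complete firewall script. This is an added example, not John's configuration; the `dst-limit` syntax is the one quoted in the post (v2.9), while the other matcher names (`dst-address-type`, `psd`, address lists) are assumed from current RouterOS documentation and may differ on a 2.9 box. `ether1` as the Internet-facing interface and `192.0.2.0/24` as the customer network are placeholders.

```routeros
# Added example (not from the original post). Assumptions: ether1 faces the
# Internet, 192.0.2.0/24 is the hotspot/customer network. Replace both.

/ip firewall filter

# 1. Per-address connection limiting, applied to NEW connections only so that
#    established traffic is never throttled. Keep these two rules LAST in the
#    forward chain, after any deny rules, because the first one accepts.
#    Do not apply it on paths toward your own or customer servers.
add chain=forward connection-state=new \
    dst-limit=5/1s,5,src-and-dst-addresses action=accept \
    comment="allow up to 5 new connections/s per src+dst pair"
add chain=forward connection-state=new action=drop \
    comment="drop new connections beyond the per-pair limit"

# 2a. Never forward directed broadcasts (stops amplification-style DoS).
#     dst-address-type is assumed available; check your version.
add chain=forward dst-address-type=broadcast action=drop \
    comment="drop directed broadcasts"

# 2b. Anti-spoofing: packets arriving from the Internet must not claim one of
#     our own addresses as source, whether destined to the router or beyond it.
add chain=input in-interface=ether1 src-address=192.0.2.0/24 action=drop \
    comment="drop spoofed packets (router-bound)"
add chain=forward in-interface=ether1 src-address=192.0.2.0/24 action=drop \
    comment="drop spoofed packets (forwarded)"

# 3. Port-scan detection: psd=WeightThreshold,DelayThreshold,LowPortWeight,
#    HighPortWeight. Scanners are listed for a day, then dropped on sight.
add chain=input protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d comment="tag hosts probing many ports"
add chain=input src-address-list=port-scanners action=drop \
    comment="drop tagged scanners"
```

Watch the CPU load and the connection-tracking table after applying; if rule 1 starts dropping legitimate customers, a hostile neighbour may be spending their quota on their behalf, which is exactly the trade-off the post describes.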