Hi all,
I manage a small network for a non-profit and this evening they lost connectivity.
Upon further inspection both the primary DNS (their ISP) and the secondary DNS (8.8.8.8) are showing up on the DDOS blocked list based on my firewall rules in the Mikrotik router. I've never seen the DNS IPs show up there before and it's been years.
Looking at "connections" in the firewall I see that a rogue IP 192.168.100.10 is doing a lot of talking (or something) with both DNS servers. I say it's rogue because my network is all 10.0.0.x.
Not sure how to find the rogue device so I figured it would be easy to block it from the network entirely, especially since it's not actually a part of our IP range or subnet. But, upon trying various things based on Googling (mostly firewall rules to drop the traffic) I'm not able to stop this from happening so they are still completely down.
What can I do? Any help would be much appreciated as they are obviously not very happy.
Btw, the network is super simple.. just router to central switch and then out to users, nothing fancy at all and nothing has been changed for a long time.
Help!!!
Thanks in advance,
Dan
Hi Jay5son,
I tried to do exactly that but despite googling and youtubing my rule doesn't seem to block it.
/ip firewall raw
chain=prerouting action=drop src-address=192.168.100.10
Make sure it is the first rule in the list (order matters).
Still, the issue remains that your DDOS rule is most likely set up incorrectly.
If someone abuses an IP you block the src address, not the destination.
Why would the dns servers be flagged? Highly unlikely that google is spamming connections to you.
Thank you Rho,
I made the rule. I assume I can use 192.168.0.0 to block that whole network, yes?
You're probably right about the DDOS rules, I didn't create them and don't have much firewall experience at all. That said, it's a brand new thing that 8.8.8.8 shows up on the blocked list so something must have changed?
Ultimately I think I need help to ensure the Mikrotik Firewall is appropriately configured but their (non profit) budget is so tight I can't really spend hundreds on consulting (but maybe $100, any takers?).
Really appreciate the help.
If you want to block the whole subnet, then you have to add the subnet mask to the address setting, like this: 192.168.0.0/16. By default, a /32 subnet mask is used, which means a single (host) address and no "subnet address determination heuristic" is applied.
You can export your current configuration, edit/replace possible sensitive data and post it here.
Some experienced members in firewall rules may then be able to give you some advice.
Use this post as a guide on how to create the export and post it:
http://forum.mikrotik.com/t/forum-rules/173010/1
Remove your "DDoS" rules, they are likely the cause of the problem. Make sure you have blackhole / unreachable routes for private subnets and aren't allowing traffic from the internet to the router.
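The advice in the replies above (put the raw drop rule first, give the address a /16 mask, remove the DDoS rules, add blackhole routes for private ranges and stop accepting unsolicited traffic from the WAN) as one RouterOS 6 command sequence. This is an added example, not something posted by anyone in the thread. It assumes the layout of the config Dan posts further down: LAN on bridge1 as 10.0.0.0/24, an interface list named WAN, and DDoS rules that all carry the comment "Prevent UDP flooding attack"; the new comment strings are my own.

```routeros
# Added example, not from any post in this thread. Assumes RouterOS 6.x,
# LAN 10.0.0.0/24 on bridge1, an interface list "WAN", and DDoS rules
# commented "Prevent UDP flooding attack", as in the config posted below.

# 1. Drop anything sourced from 192.168.0.0/16 before connection tracking.
#    Rules are evaluated top to bottom; place-before=0 makes this the first
#    raw rule (the raw table must already contain at least one rule, which
#    the posted config does). A bare 192.168.0.0 is a /32 and would only
#    match that single host address.
/ip firewall raw
add chain=prerouting action=drop src-address=192.168.0.0/16 \
    comment="drop rogue 192.168.0.0/16 sources" place-before=0
print

# 2. Disable (rather than delete, so nothing is lost) every rule belonging
#    to the DDoS detector, then flush the dynamic lists it built so 8.8.8.8
#    and the ISP resolver are no longer treated as "ddosed".
/ip firewall filter
disable [ find comment="Prevent UDP flooding attack" ]
/ip firewall address-list
remove [ find list=ddosed ]
remove [ find list=ddoser ]

# 3. Blackhole routes for the RFC 1918 ranges. The connected 10.0.0.0/24 is
#    more specific than 10.0.0.0/8, so the LAN keeps working; packets for
#    private addresses that have no real route are discarded here instead of
#    being masqueraded out to the ISP via the default route.
/ip route
add dst-address=10.0.0.0/8 type=blackhole comment="rfc1918 blackhole"
add dst-address=172.16.0.0/12 type=blackhole comment="rfc1918 blackhole"
add dst-address=192.168.0.0/16 type=blackhole comment="rfc1918 blackhole"

# 4. The posted input chain only drops a few named ports from the WAN.
#    Close everything else. Appending puts this after the existing accept
#    for established,related and the ICMP jump, so replies to the router's
#    own traffic and rate-limited pings still work.
/ip firewall filter
add chain=input action=drop in-interface-list=WAN \
    comment="drop everything else from WAN"

# Verify ordering and watch the counters move.
/ip firewall raw print stats
/ip firewall filter print stats where chain=input
```

Disabling by comment is deliberate: the detector is five rules spread across the forward and detect-ddos chains, and catching them by a shared comment is less error-prone than picking rule numbers that shift as rules are added. After step 2, re-check `/ip firewall address-list print` a few minutes later; if 8.8.8.8 reappears in any list, some other rule is adding it.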
Thanks all, here's my entire config including the few lines pertaining to the DDOS stuff.
Would super appreciate anyone knowledgeable who's willing to take a look.
# mar/14/2024 01:04:14 by RouterOS 6.47.9
# software id =
# model = RB1100x4
# serial number =
/interface bridge
add fast-forward=no name=bridge1 priority=0x2000
/interface ethernet
set [ find default-name=ether1 ] name="ether1_Spectrum WAN" speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] name=ether3_SolplexSE speed=100Mbps
set [ find default-name=ether4 ] name=ether4_PossiblyBadPort speed=100Mbps
set [ find default-name=ether5 ] name=ether5_SolPlexNW speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] name=ether7_Community speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] name=ether10_Lukas speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.175
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1d name=dhcp1
/queue type
add kind=pcq name=pcq-download-fastest pcq-classifier=dst-address pcq-rate=100M pcq-total-limit=5000KiB
set 6 pcq-rate=10M pcq-total-limit=5000KiB
set 7 pcq-rate=35M pcq-total-limit=5000KiB
/queue simple
add dst="ether1_Spectrum WAN" max-limit=24M/500M name=EveryoneElse queue=pcq-upload-default/pcq-download-default target=bridge1
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=UnifiController parent=EveryoneElse target=10.0.0.250/32
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=AttilaDesktop parent=EveryoneElse target=10.0.0.251/32
add dst="ether1_Spectrum WAN" max-limit=15M/200M name=Lukas parent=EveryoneElse target=10.0.0.252/32
add disabled=yes dst="ether1_Spectrum WAN" max-limit=15M/90M name="Speed boost for this IP" parent=EveryoneElse target=10.0.0.175/32
/system logging action
set 0 memory-lines=2000
set 1 disk-file-count=10
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge filter
add action=drop chain=input disabled=yes in-bridge=bridge1 log=yes src-mac-address=5/FF:FF:FF:FF:FF:FF
add action=drop chain=input disabled=yes dst-mac-address=/FF:FF:FF:FF:FF:FF log=yes src-mac-address=/FF:FF:FF:FF:FF:FF
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3_SolplexSE
add bridge=bridge1 interface=ether4_PossiblyBadPort
add bridge=bridge1 interface=ether5_SolPlexNW
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7_Community
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10_Lukas
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface="ether1_Spectrum WAN" list=WAN
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip dhcp-client
add disabled=no interface="ether1_Spectrum WAN"
/ip dhcp-server alert
add disabled=no interface=bridge1 valid-server=xxxxxxxxxx
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8,x.x.x.x gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=x.x.x.x,8.8.8.8
/ip firewall address-list
add address=192.168.0.0 list="Block user"
/ip firewall filter
add action=drop chain=output disabled=yes src-address=192.168.0.0
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" disabled=yes dst-port=53 protocol=tcp src-address=10.0.0.0/24
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" dst-port=53 protocol=udp src-address=10.0.0.0/24
add action=drop chain=input comment="DROP SSH from WAN requests" dst-port=22 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP webconfig from WAN requests" dst-port=8081 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP Winbox from WAN requests" dst-port=8291 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=forward comment="Prevent UDP flooding attack" connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=53 in-interface="ether1_Spectrum WAN" protocol=udp
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=53 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=forward comment="Drop packets from SMTP spammer address list." log=yes src-address-list="SMTP spammer"
add action=drop chain=input comment="DROP INVALID CONNECTIONS" connection-state=invalid
add action=drop chain=forward connection-state=invalid log-prefix=invalid
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=jump chain=input comment="ALLOW ICMP CONNECTIONS" jump-target=ICMP protocol=icmp
add action=jump chain=forward jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list="SMTP spammer" address-list-timeout=1h chain=forward comment="SMTP spammer gets added to SMTP spammer address list." connection-limit=30,32 dst-port=25 limit=50,5:packet log=yes protocol=tcp
add action=return chain=detect-ddos comment="Prevent UDP flooding attack" dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="Begin - Port Scanners to List" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=10h chain=input comment="Begin > SSH Attacks to List" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,4,dst-address/1m dst-port=21 protocol=tcp
add action=add-dst-to-address-list address-list=Blacklist address-list-timeout=3h chain=output comment="Add FTP Brute Force Attack to List" content="530 Login incorrect" dst-port=21 protocol=tcp
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=WAN
add action=jump chain=forward comment="Prevent UDP flooding attack" connection-state=new jump-target=detect-ddos
add action=accept chain=ICMP comment="ICMP Rules - 0:0 and limit for 5pac/s" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat
/ip firewall raw
add action=drop chain=prerouting comment="Block all 192.168.x.x. on the network, hopefully" src-address=192.168.0.0/16
add action=drop chain=prerouting comment="drop blacklist" src-address-list=Blacklist
add action=drop chain=prerouting dst-port=8080 in-interface-list=WAN protocol=tcp
add action=drop chain=prerouting comment="drop DNS attempts from WAN" dst-port=53 in-interface-list=WAN protocol=udp
add action=jump chain=prerouting comment="detect broadcasts" dst-address-type=broadcast in-interface=bridge1 jump-target=broadcast
add action=accept chain=broadcast comment="allow dhcp" dst-address-type="" dst-port=67 in-interface=bridge1 protocol=udp
add action=drop chain=broadcast comment="drop netbios" dst-address-type="" dst-port=137,138 in-interface=bridge1 protocol=udp
add action=drop chain=broadcast comment="drop dropbox sync" dst-address-type="" dst-port=17500 in-interface=bridge1 protocol=udp
add action=drop chain=broadcast comment="drop broadcasts" dst-address-type=broadcast in-interface=bridge1
/ip route
add disabled=yes distance=1 gateway=x.x.x.x
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24 port=8081
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=xxx
/system identity
set name=xxx
/system logging
set 0 action=disk topics=info,!dhcp
set 1 action=disk
set 2 action=disk
set 3 action=disk
/system package update
set channel=long-term
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool netwatch
add down-script=":log info \"Internet Down\"" host=x.x.x.x interval=5s up-script=":log info \"Internet Up\""
It would be much better to find out where this rogue device has plugged in. You have a serious vulnerability right now. Lucky they only do DNS requests now.
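How to actually find where the 192.168.100.10 host is plugged in, as an added example (not part of the reply above). The connection table only shows an IP; the bridge learns hosts by MAC, so the sequence below first recovers the MAC from live frames and then maps it to a bridge port. It assumes RouterOS 6.x with all LAN ports in bridge1, as in the posted config; the MAC XX:XX:XX:XX:XX:XX and the port name ether7_Community are placeholders to be replaced with what the first two commands print.

```routeros
# Added example, not from any post in this thread. Assumes RouterOS 6.x and
# the posted layout (LAN ports bridged in bridge1). XX:XX:XX:XX:XX:XX and
# ether7_Community are placeholders, not values from the thread.

# 1. Capture a few frames from/to the rogue address to learn its source MAC.
#    The SRC-MAC column is what you need; stop the capture with Q.
/tool sniffer quick interface=bridge1 ip-address=192.168.100.10

# 2. Ask the bridge which physical port that MAC was learned on.
#    The ON-INTERFACE column is the port (placeholder MAC below).
/interface bridge host print where mac-address=XX:XX:XX:XX:XX:XX

# 3. If several hosts sit behind that port (an unmanaged switch), torch it to
#    confirm the traffic really arrives there before pulling cables.
/tool torch interface=ether7_Community src-address=192.168.100.10/32

# 4. Contain it while someone walks to the patch panel: take the port down
#    and keep the evidence of what it was talking to.
/interface ethernet disable [ find name=ether7_Community ]
/ip firewall connection print where src-address~"192.168.100.10"
```

Disabling the port is preferable to a firewall drop for containment: a drop rule only stops what passes through the router, while the bridge (with use-ip-firewall=yes in this config) still switches that host's frames to every other device on the LAN. Re-enable the port once the device is identified and either reconfigured or removed.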
Thank you, sorry I don't fully understand, do you mean like a virus/malware infected client on the network?
And maybe also a bad firewall configuration?
Thanks,
Dan