Hotspot Attack ( high CPU use )

Hello everyone,

This system is running a hotspot, sometimes a user shows up and the CPU goes to 100%. I’ve tried to search what’s going on and I’m stuck at this.
The only thing I know is the user does not authenticate and starts to send/receive these packets.

Any ideas? A script / firewall to block this?

If 100kbps of traffic causes 100% CPU use you have much bigger problems…

Use Tools / Profile to find out where the CPU is spent.

Hi R1CH,
Thanks for your reply.

Every time this happens I block the MAC in Hotspot > IP-Bindings.

So it happened again today and here is some information:

Sometimes it does not take 100% CPU use, just around 15-25% ( only for this IP tasks ).
I’ve noticed that it happens with Android phones, and it appears that it’s trying to reach Google IPs.

Add these rules:
/ip firewall filter
# Accept new connections to port 64875 within the per-source limit, reject the rest
add action=accept chain=pre-hs-input comment="Limit https unauth " \
    connection-state=new disabled=no dst-limit=1,1,src-address/1m40s \
    dst-port=64875 protocol=tcp
add action=reject chain=pre-hs-input connection-state=new disabled=no \
    dst-port=64875 protocol=tcp reject-with=icmp-admin-prohibited
# Same pair for port 64874
add action=accept chain=pre-hs-input comment="limit http unauth" \
    connection-state=new disabled=no dst-limit=1,1,src-address/1m40s \
    dst-port=64874 protocol=tcp
add action=reject chain=pre-hs-input connection-state=new disabled=no \
    dst-port=64874 protocol=tcp reject-with=icmp-admin-prohibited


It will cap http/https auth requests, and CPU usage will go back to normal.
5.x compatible, not sure if 6.x will need some syntax changes.

Position these rules on top of the other pre-hs-input rules.
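A simplified model of what each accept/reject pair in the post above does per source address, as an added example that is not part of the original post and not RouterOS code. It assumes dst-limit=1,1,src-address/1m40s behaves as a plain token bucket with the rate read as one per second; the class, function names and sample addresses are constructed.

```python
from collections import defaultdict

# Values taken from dst-limit=1,1,src-address/1m40s (rate unit is an assumption)
RATE_PER_SEC = 1        # new connections refilled per second
BURST = 1               # bucket size
EXPIRE_MS = 100_000     # 1m40s of idle time before an entry is forgotten


class PerSourceLimiter:
    """Token bucket keyed by source address; integer milli-tokens avoid float drift."""

    def __init__(self, rate=RATE_PER_SEC, burst=BURST, expire_ms=EXPIRE_MS):
        self.rate, self.cap, self.expire_ms = rate, burst * 1000, expire_ms
        self.state = {}  # src -> (milli_tokens, last_seen_ms)

    def verdict(self, src, now_ms):
        """'accept' = first rule matches; 'reject' = falls through to the reject rule."""
        tokens, last = self.state.get(src, (self.cap, now_ms))
        if now_ms - last > self.expire_ms:
            tokens = self.cap                      # idle entry expired, start fresh
        else:
            tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self.state[src] = (tokens - 1000, now_ms)
            return "accept"
        self.state[src] = (tokens, now_ms)
        return "reject"


def replay(events):
    """Run (time_ms, src) new-connection events through one limiter, count verdicts."""
    limiter = PerSourceLimiter()
    counts = defaultdict(lambda: {"accept": 0, "reject": 0})
    for now_ms, src in sorted(events):
        counts[src][limiter.verdict(src, now_ms)] += 1
    return {src: dict(c) for src, c in counts.items()}


# Constructed sample: one unauthenticated client opening 10 connections/s for 5 s,
# and one ordinary client opening two connections 3 s apart.
EVENTS = [(i * 100, "10.5.50.23") for i in range(50)] + \
         [(0, "10.5.50.40"), (3000, "10.5.50.40")]

if __name__ == "__main__":
    for src, c in replay(EVENTS).items():
        print(src, c)
```

In this model the noisy client gets one new connection per second through to the hotspot servlet while the other client is unaffected, because the bucket is kept per source address.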

Hi karwos,

I’ve tested on 6.x, it worked as it seems to be.

As soon as this problem happens again I’ll test these rules and post a reply here.
Thanks!

I tested the above rules with the hotspot login page.
When I click refresh (F5) rapidly in Chrome at the login page I can see that MikroTik CPU usage was 20-30%. The above rules didn’t filter this.
When I was rapidly pressing a bookmarked http link (http://www.imdb.com) in Chrome the CPU usage was a normal 5-10%. The above rules were filtering my attempt.

Why are you running a hotspot on a switch? The switch should have limited firewall rules. All the natting and hotspot functionality should be on a router.

These rules were written for 5.x and well tested.
I remember there was some difference in time counting in 5.x, I don’t remember now.
Though, you can check the rule counters and see which rule didn’t hit the request (did you move these rules to the top of the chain?)

Yes, I moved them to the top.
The rules are working when you make multiple requests to log in to the hotspot, e.g. when you try to open a set of multiple bookmarks at once or when you click various bookmarks too fast.
thanx for this rule set.

Hi paulct,

This is a work-in-progress system to control hotspot use and integration with hotel programs.
So I’m testing in various types of RouterOS based systems, such as CRS’s, RB’s and CCR’s.
This problem showed up ( until now ) on CRS’s site.

You can see more here:
user: trial
pass: trial
http://prodatastelecom.com.br/sites/mikrotik/airspot/