Hotspot server is attacked by non-authenticated users

I set up a hotspot wireless server. All of the customers log in to the net using a username and password.

My problem is:

Anonymous users always refresh the login page or make a web DDoS (I could see it from firewall connections when the attack happened); it causes my RouterBoard CPU to go very high, > 90%!

My clients are not fixed users, so I could not use the hotspot IP bindings -> blocked function!

Great, thx!!!

Perhaps you can switch to PPPoE (if there is no problem configuring a PPPoE client on every current client); then non-authorized users will not be able to get access to the network at all.

Thanks sergejs,

We know through MUM China.
There are too many problems configuring a PPPoE client on every current client, because the wireless clients are public anonymous users (non-fixed PCs; we only check username & password).

Could RouterOS improve HotSpot safety in the next upgrade? Or give me some useful configuration???

Maybe try limiting the number of connections for unauthenticated clients in the pre-hs-input chain. To give each unauthenticated client only 20 connections at a time:

/ip firewall filter
add chain=pre-hs-input hotspot=!auth connection-limit=20,32 action=drop

I'm sorry, your configuration does not work well! You could set up a hotspot, then refresh the login page with high frequency (just press F5) as an attack!!

From your original post:

i could see from firewall-connection when attack happened

If you can see excessive connections in the firewall connection table, limit the number of connections. If there's not an excessive number of connections during the perceived attack, that won't work.

The real problem is differentiating between malice and this situation just occurring without the user even knowing what he’s doing. Most of those widgets that Windows 7 and Vista show in the sidebar, for example, pull data from the Internet, usually via HTTP. So if an unauthenticated user has 10 widgets open that each refresh every 30 seconds, you’ll see a lot of hits on the login page as all that traffic will be redirected to the login page as it’s impossible for the router to determine whether an HTTP request comes from such a widget or a browser interactively used by the user.

I know the real problem is my clients' PCs being infected with viruses, and the clients are not logged in to HOTSPOT; the virus makes a web DDoS against another website, but RouterOS HotSpot does not know that, HotSpot still redirects the login page to the clients, so the CPU gets very high.

I think if we could limit the redirect times, we could solve this problem! How to do this well? You know that in RouterOS Hotspot all unauthorized data is put into a new chain... But I have tried all the chains, and it still didn't work well!

Hello,

I think you can combine fewi's post with this:

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP_%26_SSH)

Please give me the right answer! See, my TOPIC is "hotspot server is attacked by Non-authenticated users"

You just set up a simple hotspot, then do not log in, just press F5 to refresh the login page, and watch your CPU usage! If your configuration is good, is the CPU usage lower than 50% or not? Your CPU usage goes up to >>60%

maozilee, you can try to implement the idea of an additional AP.
One wireless AP is installed on the router; you can create an additional virtual AP. Paying customers use one AP (with WPA/WPA2 security settings); the free AP with HotSpot is another interface for all other clients.

What kind of router do you have for the HotSpot server?
We have tried to reproduce 100% CPU; it was not so easy to get it (moreover, the router should handle 100% CPU for opening the login page all the time without a problem).

Thank you sergejs. My RouterBoard is a 433AH with an R52 miniPCI. It is really good that the RB can handle 100% CPU for opening the login page all the time without a problem. Many of the attack problems from the intranet are not the F5 refresh login page problem but come from virus attacks which make a web DDoS against other websites through RouterOS; HotSpot redirecting the login page to the clients made the CPU get very high.

I want to solve this problem completely, because I can solve it manually: first watch connections in firewall connections, find the attack src-address, find the MAC address in the hotspot HOST table, then put the MAC into the hotspot blocked list! Well done.

I want to make RouterOS do it automatically! Sergejs, what do you think? Is it possible?

There is no automatic function for the described operation.
Look above at the second solution, where different APs are used for authorized and non-authorized clients.

How many redirects is your hotspot doing per second?

Look at the rule in hs-unauth chain that looks like this:
dst-port=80
action=redirect
to-ports=64874

Also at the one for port 443.

Perhaps you can put a static rule at the top of the chain that only allows so many new requests per source IP per second/minute.

How many connections do you see listed under:
IP - Web Proxy - Connections
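A worked version of the two ideas in this thread (fewi's per-client connection limit in pre-hs-input, and the later suggestion to allow only so many new requests per source IP per second), written as an added example and not taken from any post above. It also automates the manual step maozilee described: a source that exceeds the rate lands in an address list and is dropped for a while, instead of being looked up by hand in the host table. The chain name pre-hs-input and the hotspot=!auth matcher come from the thread; the rate (10 new connections per second, burst 20), the list name hs-flood and the 5 minute timeout are assumed values to tune for your own client mix.

```routeros
# Added example: rate-limit unauthenticated hotspot clients in the filter table.
# Rules are evaluated top-down, so they must sit before the dynamic jump to hs-input.

/ip firewall filter
# 1. Anything already flagged as flooding is dropped for as long as it stays on the list.
add chain=pre-hs-input hotspot=!auth src-address-list=hs-flood \
    action=drop comment="drop unauthenticated sources that exceeded the rate"

# 2. Allow a bounded number of NEW TCP connections per unauthenticated source IP:
#    10 per second, burst of 20; the per-source counter expires after 1m of silence.
add chain=pre-hs-input hotspot=!auth protocol=tcp connection-state=new \
    dst-limit=10/1s,20,src-address/1m action=accept \
    comment="per-source-IP rate of new connections to the hotspot login page"

# 3. Whatever still reaches this rule is above the rate: record the source
#    (assumed list name and timeout) and drop it. This is the automatic
#    replacement for "find src-address, then block it" from the thread.
add chain=pre-hs-input hotspot=!auth protocol=tcp connection-state=new \
    action=add-src-to-address-list address-list=hs-flood \
    address-list-timeout=5m comment="auto-list unauthenticated flooders"
add chain=pre-hs-input hotspot=!auth protocol=tcp connection-state=new \
    action=drop comment="drop excess new connections from unauthenticated clients"
```

Check it with `/ip firewall address-list print where list=hs-flood` while reproducing the F5 test from the thread; a host that merely refreshes by hand should never appear, and the listed sources are the ones to inspect for infected PCs.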