IKEV2 IPSEC breach attempts

RouterOS General
1

I have been monitoring my Mikrotik for 1 month and I have been trying to solve some ipsec violation issues.

However, I have noticed that there is a new type of ipsec attack that I have implemented in my system. The ways I have to detect changes are not enough to restrict this type of attack. I would like to know if anyone has already verified this type of attack attempt and if it is possible to mitigate it.

Firewall rules:

# oct/18/2024 22:04:05 by RouterOS 6.49.13
# software id = XHA8-7FTF
#
# model = RB760iGS
# serial number = D4500E762A6B
/ip firewall layer7-protocol
add comment=SOLUCAO1 name=CVE-2023-28771 regexp="\";bash -c \\\"curl [0-9]+\\\
    \\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\t \\\\| sh\\\";echo -n\""
add comment=SOLUCAO2 name=CVE-2023-28771-2 regexp=\
    "\";bash -c \"curl [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]"
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
add address=10.80.88.0/24 list=permitidos
add address=192.168.1.0/24 list=permitidos
add address=10.80.80.0/24 comment="Desabilitado para analise" disabled=yes \
    list=permitidos
add address=8.8.4.4 comment=GOOGLE list=DNS
add address=1.1.1.1 comment=CLOUDFLARE list=DNS
add address=8.8.8.8 comment=GOOGLE list=DNS
/ip firewall filter
add action=reject chain=input comment="Ping Mikrotik" protocol=icmp \
    reject-with=icmp-network-unreachable src-address-list=!permitidos
add action=drop chain=input comment="Violou a porta" src-address-list=violou
add action=add-src-to-address-list address-list=violou address-list-timeout=\
    none-dynamic chain=input comment="Violou a porta TCP" connection-state=\
    new dst-port=!81 in-interface=ether2 protocol=tcp src-address-list=\
    !permitidos
add action=drop chain=input comment="Drop winbox brute forcers" dst-port=81 \
    protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=3w4d chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    in-interface=ether2 protocol=tcp src-address-list=!permitidos
add action=drop chain=input comment="Drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=3w4d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input connection-state=new dst-port=22 \
    in-interface=ether2 protocol=tcp src-address-list=!permitidos
add action=drop chain=input comment="Drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=input content="530 Login incorrect" \
    protocol=tcp src-address-list=!permitidos
add action=drop chain=input comment="Solu\E7\E3o: https://packetstormsecurity.\
    com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Exec\
    ution.html" dst-port="" layer7-protocol=CVE-2023-28771-2 protocol=udp
add action=accept chain=input comment="Permitir conex\F5es IPSEC/IKE2" \
    dst-port=500,4500 protocol=udp src-port=""
add action=accept chain=forward comment="Aceitar pol\EDtica em IPSEC" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "Aceitar a pol\EDtica IPSEC - Saida de banda pela Mikrotik" ipsec-policy=\
    out,ipsec
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1h chain=input comment="Scanner de portas" protocol=\
    tcp psd=21,3s,3,1
add action=drop chain=forward in-interface=ether2 src-address-list=\
    port_scanners
add action=jump chain=forward comment="Protect DDOS em ether2" \
    connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,48,src-and-dst-addresses/10s
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=30m chain=detect-ddos
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=30m chain=detect-ddos
add action=log chain=detect-ddos log-prefix="DDoS Detected: " \
    src-address-list=ddos-attackers
add action=reject chain=input comment="Pacotes Inv\E1lidos" connection-state=\
    invalid reject-with=icmp-network-unreachable
add action=log chain=forward comment="SPAMMERS LOG" log-prefix=SMTP \
    src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    10m chain=forward comment="AntiSPAM o AntiWORM" connection-limit=20,32 \
    dst-port=465 protocol=tcp
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    10m chain=forward connection-limit=20,32 dst-port=25 protocol=tcp
add action=drop chain=forward dst-port=465 protocol=tcp src-address-list=\
    spammer
add action=drop chain=forward dst-port=25 protocol=tcp src-address-list=\
    spammer
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input comment="SYN Flood protect" \
    connection-limit=400,32 protocol=tcp
add action=tarpit chain=input comment="SYN Flood protect" connection-limit=\
    3,32 protocol=tcp src-address-list=blocked-addr
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Link 2" out-interface=ether2
/ip firewall raw
add action=drop chain=prerouting comment=Anti-ddos dst-address-list=\
    ddos-targets src-address-list=ddos-attackers
add action=drop chain=prerouting comment=\
    "https://research-scan.sysnet.ucsd.edu/: 169.228.66.212" src-address=\
    169.228.66.212
add action=drop chain=output comment="Bloquear o tr\E1fego de sa\EDda" \
    src-address=169.228.66.212
add action=drop chain=prerouting comment="Clientes inadimplente" \
    src-address-list=Bloqueado
add action=drop chain=prerouting comment="Firewall para clientes banda larga" \
    protocol=udp src-port=19,25,1900,11211
add action=drop chain=prerouting protocol=tcp src-port=19,25,1900,11211
add action=drop chain=prerouting dst-port=19,25,1900,11211 protocol=udp
add action=drop chain=prerouting dst-port=19,25,1900,11211 protocol=tcp

Captura de tela 2024-10-18 220142.png

2

According to these logs has the network been compromised?

oct/22 23:40:17 ipsec,debug Analise: ===== received 336 bytes from 206.168.34.221[45066] to 192.168.1.10[500]
oct/22 23:40:17 ipsec,debug,packet Analise: 9d100388 45307daa 00000000 00000000 01100200 00000000 00000150 00000134
oct/22 23:40:17 ipsec,debug,packet Analise: 00000001 00000001 00000128 01010008 03000024 01010000 80010005 80020002
oct/22 23:40:17 ipsec,debug,packet Analise: 80030001 80040001 800b0001 000c0004 00000100 03000024 02010000 80010005
oct/22 23:40:17 ipsec,debug,packet Analise: 80020002 80030001 80040002 800b0001 000c0004 00000100 03000024 03010000
oct/22 23:40:17 ipsec,debug,packet Analise: 80010005 80020001 80030001 80040001 800b0001 000c0004 00000100 03000024
oct/22 23:40:17 ipsec,debug,packet Analise: 04010000 80010005 80020001 80030001 80040002 800b0001 000c0004 00000100
oct/22 23:40:17 ipsec,debug,packet Analise: 03000024 05010000 80010001 80020001 80030001 80040001 800b0001 000c0004
oct/22 23:40:17 ipsec,debug,packet Analise: 00000100 03000024 06010000 80010001 80020001 80030001 80040002 800b0001
oct/22 23:40:17 ipsec,debug,packet Analise: 000c0004 00000100 03000024 07010000 80010001 80020002 80030001 80040001
oct/22 23:40:17 ipsec,debug,packet Analise: 800b0001 000c0004 00000100 00000024 08010000 80010001 80020002 80030001
oct/22 23:40:17 ipsec,debug,packet Analise: 80040002 800b0001 000c0004 00000100
oct/22 23:40:20 ipsec,debug Analise: ===== received 392 bytes from 206.168.34.221[37374] to 192.168.1.10[500]
oct/22 23:40:20 ipsec,debug,packet Analise: 0b5948b1 181c7ed1 00000000 00000000 21202208 00000000 00000188 220000ec
oct/22 23:40:20 ipsec,debug,packet Analise: 000000e8 0101001c 03000008 01000001 03000008 01000002 03000008 01000003
oct/22 23:40:20 ipsec,debug,packet Analise: 03000008 01000004 03000008 01000006 03000008 01000007 03000008 01000008
oct/22 23:40:20 ipsec,debug,packet Analise: 03000008 01000009 03000008 0100000b 03000008 0100000c 03000008 0100000d
oct/22 23:40:20 ipsec,debug,packet Analise: 03000008 02000001 03000008 02000002 03000008 03000000 03000008 03000001
oct/22 23:40:20 ipsec,debug,packet Analise: 03000008 03000002 03000008 03000003 03000008 03000004 03000008 03000005
oct/22 23:40:20 ipsec,debug,packet Analise: 03000008 04000000 03000008 04000001 03000008 04000002 03000008 04000005
oct/22 23:40:20 ipsec,debug,packet Analise: 03000008 0400000e 03000008 0400000f 03000008 04000010 03000008 04000011
oct/22 23:40:20 ipsec,debug,packet Analise: 00000008 04000012 28000068 00010000 ffffffff ffffffff c90fdaa2 2168c234
oct/22 23:40:20 ipsec,debug,packet Analise: c4c6628b 80dc1cd1 29024e08 8a67cc74 020bbea6 3b139b22 514a0879 8e3404dd
oct/22 23:40:20 ipsec,debug,packet Analise: ef9519b3 cd3a431b 302b0a6d f25f1437 4fe1356d 6d51c245 e485b576 625e7ec6
oct/22 23:40:20 ipsec,debug,packet Analise: f44c42e9 a63a3620 ffffffff ffffffff 00000018 0db607de 58a949aa b25e1edd
oct/22 23:40:20 ipsec,debug,packet Analise: a913cde5 756cf400
oct/22 23:40:20 ipsec,debug Analise: unknown enc: #1
oct/22 23:40:20 ipsec,debug Analise: unknown enc: #4
oct/22 23:40:20 ipsec,debug Analise: unknown enc: #6
oct/22 23:40:20 ipsec,debug Analise: unknown enc: #8
oct/22 23:40:20 ipsec,debug Analise: unknown enc: #9
oct/22 23:40:20 ipsec,debug Analise: unknown enc: #12
oct/22 23:40:20 ipsec,debug Analise: unknown enc: #13
oct/22 23:40:20 ipsec,debug Analise: unknown auth: #3
oct/22 23:40:20 ipsec,debug Analise: unknown auth: #4
oct/22 23:40:20 ipsec,debug Analise: unknown auth: #5
oct/22 23:40:20 ipsec,debug Analise: unknown DH group: #0
oct/22 23:40:20 ipsec,debug Analise: => (size 0x8)
oct/22 23:40:20 ipsec,debug Analise: 00000008 0000000e
oct/22 23:40:20 ipsec,debug Analise: ===== sending 36 bytes from 192.168.1.10[500] to 206.168.34.221[37374]
oct/22 23:40:20 ipsec,debug Analise: 1 times of 36 bytes message will be sent to 206.168.34.221[37374]
oct/22 23:40:20 ipsec,debug,packet Analise: 0b5948b1 181c7ed1 00000000 00000000 29202220 00000000 00000024 00000008
oct/22 23:40:20 ipsec,debug,packet Analise: 0000000e

3

It seems that it is an attack that exploits some vulnerability in some particular IPsec stack (DH group 0 looks strange and only unknown encodings in the proposal seem strange too). This log is insufficient to determine whether the device got compromised or not, but if all the attacker gets in response is just a NOTIFY message saying “NO_PROPOSAL_CHOSEN” in Phase 1, I would stay calm.

4

Thank you. I have been looking into these issues and reporting them to the community to see if they are something that can be treated or is known. Vulnerabilities of this type are very serious and can doom any network and even many devices that are behind my Mikrotik. I am interested in installing a Firewall and a WAF to have greater control over the monitoring of my network, since it is currently exposed to the internet. Nowadays, I no longer think it is feasible to install a VPN on a Mikrotik without having a good monitoring solution.
I will continue monitoring and if I have more relevant logs, I will continue to publish them in the community.