I am running v6.1 on an RB750. In my firewall connections I see lots of unreplied source IPs with random ports going to the destination "my ip:53", with a corresponding CPU spike and slowed connection speeds. It seems that the source IPs come in groups of 10 to 15 (as if to defeat flood attack filters) with different ports. Is this some kind of attack on me, or is someone leveraging my router in an attack on someone else? If so, what can I do to mitigate the impact on CPU and increase connection speeds? This has been going on for the last 2 months, so I would really appreciate any help.
Thanks in advance..
DNS amplification attack… Disable access to your DNS ports from the outside..
Worked like a charm!!
I used these rules
/ip firewall filter
add chain=input in-interface=wan1 protocol=udp dst-port=53 action=drop
add chain=forward protocol=udp dst-port=53 out-interface=!wan1 action=drop
Thank you very much…
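Before dropping port 53 blind, it is worth confirming that what the connection table shows really is the amplification pattern (many distinct sources in the same block, each with throwaway source ports, all aimed at UDP/53). The script below is an added example, not code from any poster. It assumes a hypothetical log rule placed in front of the drop, for instance `add chain=input in-interface=wan1 protocol=udp dst-port=53 action=log log-prefix=dns_in`, and the sample lines are constructed to approximate the format RouterOS writes for `action=log`. The /24 grouping and the threshold of three senders per block are assumptions chosen for the small sample; the thread's "groups of 10 to 15" would justify a higher value.

```python
"""Triage of DNS-amplification probes from RouterOS firewall log lines.

Added example (not from the forum thread). Assumes a hypothetical log rule
in front of the drop rule, e.g.
    /ip firewall filter add chain=input in-interface=wan1 protocol=udp \
        dst-port=53 action=log log-prefix=dns_in
The sample lines below are constructed to approximate RouterOS's firewall
log format ("<prefix> <chain>: in:<if> out:<if>, proto X, a:p->b:q, len n").
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: three senders in one /24 probing port 53 with varying
# source ports, one lone lookup, and one unrelated TCP line that must be ignored.
SAMPLE_LOG = """\
dns_in input: in:wan1 out:(none), proto UDP, 203.0.113.10:41234->198.51.100.2:53, len 76
dns_in input: in:wan1 out:(none), proto UDP, 203.0.113.10:41235->198.51.100.2:53, len 76
dns_in input: in:wan1 out:(none), proto UDP, 203.0.113.11:5301->198.51.100.2:53, len 76
dns_in input: in:wan1 out:(none), proto UDP, 203.0.113.11:5388->198.51.100.2:53, len 76
dns_in input: in:wan1 out:(none), proto UDP, 203.0.113.12:60001->198.51.100.2:53, len 76
dns_in input: in:wan1 out:(none), proto UDP, 203.0.113.12:60002->198.51.100.2:53, len 76
dns_in input: in:wan1 out:(none), proto UDP, 203.0.113.12:60003->198.51.100.2:53, len 76
dns_in input: in:wan1 out:(none), proto UDP, 192.0.2.7:53000->198.51.100.2:53, len 45
drop input: in:wan1 out:(none), proto TCP (SYN), 192.0.2.9:44321->198.51.100.2:22, len 60
"""

# Tolerates an optional "src-mac ..." field between the interfaces and "proto".
LINE_RE = re.compile(
    r"in:(?P<iface>\S+) out:\S+, .*?proto (?P<proto>[A-Z]+)[^,]*, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)"
)


def parse_events(log_text):
    """Yield one dict per recognisable firewall log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"iface": m["iface"], "proto": m["proto"],
                   "src": m["src"], "sport": int(m["sport"]),
                   "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"])}


def dns_probe_summary(log_text, wan="wan1"):
    """Per source /24: distinct senders, packets and distinct source ports
    for inbound UDP/53 on the WAN interface. Grouping by /24 is an assumption."""
    blocks = defaultdict(lambda: {"sources": set(), "packets": 0, "src_ports": set()})
    for ev in parse_events(log_text):
        if ev["iface"] != wan or ev["proto"] != "UDP" or ev["dport"] != 53:
            continue
        net = str(ipaddress.ip_network(f'{ev["src"]}/24', strict=False))
        b = blocks[net]
        b["sources"].add(ev["src"])
        b["packets"] += 1
        b["src_ports"].add(ev["sport"])
    return {net: {"sources": len(b["sources"]), "packets": b["packets"],
                  "src_ports": len(b["src_ports"]),
                  "addresses": sorted(b["sources"], key=ipaddress.ip_address)}
            for net, b in blocks.items()}


def suspicious_sources(log_text, wan="wan1", min_sources=3):
    """Senders that belong to a /24 contributing at least `min_sources`
    distinct addresses: the "groups of 10 to 15" pattern, threshold lowered
    for the sample. The threshold is an assumption, tune it to your traffic."""
    out = []
    for net, b in dns_probe_summary(log_text, wan).items():
        if b["sources"] >= min_sources:
            out.extend(b["addresses"])
    return out


def address_list_commands(ips, list_name="dns_abusers", timeout="1d"):
    """RouterOS CLI lines that park the offenders in an address list, so one
    early drop rule (src-address-list=dns_abusers) handles them cheaply."""
    return [f"/ip firewall address-list add list={list_name} address={ip} timeout={timeout}"
            for ip in ips]


if __name__ == "__main__":
    for net, b in dns_probe_summary(SAMPLE_LOG).items():
        print(f"{net}: {b['sources']} sources, {b['packets']} packets, "
              f"{b['src_ports']} distinct source ports")
    for cmd in address_list_commands(suspicious_sources(SAMPLE_LOG)):
        print(cmd)
```

The address list is only a convenience for the CPU problem the original post describes: a single `src-address-list` drop near the top of the input chain is cheaper than walking every jump chain for each probe packet, and the entries expire on their own.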
If the router is acting as a firewall you should have a default “drop all” at the end of the forward chain and input chain. If you are having to add a specific drop on the input chain for DNS traffic then you probably have other potential security vulnerabilities.
The reason my router firewall did not drop this DNS traffic is because of this rule on my services chain:
add chain=services comment="Allow udp" protocol=udp
My next question is: in leaving this rule enabled, does this leave me open to other types of malicious behavior?
If you are actually calling the services chain then yes it probably does.
Try uploading your complete firewall rules - and note my earlier comment about having default “drop all” rules in a firewall configuration. In a firewall configuration you generally want to only accept traffic explicitly and drop everything else. If you are solving a problem by creating a specific drop rule then that can be appropriate in a configuration of a unit operating predominantly in router mode but is most likely inappropriate for a unit operating predominantly in firewall mode.
Here is my filter:
/ip firewall filter
add action=drop chain=input comment="Drop ping" in-interface="wan1" protocol=icmp
add action=drop chain=input comment="Drop vpn" in-interface="wan1" port=1723 protocol=tcp
add action=jump chain=input comment=----------ip_blacklist---------- connection-limit=75,24 jump-target=ip_blacklist protocol=udp
add action=add-src-to-address-list address-list=ip_blacklist address-list-timeout=1d chain=ip_blacklist protocol=udp
add action=log chain=ip_blacklist disabled=yes log-prefix=ip_blacklist protocol=udp src-address-list=ip_blacklist
add action=drop chain=ip_blacklist src-address-list=ip_blacklist
add action=passthrough chain=ip_blacklist
add action=jump chain=input comment="----------drop ssh brute forcers----------" dst-port=22 jump-target=ssh_brute_forcers protocol=tcp
add chain=ssh_brute_forcers content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m dst-port=22 protocol=tcp
add action=log chain=ssh_brute_forcers dst-port=22 log-prefix=ssh_brute_forcers protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=ssh_brute_forcers connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=drop chain=ssh_brute_forcers connection-state=new src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10h chain=ssh_brute_forcers connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=drop chain=ssh_brute_forcers connection-state=new src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=5d chain=ssh_brute_forcers connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=drop chain=ssh_brute_forcers connection-state=new src-address-list=ssh_stage3
add action=passthrough chain=ssh_brute_forcers
add action=jump chain=input comment="----------drop ftp_bruteforcers----------" connection-mark=ftp_in dst-port=21 jump-target=ftp_bruteforcers protocol=tcp
add chain=ftp_bruteforcers content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m dst-port=21 protocol=tcp
add action=log chain=ftp_bruteforcers dst-port=21 log-prefix="ftp brute forcers" protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_stage1 address-list-timeout=10m chain=ftp_bruteforcers content="530 Login incorrect" dst-port=21 protocol=tcp
add action=drop chain=ftp_bruteforcers src-address-list=ftp_stage1
add action=add-dst-to-address-list address-list=ftp_stage3 address-list-timeout=5d chain=ftp_bruteforcers content="530 Login incorrect" dst-port=21 protocol=tcp
add action=drop chain=ftp_bruteforcers src-address-list=ftp_stage3
add action=add-dst-to-address-list address-list=ftp_stage2 address-list-timeout=10h chain=ftp_bruteforcers content="530 Login incorrect" dst-port=21 protocol=tcp
add action=drop chain=ftp_bruteforcers src-address-list=ftp_stage2
add action=passthrough chain=ftp_bruteforcers
add action=jump chain=input comment=----------drop_port_scanners---------- jump-target=drop_scanners protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=drop_scanners protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=drop_scanners log-prefix=port_scanners protocol=tcp src-address-list="port scanners"
add action=drop chain=drop_scanners protocol=tcp src-address-list="port scanners"
add action=passthrough chain=drop_scanners
add action=jump chain=input comment="----------SYN-Flood Protect----------" connection-limit=50,32 connection-state=new jump-target="SYN-Flood Protect" protocol=tcp
add chain="accept tcp flags" connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=SYN-Protect address-list-timeout=1d chain="SYN-Flood Protect" connection-limit=42,32 protocol=tcp tcp-flags=syn
add action=log chain="SYN-Flood Protect" log-prefix="SYN-Flood Protect" protocol=tcp src-address-list=SYN-Protect
add action=drop chain="SYN-Flood Protect" connection-state=new protocol=tcp src-address-list=SYN-Protect tcp-flags=syn
add action=passthrough chain="SYN-Flood Protect"
add action=jump chain=input comment="----------DNS amplification attack Protection In----------" jump-target=dnsamp
add action=drop chain=dnsamp dst-port=53 in-interface="wan1" protocol=udp
add action=drop chain=dnsamp dst-port=53 in-interface="wan1" protocol=tcp
add action=passthrough chain=dnsamp
add action=jump chain=forward comment="----------DNS amplification attack Protection Out----------" jump-target=dnsampout
add action=drop chain=dnsampout dst-port=53 out-interface="!wan1" protocol=udp
add action=drop chain=dnsampout dst-port=53 out-interface="!wan1" protocol=tcp
add action=return chain=dnsampout
add action=jump chain=forward comment=----------isolation---------- jump-target=isolation
add action=drop chain=isolation dst-address-list=Security_Segment in-interface=ether5-Hotspot
add action=drop chain=isolation dst-address-list=Operations_Segment in-interface=ether5-Hotspot
add action=return chain=isolation
add action=jump chain=forward comment="----------jump to the virus chain----------" jump-target=virus
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=31846 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=tcp
add action=drop chain=virus comment="2869 UPNP" dst-port=2869 protocol=tcp
add action=drop chain=virus comment="2869 UPNP" dst-port=2869 protocol=udp
add action=drop chain=virus comment="Anti NETBIOS" protocol=tcp src-port=135-139
add action=drop chain=virus protocol=udp src-port=135-139
add action=drop chain=virus dst-port=135-139 protocol=tcp
add action=drop chain=virus dst-port=135-139 protocol=udp
add action=drop chain=virus dst-port=445 protocol=tcp
add action=drop chain=virus protocol=udp src-port=445
add action=drop chain=virus dst-port=445 protocol=udp
add action=log chain=virus disabled=yes log-prefix=virus
add action=return chain=virus
add action=jump chain=forward comment="----------Allow 3-way handshake----------" jump-target=tcpflags protocol=tcp
add chain=tcpflags connection-state=new protocol=tcp tcp-flags=syn
add chain=tcpflags protocol=tcp tcp-flags=syn,ack
add chain=tcpflags connection-state=new protocol=tcp tcp-flags=ack
add chain=tcpflags protocol=tcp tcp-flags=fin,ack
add chain=tcpflags connection-state=new protocol=tcp tcp-flags=urg
add action=return chain=tcpflags
add action=jump chain=forward comment="----------Allow/Drop Connection State----------" jump-target=connections
add chain=connections connection-state=established
add action=drop chain=connections connection-state=invalid
add action=return chain=connections
add action=jump chain=forward comment="----------jump to chain ICMP----------" jump-target=ICMP protocol=icmp
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 protocol=icmp
add action=return chain=ICMP
add action=jump chain=forward comment="----------jump to chain services----------" jump-target=services
add chain=services comment="Allow MACwinbox " dst-port=20561 protocol=udp
add chain=connections connection-state=related
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=udp
add chain=services comment="Allow SNMP" dst-port=161 protocol=udp
add chain=services comment="Allow BGP" dst-port=179 protocol=tcp
add chain=services comment="Allow SIP" dst-port=5000-5100 protocol=udp
add chain=services comment="Allow NTP" dst-port=123 protocol=udp
add chain=services comment="Allow PPTP" dst-port=1723 protocol=tcp
add chain=services comment="Allow PPTP and EoIP" protocol=gre
add chain=services comment="Allow UPnP" dst-port=1900 protocol=udp
add chain=services comment="Allow UPnP" dst-port=5000 protocol=tcp
add chain=services comment="Allow DHCP" dst-port=67-68 protocol=udp
add chain=services comment="Allow SMTP" dst-port=25 protocol=tcp
add chain=services comment="Allow udp" protocol=udp
add chain=services comment="Allow Dude" src-mac-address=00:00:00:00:00:00
add action=log chain=forward comment="Drop Everything Else" log-prefix="Drop Everything Else"
add action=drop chain=forward comment="drop the rest"
On a rapid scan through the rules I didn’t see a default drop rule at the end of your input chain.
Thanks for taking a look but the drop everything rule is the very last rule on my filter.
add action=drop chain=forward comment="drop the rest"
I thought I would have been covered by this "Drop the rest" rule added at the end of my filter list on the forward chain?
If not, can you please explain, because I am obviously missing something here?
Thank you for your patience.
You need to have a “drop the rest” rule on both the input and forward chains.
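The two points made in the replies above (the filter has a terminal drop on forward but none on input, and a reachable `accept protocol=udp` rule undoes every narrower rule) are mechanical enough to check by script rather than by eye. The following is an added example, not code from any poster in this thread. It parses the one-line-per-rule `/ip firewall filter` export format the posts use (export continuation lines already joined) and runs two checks over a constructed subset of the posted ruleset. The metadata-key list and the "protocol only" definition of a broad accept are this example's own assumptions.

```python
"""Audit a RouterOS '/ip firewall filter' export for the two problems
raised in the thread: built-in chains without a terminal unconditional drop,
and accept rules broad enough to undo the rest of the policy.

Added example, not from the thread. Expects the export with continuation
lines joined, one 'add ...' per line. SAMPLE_EXPORT is a constructed
subset of the posted ruleset.
"""
import shlex
from collections import defaultdict

SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="Drop ping" in-interface="wan1" protocol=icmp
add action=jump chain=input comment="DNS amplification attack Protection In" jump-target=dnsamp
add action=drop chain=dnsamp dst-port=53 in-interface="wan1" protocol=udp
add action=passthrough chain=dnsamp
add action=jump chain=forward comment="Allow/Drop Connection State" jump-target=connections
add chain=connections connection-state=established
add action=drop chain=connections connection-state=invalid
add action=return chain=connections
add action=jump chain=forward comment="jump to chain services" jump-target=services
add chain=services comment="Allow SNMP" dst-port=161 protocol=udp
add chain=services comment="Allow udp" protocol=udp
add action=log chain=forward comment="Drop Everything Else" log-prefix="Drop Everything Else"
add action=drop chain=forward comment="drop the rest"
"""

BUILTIN_CHAINS = ("input", "forward", "output")
# Keys that do not narrow what a rule matches (assumed list, extend as needed).
NON_MATCHER_KEYS = {"chain", "action", "comment", "disabled", "log", "log-prefix",
                    "jump-target", "address-list", "address-list-timeout", "place-before"}


def parse_export(text):
    """One dict per enabled 'add' line; RouterOS's default action is accept."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        kv = {}
        for tok in shlex.split(line[4:]):  # shlex handles the quoted values
            key, _, val = tok.partition("=")
            kv[key] = val
        kv.setdefault("action", "accept")
        if kv.get("disabled") != "yes":
            rules.append(kv)
    return rules


def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHER_KEYS}


def reachable_chains(rules):
    """Chains actually entered: built-ins plus anything jumped to from them."""
    jumped_from = defaultdict(set)
    for r in rules:
        if r["action"] == "jump" and "jump-target" in r:
            jumped_from[r["jump-target"]].add(r["chain"])
    reach, changed = set(BUILTIN_CHAINS), True
    while changed:
        changed = False
        for target, sources in jumped_from.items():
            if target not in reach and sources & reach:
                reach.add(target)
                changed = True
    return reach, jumped_from


def audit(text):
    """Return human-readable findings; an empty list means both checks passed."""
    rules = parse_export(text)
    reach, jumped_from = reachable_chains(rules)
    by_chain = defaultdict(list)
    for r in rules:
        by_chain[r["chain"]].append(r)
    findings = []
    for chain in BUILTIN_CHAINS:
        chain_rules = by_chain.get(chain, [])
        if not chain_rules:
            findings.append(f"{chain}: no rules, RouterOS accepts everything here by default")
            continue
        last = chain_rules[-1]
        if not (last["action"] == "drop" and not matchers(last)):
            findings.append(f"{chain}: last rule is action={last['action']} with matchers "
                            f"{sorted(matchers(last))}, no terminal drop")
    for r in rules:
        m = matchers(r)
        if r["action"] != "accept" or not set(m) <= {"protocol"}:
            continue
        where = r["chain"]
        if where not in BUILTIN_CHAINS:
            where += (f" (reached from {', '.join(sorted(jumped_from[where]))})"
                      if where in reach else " (unreachable)")
        desc = f"protocol={m['protocol']}" if m else "anything"
        findings.append(f"broad accept: chain {where} accepts {desc} {r.get('comment', '')!r}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f)
```

Run against the sample, the script reports the missing terminal drop on `input`, that `output` has no rules at all (RouterOS's built-in policy is accept, so that is only a problem if the router itself should not be able to initiate anything), and that the `Allow udp` rule in `services` is reached from `forward` and accepts any UDP. Removing that rule and adding `add action=drop chain=input` at the end clears the first and third findings.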
Thank you for the info.
I have since added this to my filter
add action=jump chain=input comment="----------jump to chain services input----------" jump-target=services_input
add chain=services_input comment="Allow MACwinbox " dst-port=20561 protocol=udp
add chain=services_input comment="Allow Winbox " connection-mark=wnbx_in
add chain=services_input comment="Allow SNMP" dst-port=161 protocol=udp
add chain=services_input comment="Allow PPTP" dst-port=1723 protocol=tcp
add chain=services_input comment="Allow NTP" connection-mark=ntp_in
add chain=services_input comment="Allow UPnP" dst-port=1900 protocol=udp
add chain=services_input comment="Allow DHCP" connection-mark=dhcp_in
add chain=services_input comment=com_in packet-mark=com_in
add chain=services_input comment=https_in packet-mark=https_in
add chain=services_input comment=http_in packet-mark=http_in
add chain=services_input comment=dwn_in packet-mark=dwn_in
add chain=services_input comment=other_in packet-mark=other_in
add chain=services_input comment=p2p_in packet-mark=p2p_in
add chain=services_input comment=mnet_in packet-mark=mnet_in
add chain=services_input comment=ur_in packet-mark=ur_in
add chain=services_input comment="Allow DNS L-7" layer7-protocol=dns
add action=log chain=services_input disabled=yes log-prefix=input_drop_the_rest
add action=drop chain=services_input comment="Drop the rest"
And removed the "DNS amplification attack Protection" rules.
All seems to be working so far. If you see anything I might have missed, please let me know…
One last thing… There does not seem to be data collecting on this chain:
add chain=services_input comment=https_in packet-mark=https_in
I do not see any dropped https traffic but I can see https traffic on firewall connections.
Any ideas?
How do you "translate" this rule into the MT firewall:
iptables -I FORWARD -p udp -m string --hex-string "|00000000000103697363036f726700|" --algo bm --to 65535 --dport 53 -j DROP
?
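The question above is easier to answer once the hex string is decoded: `00 00 00 00 00 01` are the ANCOUNT, NSCOUNT and ARCOUNT fields of a DNS header (no answers, no authorities, one additional record, which in a query means an EDNS0 OPT pseudo-record), followed by `03 isc 03 org 00`, the wire form of the name `isc.org`. So the rule drops any datagram that carries an EDNS-enabled query for `isc.org`, the query that was widely abused for amplification because of its large ANY response. The script below is an added example, not an answer posted in the thread: it builds such queries with `struct`, shows the byte-match the iptables rule performs, and then does the same job structurally (ANY query with a large advertised EDNS buffer, for any name), which is what you would want from a translation, since the fixed string stops matching the moment the attacker picks a different domain. The 1024-byte EDNS threshold and the sample names are this example's own choices.

```python
"""Decode and generalise the iptables --hex-string pattern from the question.

Added example, not from the thread. The pattern bytes are taken from the
quoted rule; the queries are constructed here with struct.
"""
import struct

# |00000000000103697363036f726700| = ANCOUNT=0, NSCOUNT=0, ARCOUNT=1, then
# QNAME "isc.org". It lines up with DNS header byte 6, so a plain substring
# search (what --algo bm --to 65535 does) finds it in a matching query.
ISC_PATTERN = bytes.fromhex("00000000000103697363036f726700")

QTYPE_A, QTYPE_OPT, QTYPE_ANY = 1, 41, 255


def encode_name(name):
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_udp_size=None):
    """Minimal single-question query; with edns_udp_size set, an OPT RR follows."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)        # class IN
    # OPT RR: root name, type 41, "class" = advertised UDP payload size, TTL 0, no rdata
    opt = struct.pack("!BHHIH", 0, QTYPE_OPT, edns_udp_size, 0, 0) if edns_udp_size else b""
    return header + question + opt


def matches_iptables_string(payload):
    """What the quoted iptables rule checks: the bytes anywhere in the datagram."""
    return ISC_PATTERN in payload


def decode_name(payload, offset):
    labels = []
    while True:
        n = payload[offset]
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        if n & 0xC0:  # compression pointer; a question section should not use one
            raise ValueError("unexpected name compression in question")
        labels.append(payload[offset:offset + n].decode("ascii"))
        offset += n


def parse_query(payload):
    """Header, first question, and the EDNS buffer size if an OPT RR is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    edns_size = None
    if ar and off + 11 <= len(payload) and payload[off] == 0:
        _, rtype, rclass, _, _ = struct.unpack("!BHHIH", payload[off:off + 11])
        if rtype == QTYPE_OPT:
            edns_size = rclass
    return {"qname": qname, "qtype": qtype, "arcount": ar, "edns_udp_size": edns_size}


def looks_like_amplification_probe(payload, min_edns_size=1024):
    """Structural test: an ANY query advertising a large EDNS buffer, any name.
    The size threshold is an assumption of this example."""
    try:
        q = parse_query(payload)
    except (ValueError, struct.error, IndexError):
        return False
    return q["qtype"] == QTYPE_ANY and (q["edns_udp_size"] or 0) >= min_edns_size


if __name__ == "__main__":
    for name, qtype, edns in (("isc.org", QTYPE_ANY, 4096),
                              ("example.com", QTYPE_A, None),
                              ("ripe.net", QTYPE_ANY, 4096)):
        pkt = build_query(name, qtype, edns_udp_size=edns)
        print(f"{name:12} byte-match={matches_iptables_string(pkt)!s:5} "
              f"structural={looks_like_amplification_probe(pkt)}")
```

The third sample is the point: the same amplification technique aimed at a different zone passes the byte-match untouched but is still caught by the structural check. On RouterOS, note that the `content=` matcher the posted rules use for "530 Login incorrect" is a text match, so it is not a direct equivalent of a binary `--hex-string`; whatever rule you end up with, test it against packets like the ones built here before relying on it.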