Open recursive resolver DNS attack - what firewall rules to add to fix it?

I received 2 emails in 2 days.

I consulted my friends and they said I have to add some firewall rules to my MikroTik to avoid this issue.
I use Google DNS.

So, what rules do I add to the MikroTik?

Default firewall configuration would be sufficient.

But basically you should restrict connection-state=new in-interface=Public connections, all of them (except the ones that you need).

Sorry, I'm new to MikroTik and I don't want to touch anything inside WinBox unless I know what I'm doing.
Can you point out exactly what to add?

Add this to the terminal,

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether8 protocol=udp ??

…but somehow you did delete the default configuration…

If your ip firewall filter input is clear, you should replace ether1-gateway with your interface name and paste these rules:

/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
add chain=input action=drop in-interface=ether1-gateway comment="default configuration"

This will restrict all connections from outside, except ping.

But this will drop the DNS requests completely.
I think we need to add one more rule to redirect the requests?

Or did I miss something?

I think we only need to stop DNS requests at the WAN interface and make sure people use my defined DNS only.
Is that right?

Nope, it will only drop new requests. Don't forget that your requests will be initiated by the router itself, so replies to those will return as connection-state=established.

Then I'm confused about what exactly to add to stop this behavior in the future.

Macgaiver already posted what you need to add:
http://forum.mikrotik.com/t/open-recursive-resolver-dns-attack-what-firewall-to-add-to-fix/92843/5

Those rules allow established connections from LAN and block all requests from WAN.

Okay, my WAN on the NAS router (MikroTik CCR1009) is ether8.

So, I need to paste this,

/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether8 comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether8 comment="default configuration"
add chain=input action=drop in-interface=ether8 comment="default configuration"

Is that correct?

The network is live with 320 online users.
Are you sure this won't break the connection?
I will paste the code into the terminal then.
I'm 500 miles away from my core office.

User traffic goes through forward; this is input, it affects only traffic to the router itself.

I really suggest getting some training or hiring a consultant.

Yes, I have already enrolled in the MikroTik training in our country.

Okay added.

One issue came up after this.
WinBox and the web interface are both not accessible from the outside network after this rule.

So, I had to switch off the drop firewall rule.

You have to add accept rules specifically for WinBox (protocol=tcp dst-port=8291). I do not suggest allowing access to the web config from outside; use WinBox.

Place that rule before the last drop.

So, first remove the drop firewall rule and then run this,

add chain=input action=accept protocol=tcp dst-port=8291 in-interface=ether8 comment="default configuration"
add chain=input action=drop in-interface=ether8 comment="default configuration"

Correct?
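A consolidated version of the input-chain rule set discussed in this thread, written as an added example rather than taken from any poster's commands. It assumes ether8 is the WAN interface and 8291 is the WinBox port, as stated above, and adds explicit, logged drops for DNS from WAN so blocked queries are visible in the router log.

```routeros
# Added example; not from any post in this thread.
# Assumes ether8 is the WAN interface and that the router only needs to
# answer DNS for LAN clients (their queries arrive on LAN interfaces, not ether8).
/ip firewall filter
# Keep ping working for basic reachability checks.
add chain=input action=accept protocol=icmp in-interface=ether8 comment="allow icmp from WAN"
# Replies to queries the router itself sent (e.g. to Google DNS) return as established/related.
add chain=input action=accept connection-state=established in-interface=ether8 comment="allow established"
add chain=input action=accept connection-state=related in-interface=ether8 comment="allow related"
# Remote management: WinBox only, and it must sit before the final drop.
add chain=input action=accept protocol=tcp dst-port=8291 in-interface=ether8 comment="winbox from WAN"
# Explicit, logged drop of unsolicited DNS from WAN (UDP and TCP) so abuse attempts show up in /log.
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether8 log=yes log-prefix="dns-wan" comment="block open resolver"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether8 log=yes log-prefix="dns-wan" comment="block open resolver"
# Everything else addressed to the router from WAN is dropped.
add chain=input action=drop in-interface=ether8 comment="drop rest from WAN"
```

Check the result with `/ip firewall filter print` and `/log print where message~"dns-wan"`; user traffic through the router is handled by the forward chain and is not affected by these input rules.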

Got the email again, but it's for an IP which is nowhere in the network, but as a block only.

You appear to be running an open recursive resolver at IP address 103.194.232.65 that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.

Please consider reconfiguring your resolver in one or more of these ways:

  • To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in “allow-query”; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
  • To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in “allow-query” for the server overall but setting “allow-query” to “any” for each zone)
  • To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)

You can see the IP is a block and not even used.
Then how come?

Something is weird.

I got this email for the start IP address of every one of my IP blocks.
Which is not used anywhere.

How is it possible?

Looks like spam to me. I would ignore such emails, especially if they are not true.