hello anyone, have you ever experienced possible SYN flooding on tcp port 64872 and port 64875? Why does this happen and what is the problem?
Hello. Yes, there have been 64871-90... and even more. In my case, there was a SYN DoS flood. The client complained that the data channel was being loaded, although no data was sent from the client side. How did I solve the problem?
- at the end of the firewall Input section, the "drop all" rules were not correctly specified. There were no such entries at all
- in the forward section there were only "established,related" and drop invalid connections
- I fixed these entries and added additional "Input" chain rules that protect against SYN flood
- I added 2 entries (tcp & udp) to the "input" chain section that allow DNS only from the LAN
- in the IP-services section, disable port 80 so that there is no access from the outside world
Maybe some of this information is useful to you…https://wiki.mikrotik.com/Manual:Securing_Your_Router
Normally not an issue, post your config.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)
“I have the same problem. When I see this log, after a short while the MikroTik hotspot page becomes inaccessible. I’d appreciate your help.”
Did you read my post above...............
Yes, I read it and added the following rules.
Thank you very much for your reply.
```RouterOS
chain=input action=add-src-to-address-list tcp-flags=syn connection-limit=120,32 protocol=tcp address-list=SYN_Attackers address-list-timeout=10m log=no log-prefix=""
chain=input action=drop src-address-list=SYN_Attackers log=no log-prefix=""
chain=input action=accept tcp-flags=syn protocol=tcp limit=50,10:packet log=no log-prefix=""
chain=input action=drop tcp-flags=syn protocol=tcp log=no log-prefix=""
chain=input action=accept protocol=tcp src-address=10.10.12.0/24 dst-port=53 log=no log-prefix=""
chain=input action=accept protocol=udp src-address=10.10.12.0/24 dst-port=53 log=no log-prefix=""
;;; Allow established/related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
;;; Drop invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=""
;;; Allow established input
chain=input action=accept connection-state=established,related
;;; Drop all other input
chain=input action=drop
```
I also disabled service port 80.
I’d appreciate it if you could give me any further advice.
How do you expect us to give you advice?
Until we know your settings, all is in vain.
Another new poster that could have benefited from being sandboxed prior to posting. It's sad that MT and company don't want to help these folk have a meaningful experience here.
There's no way.
"Let me see under the hood of the car" is not tolerated here.
The car won't start. Why? I've already been to the barber and fed the cat.
The new users want an answer right away without waiting and without anyone checking the config,
without enabling anyone on the forum to understand how things are so they can try to help.
We know the symptoms and outcome; it's up to MT to wake up and implement a solution.
Unfortunately, since I’m a new user, I don’t have permission to upload the configuration.
Please let me know where I can upload it so that you can download it more easily, or if I should send it by email.
Many thanks to user @anav — I’ve read several of your posts about flooding, and they gave me a good perspective.
Just put it in the post and tag it with code tags using the "< / >" button
You do not upload the file; you just open it as a simple text file and put it in the post between ```RouterOS ```.
Example:
```RouterOS
<paste export here after removing serial number, passwords and usernames, if any>
```
You cut the RouterOS version and RouterBOARD model.
The firewall is a mess (better: it is a s~~t).
There are no WAN/LAN groups defined and all default rules are missing;
also, what is normally done with address lists is the same check again, again, again, again, again, again, again, again, again, again, again, again, again, again, and again and etc.
This rule accepts all TCP traffic, regardless of anything.
```RouterOS
add action=accept chain=input limit=50,10:packet protocol=tcp tcp-flags=syn
```
so these rules are useless, because the previous one accepts ALL from ALL from ALL ports.
```RouterOS
add action=accept chain=input dst-port=53 protocol=tcp src-address=10.10.12.0/24
add action=drop chain=input dst-port=53 protocol=tcp
```
I do not want to check more. This setup makes me want to v~~~t.
The only thing this rule does in the event of a DDoS attack is facilitate the attack; in fact it fills the router's memory quickly until it crashes and reboots.
```RouterOS
add action=add-src-to-address-list address-list=SYN_Attackers address-list-timeout=10m chain=input connection-limit=120,32 protocol=tcp tcp-flags=syn
```
And the config is FULL of missing items and references.
```RouterOS
ca-cert=*3
interface=*F041
interface=*3
interface=*4
interface=*F030
certificate=*9
target=*F2FA2C
target=*F3E241
target=*F443DC
target=*F2DC13
target=*F5ADFE
target=*F38A31
target=*F0AB5A
set *1
set *2
set *3
set *4
set *5
set *6
set *7
set *8
set *9
set *A
set *B
set *C
set *D
set *E
set *F
set *10
```
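A first-match walk-through of the ordering problem described in the post above, as an added example: this is a small Python model written for this page, not RouterOS code and not from anyone in the thread. It models only the matchers the quoted rules use (protocol, dst-port, src-address, SYN flag, connection-state), stands in for `limit=50,10:packet` with a simple token budget, and evaluates constructed sample packets (203.0.113.0/24 is documentation address space standing in for "the internet") against the posted order and against the default-style layout the thread recommends (established/related first, invalid dropped, LAN-only DNS, drop the rest). The corrected chain is an ordering sketch, not a complete firewall.

```python
"""Added example: first-match model of a RouterOS-style 'input' chain (not RouterOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str                   # source address (constructed samples below)
    dst_port: int
    syn: bool = False          # TCP SYN flag set
    state: str = "new"         # connection-state: new / established / related / invalid


@dataclass
class Rule:
    action: str                          # accept | drop
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_net: Optional[str] = None        # CIDR such as "10.10.12.0/24"
    syn: Optional[bool] = None
    state: Optional[Tuple[str, ...]] = None
    budget: Optional[int] = None         # crude stand-in for limit=rate,burst:packet
    comment: str = ""


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher that is set must agree; unset matchers match anything."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.syn is not None and rule.syn != pkt.syn:
        return False
    if rule.state is not None and pkt.state not in rule.state:
        return False
    if rule.src_net is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.budget is not None:          # 'limit' only matches while the bucket has tokens
        if rule.budget <= 0:
            return False
        rule.budget -= 1
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides.
    A chain with no final drop falls through to the RouterOS default: accept."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return "accept", None


def posted_order() -> List[Rule]:
    """The three input rules quoted in the post above, in the posted order."""
    return [
        Rule("accept", proto="tcp", syn=True, budget=10, comment="limit=50,10:packet"),
        Rule("accept", proto="tcp", dst_port=53, src_net="10.10.12.0/24"),
        Rule("drop", proto="tcp", dst_port=53),
    ]


def corrected_order() -> List[Rule]:
    """Ordering sketch of the default-style layout the thread recommends.
    Not a complete firewall: a real one also needs ICMP and management rules."""
    return [
        Rule("accept", state=("established", "related")),
        Rule("drop", state=("invalid",)),
        Rule("accept", proto="tcp", dst_port=53, src_net="10.10.12.0/24"),
        Rule("accept", proto="udp", dst_port=53, src_net="10.10.12.0/24"),
        Rule("drop", comment="drop everything else aimed at the router itself"),
    ]


# Constructed sample packets (203.0.113.0/24 is documentation space, i.e. "the internet").
WAN_DNS_SYN = Packet("tcp", "203.0.113.5", 53, syn=True)
WAN_DNS_UDP = Packet("udp", "203.0.113.5", 53)
LAN_DNS_SYN = Packet("tcp", "10.10.12.7", 53, syn=True)
WAN_ESTABLISHED = Packet("tcp", "203.0.113.5", 443, state="established")


if __name__ == "__main__":
    for name, chain in (("posted", posted_order), ("corrected", corrected_order)):
        rules = chain()
        for pkt in (WAN_DNS_SYN, WAN_DNS_UDP, LAN_DNS_SYN, WAN_ESTABLISHED):
            print(f"{name:9} {pkt.proto} {pkt.src} -> {pkt.dst_port} ({pkt.state}): {evaluate(rules, pkt)}")
```

Running it shows the two points made in the thread: with the posted order an internet SYN to 53/tcp is accepted by the `limit` rule until its budget is spent, and a UDP packet to 53 matches nothing and is accepted by the chain default because there is no final drop; with established/related first, LAN-only DNS and a closing drop, the same packets are dropped while LAN DNS and existing connections still pass.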
Concur, it is a dog's breakfast of a config.
It's best if you explain what you are trying to accomplish here and what you are afraid of..........
It would appear you are providing internet to many users? Is this an apartment building, home, coffee shop etc.....
I didn’t configure this MikroTik, but I cleared all the rules and only these rules are present. The 10.10.12.0/24 range represents my internal users, and the MikroTik is for a small company.
Mikrotik Version 7.19.4 X86
```RouterOS
1 chain=input action=accept tcp-flags=syn connection-state=new protocol=tcp dst-port=64872,64873,64874,64875 dst-limit=200,1,src-address/1m40s log=no log-prefix="SYN-DETECT: "
2 ;;; DETECT offenders (over limit)
chain=input action=add-src-to-address-list tcp-flags=syn connection-state=new protocol=tcp address-list=Syn-flooders-tcp address-list-timeout=20s dst-port=64872,64873,64874,64875 log=yes log-prefix="SYN-DET: "
3 ;;; DROP SYN offenders
chain=input action=tarpit protocol=tcp src-address-list=Syn-flooders-tcp log=yes log-prefix="SYN-DROP: "
4 chain=input action=accept protocol=tcp src-address=10.10.12.0/24 dst-port=53 log=no log-prefix=""
5 chain=input action=accept protocol=udp src-address=10.10.12.0/24 dst-port=53 log=no log-prefix=""
6 chain=input action=drop protocol=udp dst-port=53 log=no log-prefix=""
7 chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix=""
8 chain=output action=accept dst-address=192.168.44.93 log=no log-prefix=""
9 chain=input action=accept src-address=192.168.44.93 log=no log-prefix=""
10 chain=input action=accept protocol=udp dst-port=53 log=no log-prefix=""
11 chain=forward action=accept protocol=udp dst-address=172.16.200.5 dst-port=53 log=no log-prefix=""
12 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
13 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
14 D chain=input action=jump jump-target=hs-input hotspot=from-client
15 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
16 D chain=hs-input action=jump jump-target=pre-hs-input
17 D chain=hs-input action=accept protocol=udp dst-port=64872
18 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
19 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
20 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
21 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
22 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
23 ;;; Allow established/related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
24 ;;; Drop invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=""
```
```RouterOS
/interface bridge
add name=bridge1
/ip hotspot profile
add dns-name=sarigading.com hotspot-address=10.5.50.1 html-directory=hotspotGading login-by=http-pap,mac-cookie name=hsprof1
/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=3d shared-users=unlimited
add idle-timeout=3d !keepalive-timeout name=Guest rate-limit=25m/25m shared-users=unlimited
add idle-timeout=3d !keepalive-timeout name=Staff rate-limit=10m/10m shared-users=unlimited
/ip pool
add name=hs-pool-4 ranges=10.5.50.2-10.5.50.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=hs-pool-4 interface=ether3 lease-time=3d name=dhcp1
add address-pool=dhcp_pool1 interface=bridge1 lease-time=3d name=dhcp2
/ip hotspot
add address-pool=hs-pool-4 disabled=no idle-timeout=none interface=ether3 name=hotspot1 profile=hsprof1
/port
set 0 name=serial0
/routing table
add comment="PCC Route to ISP-1" fib name=to-ISP-1
add comment="PCC Route to ISP-2" fib name=to-ISP-2
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
add address=10.5.50.1/24 interface=ether3 network=10.5.50.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add add-default-route=no default-route-tables=main interface=ether1
add add-default-route=no default-route-tables=main interface=ether2
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers="203.142.82.222,203.142.84.222,202.58.203.203,202.58.203.202,8.8.8.8,8.8.4.4"
/ip firewall address-list
add address=192.168.0.0/16 comment="Local IPs or Private IPs (RFC1918)" list=LOCAL-IP
add address=172.16.0.0/12 list=LOCAL-IP
add address=10.0.0.0/8 list=LOCAL-IP
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip firewall mangle
add action=accept chain=prerouting comment="// LOCAL TRAFFIC BYPASS" dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=postrouting dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=forward dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=input dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=accept chain=output dst-address-list=LOCAL-IP src-address-list=LOCAL-IP
add action=mark-connection chain=input comment="// PCC LOAD BALANCING" in-interface=ether1 new-connection-mark=ISP-1-conn
add action=mark-connection chain=input in-interface=ether2 new-connection-mark=ISP-2-conn
add action=mark-routing chain=output connection-mark=ISP-1-conn new-routing-mark=to-ISP-1
add action=mark-routing chain=output connection-mark=ISP-2-conn new-routing-mark=to-ISP-2
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-1-conn per-connection-classifier=both-addresses-and-ports:15/0 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-1-conn per-connection-classifier=both-addresses-and-ports:15/1 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-1-conn per-connection-classifier=both-addresses-and-ports:15/2 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-1-conn per-connection-classifier=both-addresses-and-ports:15/3 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-1-conn per-connection-classifier=both-addresses-and-ports:15/4 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-1-conn per-connection-classifier=both-addresses-and-ports:15/5 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-1-conn per-connection-classifier=both-addresses-and-ports:15/6 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-1-conn per-connection-classifier=both-addresses-and-ports:15/7 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-2-conn per-connection-classifier=both-addresses-and-ports:15/8 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-2-conn per-connection-classifier=both-addresses-and-ports:15/9 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-2-conn per-connection-classifier=both-addresses-and-ports:15/10 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-2-conn per-connection-classifier=both-addresses-and-ports:15/11 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-2-conn per-connection-classifier=both-addresses-and-ports:15/12 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-2-conn per-connection-classifier=both-addresses-and-ports:15/13 src-address-list=LOCAL-IP
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=ISP-2-conn per-connection-classifier=both-addresses-and-ports:15/14 src-address-list=LOCAL-IP
add action=mark-routing chain=prerouting connection-mark=ISP-1-conn dst-address-list=!LOCAL-IP new-routing-mark=to-ISP-1 src-address-list=LOCAL-IP
add action=mark-routing chain=prerouting connection-mark=ISP-2-conn dst-address-list=!LOCAL-IP new-routing-mark=to-ISP-2 src-address-list=LOCAL-IP
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
/ip route
add check-gateway=ping comment="PCC Recursive Check ISP-1" distance=1 dst-address=1.1.1.1 gateway=192.168.110.1 scope=10 target-scope=10
add check-gateway=ping comment="PCC Recursive Check ISP-2" distance=1 dst-address=1.1.1.2 gateway=192.168.20.1 scope=10 target-scope=10
add check-gateway=ping comment="PCC Routing Mark to ISP-1" distance=1 gateway=1.1.1.1 routing-table=to-ISP-1 scope=30 target-scope=30
add check-gateway=ping comment="PCC Routing Mark to ISP-2" distance=1 gateway=1.1.1.2 routing-table=to-ISP-2 scope=30 target-scope=30
add check-gateway=ping comment="PCC Default Route to ISP-1" distance=1 gateway=1.1.1.1 routing-table=main scope=30 target-scope=30
add check-gateway=ping comment="PCC Default Route to ISP-2" distance=2 gateway=1.1.1.2 routing-table=main scope=30 target-scope=30
/system clock
set time-zone-name=Asia/Makassar
/system routerboard settings
set enter-setup-on=delete-key
```
