Random Port Attack

RouterOS General
1

Hello,

Very frequently I am getting attacked by some attackers with random port. It causes to make jam into my network.

If anyone have good solution to protect from the attack, please share here.

Here, 103.239.5.32/27 is my routing IP block.


2

the connection is from you to remote host (from China).

3

Are you running my BlackList? It will help protect you from many attacks.

If this is a DDoS attack, and you have a dynamic IP, the simple solution is to change your MAC address on the WAN port and reboot the modem to get a new IP address.

http://forum.mikrotik.com/t/blacklist-filter-update-script/89817/1

4

Also, consider adding a RAW drop rule to drop the subnet that the attack is coming from.

5

Actually attacks are not intended from specific prefix if varies from time to time !
Capture.JPG

6

My end router is RB2011UiAS, to run your blacklist script will hamper processing of my router

How could I change the MAC address of WAN port?

7

look number of the port:
/interface ethernet> print
then set new mac:
/interface ethernet> set 4 mac-address=00:11:22:33:44:55

8

Changed the mac address of WAN port but still getting attack from some Real IPs.

9

did you reconnect to get new ip?

10

Blocking IPs from forward chain but not actually blocking packets but also capturing packets!

How could I do permanent block of attacking packets!

11

What interface is “ether2”? LAN or WAN? Because if it’s LAN and that’s where your 103.239.5.32/27 subnet is, then first reply was correct. No one is attacking you, it’s your devices trying to connect outside.

12

Yes. ether1 is WAN and I have pointed it with a local IP (172.20.104.62) and the routed IP is used on ether2 103.239.5.32/27.

Actually my devices should be inactive. How could I stop the automatic connect with remote IPs.

13

You should inspect your devices. If you watch ether2 (where they are connected to) and see zero tx rate (send) and non-zero rx rate (receive), it’s traffic from your devices to internet, not the other way around. You can block it, but it’s no solution. You should be more interested in why your devices send this traffic, and what other unexpected things they might be doing.

14

All IPs are placed into my camera. Then packets are unexpected that I am observing in LAN.

Is there any prevention?

15

You have a problem. Have you ever heard about IP cameras with remotely exploitable vulnerabilities? That’s what you have and now they are most likely part of someone’s botnet. I can’t say that for sure, but I could send you some pictures from your factory that you’d recognize. :wink: So your cameras are vulnerable, this part is for sure.

I don’t know what else you have in this network, but if it’s just cameras, I suggest to define a list of trusted addresses for outside access (if you need it):

/ip firewall address-list
add address=<IP address 1> list=Trusted
add address=<IP address 2> list=Trusted

And then only allow those and block everything else, i.e. connections from internet to cameras from other addresses, and connections from cameras to internet:

/ip firewall filter
add action=accept chain=forward comment="allow established and related connections" connection-state=established,related
add action=drop chain=forward comment="drop invalid packets" connection-state=invalid
add action=accept chain=forward comment="allow acces to cameras from trusted addresses" dst-address=103.239.5.32/27 \
    src-address-list=Trusted
add action=drop chain=forward comment="block everything else" disabled=yes

Restart router to make sure that no already established connections stay open. If you have something else that should be allowed in or out, add needed rules before the last drop rule. It’s intentionally disabled, enable it when you’re sure that you have everything set correctly.

All this is just quick hotfix, next step is to really fix cameras, i.e. find new firmware for them (if it exists), upgrade them all and change password for all, because you can’t know how many unauthorized people have it already.

And don’t forget to also upgrade your router, because it’s vulnerable too.

16

You probably need to factory reset and re-flash all your cameras if they’ve been hacked. You are essentially a DDoS source right now and it will not be long before your upstream ISP terminates your service if you don’t stop the abuse.