reverse proxy attack

Hi guys! I’ve been running an RB2011 with 6.35 for months without issues. Great machine!!!
Suddenly, I’ve noticed high CPU use, Out of Memory, hundreds of undesired connections… :confused:

All this disappears when I close the input chain for port 8080 (reverse web proxy). This has been working for months per-fect-ly.
Following these classic instructions (http://wiki.mikrotik.com/wiki/Multiple_Web_Servers ), I set up a reverse proxy, but it didn’t work until port 8080 was open in the input chain.
Now I’m receiving lots of requests directly to port 8080. My reverse proxy is populated with allows and denies.

What am I missing? Is it necessary to allow 8080 in the input chain?
Thank you in advance.

You should keep it closed against wan interfaces at least.

Hi Jarda, thanks for your reply. I have a dst-nat redirecting port 80 requests on WAN to 8080, but the reverse proxy does not work until port 8080 is open on the WAN interface in the input chain (!)

You can block direct connections:

/ip firewall filter
add chain=input protocol=tcp dst-port=8080 connection-nat-state=!dstnat action=reject reject-with=tcp-reset

You need to make sure that your proxy rules block requests for any sites that you’re not offering locally.
Probably what’s happened is that your router will happily proxy requests for any arbitrary site on the web, and now the bad guys have you in their list of open proxies. Test this by going to some computer outside your network, and configuring it to use your public IP as a proxy. If you can surf the web, then your proxy is open.

The CPU load is because lots of people out there on the Internet are using your IP address to hide their true origin (wasting your bandwidth and CPU).
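The open-proxy check described in the reply above, as an added example that is not code from the original thread. A browser configured to use your public IP as its HTTP proxy puts the full URL in the request line ("GET http://example.com/ HTTP/1.1"); the script sends exactly that, then reports OPEN if the router fetched a site you do not host, closed if it refused (a 403 from the proxy access list), or no-http-reply if the firewall reset or dropped the connection. The fake proxy handlers, the hostname www.myserver.example and the address 203.0.113.10 are constructed placeholders so the demo runs offline.

```python
"""Probe a host for open-forward-proxy behaviour.

Added example; not code from the original thread. A browser that has been told
to use ROUTER_IP:PORT as its HTTP proxy sends the request line with an absolute
URI ("GET http://example.com/ HTTP/1.1"). A proxy that honours such a request
for a site you do not host is open. A locked-down RouterOS web proxy answers
with an access-list deny (403), and a firewall reject-with=tcp-reset produces
no HTTP reply at all; the probe distinguishes the three outcomes.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_proxy_request(target_url: str) -> bytes:
    """Raw request a browser sends to a forward proxy: absolute URI plus Host."""
    host = target_url.split("//", 1)[1].split("/", 1)[0]
    return (
        f"GET {target_url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def parse_status(raw: bytes):
    """Return the HTTP status code from a raw reply, or None if it is not HTTP."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def classify(status):
    """Map a status code to a verdict about the proxy."""
    if status is None:
        return "no-http-reply"        # reset, refused, or timed out
    if 200 <= status < 400:
        return "OPEN"                 # the proxy fetched a foreign URL for us
    return "closed"                   # 403 from the access list, other 4xx/5xx


def probe(proxy_host: str, proxy_port: int,
          target_url: str = "http://example.com/", timeout: float = 5.0) -> str:
    """Connect to proxy_host:proxy_port and ask it to fetch target_url."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_proxy_request(target_url))
            raw = b""
            while len(raw) < 4096:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:                   # ECONNREFUSED, ECONNRESET, timeout
        return "no-http-reply"
    return classify(parse_status(raw))


# --- constructed stand-ins for the router, so the probe can be run offline ---

def make_fake_proxy(open_mode: bool, local_host: str = "www.myserver.example"):
    """Build a handler that serves foreign URLs only when open_mode is True."""
    class FakeProxy(BaseHTTPRequestHandler):
        def do_GET(self):
            # Proxy-style requests put the whole URL in self.path.
            foreign = self.path.startswith("http://") and local_host not in self.path
            self.send_response(200 if (open_mode or not foreign) else 403)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass
    return FakeProxy


def demo(open_mode: bool) -> str:
    """Start a fake proxy on a loopback port, probe it, and return the verdict."""
    srv = HTTPServer(("127.0.0.1", 0), make_fake_proxy(open_mode))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("misconfigured router:", demo(True))    # OPEN
    print("locked-down router:  ", demo(False))   # closed
    # Against a real router, run this from outside your own network:
    # print(probe("203.0.113.10", 80))
```

Run the real probe from a machine outside your network (a hotspot, a VPS), and test port 80 as well as 8080: the dst-nat 80 to 8080 redirect means the proxy is reachable on both.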

You only need to restrict connection-state=new packets from the WAN interface - connections that are initiated from outside.

He’s using it as an inverse proxy, so its functionality requires that new connections from the WAN be accepted.
What he needs to do is restrict the configuration of the proxy so that it denies all requests for non-local URLs.

Solved! :smiley:
The answer by Sob worked immediately. Thanks to all for your time.
It’s impressive the power of RouterOS+its community.

I wish PMs were still active here - While this worked for blocking port 8080, I strongly suspect that anyone setting a browser to use your public IP with port 80 as the proxy port would still get proxy service. Sob’s rule basically blocks direct connections to the proxy’s port, but dstnat will map 80->8080, and the block rule won’t block that, so if the queries being sent by the remote party are still allowed to be for any website, then this solution has only moved the problem from port 8080 to port 80.

You may want to go to a WiFi hotspot somewhere, and test this theory.
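A configuration along the lines of what the two replies above are asking for (deny every non-local URL in the proxy itself, and keep Sob's firewall rule for direct hits on 8080), as an added example rather than configuration from the thread or the wiki article. The hostnames, the 192.168.88.x backend addresses and the interface name ether1-gateway are placeholders; the hostname-to-backend mapping via static DNS entries is one way to do it, not necessarily the one the poster used.

```routeros
# Added example (not from the thread). Names, addresses and the WAN interface
# name are placeholders; adjust to your own sites.

# Backend servers behind the router: the proxy resolves the public hostnames
# to these internal addresses (assumed mapping method, via static DNS).
/ip dns static
add name=www.example.com address=192.168.88.10
add name=mail.example.com address=192.168.88.11

/ip proxy
set enabled=yes port=8080 src-address=0.0.0.0

# Access list: only the sites you actually host are allowed. The final deny is
# the rule that closes the open proxy; without it RouterOS lets unmatched
# requests through, and anyone reaching the proxy (on 8080 directly or via the
# 80->8080 dst-nat below) can fetch any site on the Internet through you.
/ip proxy access
add dst-host=www.example.com action=allow comment="hosted site"
add dst-host=mail.example.com action=allow comment="hosted site"
add action=deny comment="refuse everything else, incl. CONNECT and foreign hosts"

# Public port 80 on WAN lands on the proxy.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="web to reverse proxy"

# Connections that reach 8080 without having been dst-natted (i.e. someone
# talking to the proxy port directly) are reset; this is Sob's rule above.
/ip firewall filter
add chain=input protocol=tcp dst-port=8080 connection-nat-state=!dstnat \
    action=reject reject-with=tcp-reset comment="no direct proxy access"
```

Two things to verify after applying this: first, from outside your network, point a browser or curl at your public IP on port 80 as a proxy and request an unrelated site; you should get the proxy's deny page, not the site. Second, check `/ip proxy connections` and the CPU graph over a day; if the deny rule is doing its job the stray connections should stop accumulating, since the firewall rule alone never touched traffic arriving via the port 80 redirect.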

Original post said:

So my understanding was that correct access rules are set, as suggested by the wiki article. But of course it’s a good idea to carefully check it again.