routerOS frequently floods LAN

Hi, I’ve experienced some very strange behaviour from my RouterBOARD recently. It has periodically flooded my network, causing the CPU of every connected device to go to maximum, which lasts a few hours each time. I’m not sure if this is caused by dual WAN or by my ISP trying to prevent users from using routers (it’s a student ISP), but when it happens and I disconnect the router’s WAN cables the problem goes away. I can’t use the sniffer to get information because every time I use it the router reboots. How do I prevent a flood? What firewall rules should I add to defend against this? It’s very strange because the LAN gets flooded and not the WAN; however, the router floods on all interfaces. I am pretty sure my ISP does do port scanning and sends packets to prevent people from using routers by causing a flood on the LAN and WAN side, which seems to be either broadcast or multicast packets. Using the switch to limit packets does help, but I would prefer to make a firewall rule to prevent this on my RouterBOARD.

Thanks

The description sounds like a fairly standard DoS attack. What are your current firewall rules?

Well, the standard firewall rules from the MikroTik wiki on setting up a router. I’m not sure if it’s a DoS attack because, even though the two networks are separated through VLANs, the LAN side is what gets flooded, and also the WAN. When I disconnect the WAN the problem stops; however, if I connect my PC directly there isn’t any problem.

When I connect my PC directly to the wall there’s no flood, but when I connect my PC to the VLAN of the switch for my own LAN I get flooded, even if the switch is not connected to the ISP. During the flood the RouterBOARD’s CPU usage stays at 100% and my PC’s system process takes up a whole core. I’ve isolated the problem to the RouterBOARD, probably flooding the network because of a loop (dual WAN) or because of specific packets sent by the ISP to prevent people from using routers. Student ISPs don’t allow routers, to avoid a misconfigured router messing up the network.

There are standard DoS attacks that use multicast, etc. If you upload your firewall rules we can comment on them.

Here are the firewall rules. Some are disabled, and some are for the hotspot but currently disabled. I’m also using mangle and NAT to make sure that traffic can pass even though the ISP doesn’t allow routers (student ISP), but I hate not being able to use a firewall.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=accept chain=input disabled=no src-address=192.168.88.0/24
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
add action=drop chain=forward content=questbasic. disabled=yes
add action=accept chain=input comment="accept established connection packets" connection-state=established disabled=no
add action=accept chain=input comment="accept related connection packets" connection-state=related disabled=no
add action=drop chain=input comment="drop invalid packets" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow access to router from known network" disabled=no src-address-list=safe
add action=drop chain=input comment="detect and drop port scan connections" disabled=no protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 disabled=no protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 disabled=no protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" disabled=no jump-target=services
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no dst-address-type=broadcast
add action=log chain=input disabled=no log-prefix=Filter:
add action=drop chain=input comment="drop everything else" disabled=no
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no protocol=icmp
/ip firewall mangle
add action=change-ttl chain=forward disabled=yes new-ttl=set:64 passthrough=yes src-address=192.168.88.0/24
add action=change-ttl chain=postrouting disabled=no new-ttl=increment:1 passthrough=no
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=!192.168.88.0/24 protocol=udp src-address=192.168.88.0/24
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=ether1-gateway src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=yes src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=yes src-address=192.168.88.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.88.2 dst-port=60 protocol=tcp to-ports=21
add action=masquerade chain=srcnat disabled=yes out-interface=unifi src-address=192.168.88.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=110.159.246.153 dst-port=5000-16000 protocol=tcp to-addresses=192.168.88.254 to-ports=5000-15000
add action=redirect chain=dstnat disabled=no dst-address=!192.168.88.1 protocol=tcp src-address=192.168.88.0/24 to-ports=800
add action=redirect chain=dstnat disabled=no dst-address=!192.168.88.0/24 protocol=udp src-address=192.168.88.0/24 to-ports=800
add action=redirect chain=dstnat disabled=yes dst-address=192.168.88.0/24 protocol=tcp src-address=!192.168.88.0/24 to-ports=800
add action=masquerade chain=srcnat disabled=no dst-address=!192.168.88.0/24 src-address=192.168.88.0/24

At a very fast glance I only saw two references to the forward chain in those rules, and one of those was a disabled rule. If those are really the only forward-chain filters then you are wide open to the type of DoS attack I mentioned, not to mention all sorts of other potential problems.

You need to have some basic rules in place in the forwarding chain:

  1. Accept established connections from the WAN connection to the LAN
  2. Accept related connections from the WAN connection to the LAN
  3. Allow new connections from the LAN connection to the WAN
  4. Reject everything else!!!

Then add other accepts above 4) on an “as needed” basis.
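The four-step forward chain above, written out as a RouterOS export fragment. This is an added example, not configuration posted by anyone in this thread; it assumes the WAN is ether1-gateway and the LAN is 192.168.88.0/24 (both taken from the export earlier in the thread) and that connection tracking stays enabled, which it is in that export. The second WAN of the dual-WAN setup is not named on the page, so it is left as a commented placeholder.

```routeros
# Added example: minimal stateful forward chain for a RouterBOARD.
# Assumptions: WAN = ether1-gateway, LAN = 192.168.88.0/24 (from the posted export).
/ip firewall filter
# 1+2. Replies to tracked connections, in either direction. Connection tracking
#      only creates an entry for flows that a later rule allowed as "new", so
#      these two rules cannot admit traffic the policy never accepted.
add chain=forward action=accept connection-state=established comment="1. accept established"
add chain=forward action=accept connection-state=related comment="2. accept related"
# Packets that belong to no tracked connection (stray ACKs, broken fragments,
# out-of-window segments). Dropping them early keeps them off the CPU and out
# of the "new" rule below.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 3. New connections only from the LAN subnet, only toward the WAN interface.
#    Matching both src-address and in-interface=!WAN stops a host on the WAN
#    side from spoofing a 192.168.88.x source to reach the LAN.
add chain=forward action=accept connection-state=new src-address=192.168.88.0/24 in-interface=!ether1-gateway out-interface=ether1-gateway comment="3. new LAN -> WAN"
# Dual WAN: repeat rule 3 for the second uplink (interface name is an assumption,
# the page does not give it).
# add chain=forward action=accept connection-state=new src-address=192.168.88.0/24 in-interface=!ether1-gateway out-interface=ether2-gateway comment="3b. new LAN -> WAN2"
# "As needed" accepts go here, above the final drop. Example for the dst-nat
# target 192.168.88.254 found in the posted export (disabled there):
# add chain=forward action=accept connection-state=new protocol=tcp in-interface=ether1-gateway dst-address=192.168.88.254 dst-port=5000-15000 comment="example: port-forward target"
# Optional: log what the final rule is about to discard. Rate-limited so a
# flood cannot fill the log (limit=burst per second).
add chain=forward action=log log-prefix="FWD-DROP:" limit=5,10 comment="log before final drop"
# 4. Everything else. Drop rather than reject: reject answers every packet with
#    an ICMP error, which during a flood is work the router should not be doing.
add chain=forward action=drop comment="4. drop everything else"
```

After importing, `/ip firewall filter print stats where chain=forward` shows per-rule packet counters; during a flood, a rapidly climbing counter on the final drop (with the log prefix telling you the source and interface) confirms the packets are reaching the router's forward path, while counters that stay flat point at traffic the switch chip is forwarding on the same VLAN without ever entering the CPU, which no filter rule will see. Rule order matters: RouterOS evaluates filter rules top to bottom and stops at the first match, so the established/related accepts must stay above the drops.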

Thanks.
I’ve also added VLAN rules on the switch chip too. However, I am not sure if I did it correctly. I want to be able to use both NAT and proxy.
Basically, VLAN 0 consists of the switch CPU and LAN ports;
VLAN 1 consists of WAN ports only.
What changes should i make to improve security as well?

I’m also using mangle in the firewall to change the packet TTL to hide the router, since it’s a student ISP. At one time when they had a power outage, so many routers were flooding the network with broadcasts that it heated up my switch quite a lot (I disconnected the noisy fan since I expect to be using 5% of total switch capacity), but limiting broadcast packets on the switch solved it.

I find VLANs to be quite effective, although this is my first time using them.