Security Help: MT being used for DoS attack

Good evening MT forum leets!

So I decided to grab a RB751 to teach myself the ins and outs of RouterOS and the RouterBOARD and broaden my knowledge, *ahem! I'm a student thus cannot afford the MTCNA course yet :wink:

I discovered my internet (bridged to modem) being very slow at approx. 8PM GMT+2.. logged onto my router and checked my logs and wow, my ISP keeps disconnecting me.. checked the terminal to see if maybe there are messages there.. nothing, THEN! IP → Firewall → Connections and WTF!

About 4000 entries sourcing from various IP addresses and going to an Information Technology website in Thailand??.. I googled the IP address, so great! Someone is using my router and currently flooding the web server!.. so I did a screenshot of the connections, disconnected the PPPoE connection, removed the trunk links to my switches so only the admin local IP was left, reconnected the connection and straight away there she goes again. I did not look at the MT routing table because I quickly disconnected the router; reset and imported my last exported config file and with a new IP address from the ISP everything seems normal now.. now I really don't know if they added my router as a route or default gateway or what, I don't know.. the root account is not admin but another name with a 32 character password containing letters, numbers etc. All service ports are disabled except winbox, which listens on my local subnet range. I did add extra stuff like drop telnet, drop winbox and drop DNS poisoning from public. I did add accept TCP and UDP after reading one blog, as my younger brother could not find Dota 2 servers nor could I download a torrent of a Linux distro; accepting these 2 allowed it to happen - uTorrent has uPnP enabled and adds the DSTNAT rule automatically.

Here's my firewall export

/ip firewall filter
add action=accept chain=input comment="Accept PING" disabled=no protocol=icmp
add action=accept chain=input comment="Accept Established Input" \
    connection-state=established disabled=no in-interface=mweb
add action=accept chain=input comment="Accept Related Input" \
    connection-state=related disabled=no in-interface=mweb
add action=log chain=input comment="Log Web Winbox Attempt" disabled=no \
    dst-port=8291 in-interface=mweb log-prefix="Web Winbox Attempt" protocol=tcp
add action=drop chain=input comment="Drop Winbox from Internet" disabled=no \
    dst-port=8291 in-interface=mweb protocol=tcp
add action=log chain=input comment="Log Web DNS Attempt" disabled=no \
    dst-port=53 in-interface=mweb log-prefix="Web DNS Attempt" protocol=tcp
add action=drop chain=input comment="Drop DNS from Internet" disabled=no \
    dst-port=53 in-interface=mweb protocol=tcp
add action=log chain=input comment="Log Web Telnet Attempt" disabled=no \
    dst-port=23 in-interface=mweb log-prefix="Web Telnet Attempt" protocol=tcp
add action=drop chain=input comment="Drop Telnet from MWEB" disabled=no \
    dst-port=23 in-interface=mweb protocol=tcp
add action=accept chain=input comment="Accept TCP input" disabled=no protocol=tcp
add action=accept chain=input comment="Accept UDP input" disabled=no protocol=udp
add action=log chain=input comment="Log Invalid Input" connection-state=invalid \
    disabled=no in-interface=mweb log-prefix=INVALID
add action=drop chain=input comment="Drop All Invalid to Router" \
    connection-state=invalid disabled=no in-interface=mweb
add action=accept chain=forward comment="Accept Established Forward" \
    connection-state=established disabled=no in-interface=mweb
add action=accept chain=forward comment="Accept Related Forward" \
    connection-state=related disabled=no in-interface=mweb
add action=accept chain=forward comment="Accept LAN forward" disabled=no \
    in-interface=LAN out-interface=LAN
add action=accept chain=forward disabled=yes protocol=udp
add action=log chain=forward disabled=yes log-prefix=INVALID protocol=udp
add action=drop chain=forward connection-state=invalid disabled=no in-interface=mweb
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT going out to public" disabled=no \
    out-interface=mweb
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes

I have looked at firewall info on the internet like "securing new RouterOS" and watched the Greg Sowell videos.. if there are any resources you have, could you share them with me? :smiley:

I really appreciate all your help
(attachment: Capture_DoS-attack.JPG)

Chances are you had your web proxy turned on, and with these two rules, you had it open to the world.

add action=accept chain=input comment="Accept TCP input" disabled=no \
protocol=tcp
add action=accept chain=input comment="Accept UDP input" disabled=no \
protocol=udp

That means anything TCP or UDP going to the router that is not dropped by something more specific further up would be accepted. I don't see a default drop all rule either, so that could cause problems. A firewall that will meet 95% of anything that you would need to do looks like this:

/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established action=accept
add chain=input comment="Accept related connections" connection-state=related action=accept
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept everything from known IP Addresses" src-address-list=known action=accept
add chain=input comment="Accept everything from LAN" in-interface=<LAN> action=accept
add chain=input comment="Drop everything else" action=drop
add chain=forward comment="Accept established connections" connection-state=established action=accept
add chain=forward comment="Accept related connections" connection-state=related action=accept
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Allow the LAN connect to the internet" connection-state=new in-interface=<LAN> out-interface=<WAN> action=accept
add action=drop chain=forward comment="Drop Everything else"

Anything that you want to specifically allow on the input chain or forward chain needs to be explicitly allowed before the drop everything else rules.

Thanks for the help feklar!

My web proxy was off.. The part allowing TCP and UDP actually came from a blog with tons of MT stuff :confused: I'll add those rules and sit today seeing if I need to forward any ports for programs.

Just a question: for rules like drop and accept established etc., why can't you just mainly put them on the WAN in-interface? Like only apply those rules on the in-interface? Or just use it like that?

Thanks for your help! :slight_smile:

You can apply it just to the WAN if desired for the input chain, it's just more of a security mindset. It's safer to deny/drop everything and just accept what you specifically want/need. Hence the known IP address list, and the LAN interface.

Hi again Feklar

I have done exactly as you said and added the SYN drop rule that's on one of the wiki pages, and again the same thing just happened right now as in the screenshot :frowning: could you assist me further please?

If it's happening again, chances are it's a workstation that is internal to the network. The firewall rules would prevent someone from the outside using the router for anything. However, internal users have unrestricted access to the internet. Running torch on the LAN interface to see what IP address is making all of the outbound connections would be the best course of action.
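An added example (not code from the thread or from MikroTik) of the triage suggested above: paste or save the output of /ip firewall connection print, then count which LAN host owns the most outbound connections and where they go, so the flooding workstation stands out. The column layout of the sample, the 192.168.88.0/24 LAN prefix and the threshold are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the style of "/ip firewall connection print" output
# (column layout approximated; not a real capture from the post).
SAMPLE = """\
Flags: S - seen reply, A - assured
 #    PROTOCOL SRC-ADDRESS          DST-ADDRESS          TCP-STATE    TIMEOUT
 0 SA tcp      192.168.88.10:51234  203.0.113.5:80       established  23h59m
 1 SA tcp      192.168.88.20:40001  203.0.113.5:80       syn-sent     9s
 2    tcp      192.168.88.20:40002  203.0.113.5:80       syn-sent     9s
 3    tcp      192.168.88.20:40003  203.0.113.5:80       syn-sent     9s
 4    udp      192.168.88.20:40004  203.0.113.5:80                    9s
 5 SA udp      192.168.88.10:53001  192.0.2.53:53                     10s
"""

# proto, src:port, dst:port; header and flag lines do not match
LINE_RE = re.compile(r"\b(tcp|udp)\s+(\S+?):(\d+)\s+(\S+?):(\d+)")


def parse_connections(text):
    """Yield (proto, src_ip, dst_ip, dst_port) for each connection-table row."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            proto, src, _sport, dst, dport = m.groups()
            yield proto, src, dst, int(dport)


def top_lan_talkers(text, lan_net="192.168.88.0/24", threshold=100):
    """Report LAN hosts holding at least `threshold` connections, busiest first,
    with the destination each one hits most (assumed LAN prefix and threshold)."""
    lan = ipaddress.ip_network(lan_net)
    by_src = {}
    for _proto, src, dst, dport in parse_connections(text):
        if ipaddress.ip_address(src) not in lan:
            continue  # only outbound connections originating on the LAN side
        by_src.setdefault(src, Counter())[f"{dst}:{dport}"] += 1
    report = []
    for src, dsts in by_src.items():
        total = sum(dsts.values())
        if total >= threshold:
            dst, n = dsts.most_common(1)[0]
            report.append({"src": src, "connections": total,
                           "top_dst": dst, "to_top_dst": n})
    report.sort(key=lambda r: r["connections"], reverse=True)
    return report


if __name__ == "__main__":
    for row in top_lan_talkers(SAMPLE, threshold=3):
        print(row)
```

With a real dump of ~4000 entries, keep the default threshold and the host that produced the screenshot's connection list is the first row of the report.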

Great thanks very much!

Will definitely give it a bash and see and will report back what I find