Sl33py
December 7, 2016, 1:12pm
1
Hello
I have all these connections and can't seem to stop them, see attached pic.
My firewall rules:
/ip firewall address-list
add address=196.0.0.0/8 list=SA_Sub
add address=41.0.0.0/8 list=SA_Sub
add address=165.0.0.0/8 list=SA_Sub
add address=197.0.0.0/8 list=SA_Sub
add address=129.0.0.0/8 list=SA_Sub
add address=105.0.0.0/8 list=SA_Sub
add address=10.0.0.0/24 list=SA_Sub
add address=169.0.0.0/8 list=SA_Sub
add address=154.0.0.0/8 list=SA_Sub
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=""
add action=accept chain=input comment="default configuration" connection-state=""
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=input in-interface=pppoe-out1 port=53 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=6881 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=1270 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=1267 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=1253 protocol=udp
add action=reject chain=input in-interface=pppoe-out1 port=53 protocol=tcp reject-with=icmp-network-unreachable
add action=accept chain=forward comment="Allow access from SA_Sub List" in-interface=pppoe-out1 protocol=tcp src-address-list=SA_Sub
add action=drop chain=forward comment="Block access not from SA_Sub List" in-interface=pppoe-out1 protocol=tcp src-address-list=!SA_Sub
You can do nothing except asking your ISP for dropping all connections from (any IP):6881 to your (IP address):1500 and (IP address):1270.
Do you use Microsoft Operations Manager? Seems that port 1270 is used by this soft. Port 1500 is for VLSI License Manager.
2frogs
December 7, 2016, 2:24pm
3
Your 3rd and 4th filter rules are accepting all connections on input chain from all interfaces and they are higher in order than your drop rules. That is why your drop rules don’t work.
I'm guessing at one time those 2 rules had connection-state= established and = related respectively. Those can now be combined to = established, related and set in-interface=pppoe-out1. And then remove other:
/ip firewall filter add chain=input connection-state=established,related in-interface=pppoe-out1 action=accept
R1CH
December 7, 2016, 2:41pm
4
1072bps hardly constitutes an attack. Looks like one of your users is using a bittorrent client with UDP support, 6881 is the default port.
Firewalls work sequentially. Meaning that traffic is matched against each rule in order from top to bottom until a matching rule is found.
So if you have for example a rule to allow all traffic to the router and then after it a rule to block traffic, no matching will ever be done on the 2nd rule as the allow rule will always match first.
So you have:
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=""
add action=accept chain=input comment="default configuration" connection-state=""
There are no connection-states in that allow-all input rule.
Then you have
add action=drop chain=input in-interface=pppoe-out1 port=53 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=6881 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=1270 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=1267 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=1253 protocol=udp
add action=reject chain=input in-interface=pppoe-out1 port=53 protocol=tcp reject-with=icmp-network-unreachable
The first allow all rule will be matched and these rules won’t be reached. You can confirm this by looking at your Bytes and Packets columns on your winbox firewall screen.
They will probably show zero packets.
Always try to structure firewall rules as:
Explicit Allows
Explicit Drop / Rejects
Connection States
Default Drop Rule
I’ve rewritten your firewall rules, give them a try:
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface=pppoe-out1 port=6881 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=1270 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=1267 protocol=udp
add action=drop chain=input in-interface=pppoe-out1 port=1253 protocol=udp
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=pppoe-out1
add action=accept chain=forward comment="Allow access from SA_Sub List" in-interface=pppoe-out1 protocol=tcp src-address-list=SA_Sub
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward in-interface=pppoe-out1
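As an added illustration of the first-match behaviour described above (this is not code from the thread or from MikroTik), the following Python simulates a RouterOS-style input chain over an excerpt of the poster's original rules and over the rewritten order, for a constructed inbound UDP/6881 datagram arriving on pppoe-out1. The parser, the packet dictionary and the matcher are simplifying assumptions (for instance `port` is treated as one field rather than "either src or dst port"), but the ordering effect is the one the post explains: with the empty connection-state rule near the top, the drop for 6881 is never reached.

```python
import shlex

# Excerpt of the poster's input chain, in the original order; note the two
# rules whose connection-state="" is empty, which constrains nothing.
ORIGINAL_INPUT = """\
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=""
add action=accept chain=input comment="default configuration" connection-state=""
add action=drop chain=input in-interface=pppoe-out1 port=6881 protocol=udp
"""
# The same intent in the order R1CH proposes: explicit drops before the state rule.
REWRITTEN_INPUT = """\
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface=pppoe-out1 port=6881 protocol=udp
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=pppoe-out1
"""

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts (shlex keeps the quoted comment)."""
    rules = []
    for line in text.splitlines():
        parts = shlex.split(line)
        if parts and parts[0] == "add":
            kv = dict(p.split("=", 1) for p in parts[1:])
            kv.pop("comment", None)  # comments are not matchers
            rules.append(kv)
    return rules

def matches(rule, pkt):
    """True when every matcher the rule sets agrees with the packet."""
    for key, want in rule.items():
        if key in ("action", "chain") or want == "":  # empty value: no constraint
            continue
        if key == "connection-state":
            if pkt.get(key) not in want.split(","):
                return False
        elif str(pkt.get(key)) != want:
            return False
    return True

def first_match(rules, chain, pkt):
    """(index, action) of the first rule in `chain` that matches the packet.
    RouterOS filter chains accept when no rule matches, hence (None, 'accept')."""
    for idx, rule in enumerate(rules):
        if rule["chain"] == chain and matches(rule, pkt):
            return idx, rule["action"]
    return None, "accept"

# Constructed sample packet: a new inbound UDP datagram to port 6881 on pppoe-out1.
TORRENT_PKT = {"protocol": "udp", "port": 6881, "in-interface": "pppoe-out1",
               "connection-state": "new"}
```

Calling `first_match(parse_rules(ORIGINAL_INPUT), "input", TORRENT_PKT)` returns the empty-state accept rule, whereas the rewritten order returns the 6881 drop; the index is what a rule's Bytes/Packets counter in Winbox would reveal.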
Sl33py
August 19, 2017, 9:59am
6
Thanks for your answer, I only saw it now.
I went for a mikrotik course and have since learned how to do it correctly