Virus Ports Block

I'm using MikroTik v5.6 with a Linux cache server. I have noticed that my local area / PPPoE users have computers infected with Trojans/viruses, and their computers continually flood and attack my Linux box, so browsing goes very slow. So I want to block all virus ports. Can anyone post a script or firewall rules?

How can I block them?
Help.
4444.jpg

There are no defined 'virus ports'. You need to provide more information on the traffic before anyone can help you. Malware, depending on the particular sample, can use any ports or protocols the author desires.

It's also helpful if you provide a reasonably sized packet capture, a few hundred packets or so, of that traffic, as it's common enough to find something unique about it that can be used to filter it.

What would help is if you ran Torch on the interface with protocol and port included and a timeout of a minute or so. You can black out parts of your addresses, enough so they can be pointed out without exact IPs, but leave the ports visible. It could be something as simple as spam bots; if you see a lot of port 25 activity, that's probably the case. You can tag that traffic and rate limit it for home users; a business or 'power user' may want to run their own email server with more traffic volume, but you can deal with that on a case by case basis.

First analyze what is going on in your network; Torch can be a good friend in this case. See, in a rough manner, what specific traffic is hitting your router: for example it could be the famous Blaster or other worms using port 135, 445 or 25. Just block those ports.

The best approach is to allow only related traffic and block all other traffic. Or you can just block the famous virus ports listed in this post: http://wiki.mikrotik.com/wiki/Securing_your_router

http://wiki.mikrotik.com/wiki/Protecting_your_customers

A good point to start is our demo2 router. Log in to demo2.mt.lv (login demo, no password); you will find the filter chain=viruses. Export it and use it on your router.
Add additional ports.

This approach blocks only known virus ports, but viruses can use "good" ports as well.

I'm not a fan of just blocking ports for people because they could be used by malware. If you follow that mentality you'll end up blocking legitimate port users. I've seen a lot of malware use port 80; are you going to block that?

If there is a signature or unique property that can be used to target the traffic, then that needs to be used. Most current malware samples are fairly agile and adaptive: if you block a port, it will use a different port.

If you have something unique about the traffic, though, you can tag the traffic and limit it. That will mitigate the effect on your network and will prevent more advanced malware types from simply switching to a new port. It's good practice to implement things as close to the source as possible to reduce the impact on your network.

Arbitrarily blocking ports as a service provider is an amateur's solution. That's not to say you can't monitor that port number, classify it as possibly malicious and then do further checking to see if it actually is malicious. If you put something like Snort on your network and mirror the traffic to it, that will tell you, based on signatures, whether it's a known malicious signature.

No bridge, no Ethernet, no WLAN in the demo.
???

I've monitored my infected users using the Torch tool; the result is in the attached screenshot.
Please see the screenshot and suggest what to do.
mtik.jpg

/ip firewall filter
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=444-445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=444-445 protocol=udp
add action=jump chain=forward jump-target=virus comment="Without this jump the virus chain is never consulted"

This helps...

As I said before, this type of arbitrary port blocking is an amateur's solution. Target specific behavior, not ports. I know I said arbitrary filtering is generally bad practice, but what you have is a worm actively attacking other machines, not something like spam. If it's an active attack, filter it to protect users on the other end. It would be something like this.

/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=445 connection-state=new action=jump jump-target=worm-detect comment="Check every new SMB connection"
add chain=worm-detect limit=5,10 action=return comment="limit matches packets that fit 5/s with burst 10: normal rate, leave unlisted"
add chain=worm-detect action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h comment="Only packets over the rate reach this rule: list the source for 1h"

/ip firewall filter
add chain=forward protocol=tcp dst-port=445 src-address-list=Worm-Infected-p445 action=drop comment="Drop SMB from listed hosts"

That way legitimate use isn't blocked, but something like a worm sending out massive amounts will be detected and stopped. You may have to play with the rates a little, as I don't have traffic to test on, but that's a much more elegant solution than blocking a bunch of ports for all users. Yes, this could be done with a rate-specific firewall rule, but this gives you a nice list of user IPs that need to clean up their machines.

It’s best to try and filter the traffic as close to the source of it as you can get. It keeps such things from taking up bandwidth on your links.

I really appreciate your advice not to block ports and to use the worm limit instead.
I'll apply the firewall rules and then post the result.

But before I apply the rule, I have a question. The limit you define in the mangle rule: will you please tell me whether this limit works for a single user or for the entire network's users?
Also, briefly explain "limit=5,10": what does it do and what does it mean?

Along with the other rules, it means 5 packets per second with a burst of 10, specific to new connections. The mangle rule will put addresses on a list when they exceed that limit. You can just use that rule and tweak it until you're satisfied with what it detects, and then you can apply the firewall one.
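The limit=count,burst matcher discussed in the last few posts is a token bucket: the bucket holds burst tokens, refills at count tokens per second, and a packet matches the RouterOS limit matcher only while a token is available; once the bucket is empty the packet does not match, which is what lets the following add-src-to-address-list rule see it. The simulation below is an added example, not code from anyone in this thread. It runs that bucket over constructed new-connection events (the IPs and timings are made up) in two modes: one bucket shared by every host, which is how a plain limit matcher counts, and one bucket per source address, which is what RouterOS dst-limit in src-address mode gives you. With the shared bucket the infected host drains the tokens and the occasional legitimate SMB connection from other users lands on the list too, which is the practical answer to the single-user-or-whole-network question.

```python
"""Added example: simulate limit=5,10 as a token bucket and see which
sources would be put on the Worm-Infected-p445 list.  Not code from the
thread; all IPs and timings below are constructed.
"""
from collections import defaultdict

RATE_PPS = 5    # limit count: tokens refilled per second
BURST = 10      # limit burst: bucket capacity


class TokenBucket:
    """Token bucket kept in integer milli-tokens so the results are exact."""

    def __init__(self, rate_pps=RATE_PPS, burst=BURST):
        self.rate_pps = rate_pps
        self.capacity = burst * 1000
        self.millitokens = self.capacity   # the bucket starts full
        self.last_ms = None

    def within_limit(self, ts_ms):
        """True if this packet fits the rate (the limit matcher matches it),
        False if it exceeds the rate (the matcher does not match it)."""
        if self.last_ms is not None:
            # 5 tokens/s is 5 milli-tokens per millisecond of elapsed time
            refill = (ts_ms - self.last_ms) * self.rate_pps
            self.millitokens = min(self.capacity, self.millitokens + refill)
        self.last_ms = ts_ms
        if self.millitokens >= 1000:
            self.millitokens -= 1000
            return True
        return False


def listed_sources(events, shared):
    """events: (ts_ms, src_ip, dst_ip) for NEW tcp/445 connections.
    Returns the set of sources that exceeded the limit at least once,
    i.e. the ones add-src-to-address-list would record.
    shared=True  -> one bucket for the whole rule (plain `limit`)
    shared=False -> one bucket per source (`dst-limit`, src-address mode)"""
    buckets = defaultdict(TokenBucket)
    listed = set()
    for ts_ms, src, _dst in sorted(events):
        bucket = buckets["*"] if shared else buckets[src]
        if not bucket.within_limit(ts_ms):
            listed.add(src)
    return listed


def sample_events():
    """Constructed traffic: one infected host scanning a /24 at 50 new SMB
    connections per second for two seconds, plus two office users opening
    an ordinary file share a few times."""
    events = [(i * 20, "10.0.0.50", "10.0.1.%d" % (i % 254 + 1)) for i in range(100)]
    events += [(300, "10.0.0.12", "10.0.0.1"), (1300, "10.0.0.12", "10.0.0.1")]
    events += [(t, "10.0.0.7", "10.0.0.1") for t in (500, 1000, 1500, 2000)]
    return events


if __name__ == "__main__":
    print("per-source bucket:", sorted(listed_sources(sample_events(), shared=False)))
    print("shared bucket:   ", sorted(listed_sources(sample_events(), shared=True)))
```

Tune RATE_PPS and BURST the same way you would tune the count and burst values in the rule; the per-source run is the behaviour you want from a per-user detector, the shared run shows why a rule-wide limit needs a generous rate on a busy link.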

I have found some IPs; you can see them in the screenshot.
Now which rule should I apply for them?

Thanks, I really appreciate your reply...
4444.jpg

Hi, I like your rule for viruses. I just want to know: do I still have to keep my old virus rules, shown below in blue, or do I just leave them as is and add your rule, shown in red?

Old rules (blue):
/ip firewall filter
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=444-445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=444-445 protocol=udp
add action=jump chain=forward jump-target=virus comment="Without this jump the virus chain is never consulted"

New rules (red):
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=445 connection-state=new action=jump jump-target=worm-detect comment="Check every new SMB connection"
add chain=worm-detect limit=5,10 action=return comment="limit matches packets that fit 5/s with burst 10: normal rate, leave unlisted"
add chain=worm-detect action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h comment="Only packets over the rate reach this rule: list the source for 1h"

/ip firewall filter
add chain=forward protocol=tcp dst-port=445 src-address-list=Worm-Infected-p445 action=drop comment="Drop SMB from listed hosts"

I think you don't need to keep the [blue code] after applying the [red] one.
Am I right, MCT?

Correct, you don’t need the old ones anymore, at least for port 445.

Hi MCT,

Your advice is fine. I have not tried it, but it is worth thinking over. However, I have a few queries. The mangle rule you showed is for TCP only, but we know that UDP ports are also vulnerable.
Also, after the IPs have been identified, as in asad's list in the picture 4444.jpg, does it only identify the IPs, or does it drop the worms spreading from those IPs?

Is there a similar method to drop torrent users, or torrent usage for specific IP addresses, or torrent usage during specific times?

Your help would be really appreciated,
Thanks

There's nothing stopping you from making a duplicate rule for UDP. I was just specifically targeting the traffic that was causing problems.

The mangle rule identifies, and then the firewall rule drops the traffic from detected IPs.

It's certainly possible to detect torrents based on traffic behavior. A normal user transferring data will usually be on one of the main service ports like FTP, HTTP, etc. Torrent clients tend to use high-numbered ports. If you see a lot of data on ports above 6000 and multiple connections, then it's a good bet that's torrent traffic.

I was actually looking at the possibility of using L7 detection on the tracker file structure when it's downloaded. If a tracker file is downloaded, then it's reasonable to assume someone is using torrents, and to add them to a list that takes action on high port activity, such as throttling and/or dropping the QoS level.
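The two torrent heuristics in the post above, behaviour (many distinct peers on high ports) and payload (recognising a downloaded .torrent file), as an added example that is not code from the thread. The threshold of 20 peers, the IPs, the sample flows and the sample metainfo file are all constructed. The payload part relies on the format of a .torrent file: it is a bencoded dictionary whose keys are sorted, so a file with an announce key begins with the bytes d8:announce followed by a length-prefixed tracker URL; the regexp below matches that prefix the way a layer7 regexp would, and a small bencode decoder then pulls out the tracker and the torrent name so the same check also tells you what is being fetched.

```python
"""Added example: torrent detection by behaviour and by payload.
Not code from the thread; thresholds, addresses and sample data are
constructed for the demonstration.
"""
import re
from collections import defaultdict

HIGH_PORT = 6000      # from the post: torrent clients tend to sit above this
MIN_PEERS = 20        # assumption: distinct high-port peers before a host is flagged


def torrent_like_sources(flows, min_peers=MIN_PEERS, high_port=HIGH_PORT):
    """flows: (src_ip, dst_ip, dst_port).  Returns {src: peer_count} for
    sources with at least min_peers distinct (dst_ip, dst_port) above high_port."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport > high_port:
            peers[src].add((dst, dport))
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


# Layer7-style fingerprint: bencoded dict, 8-byte key "announce", then a
# length-prefixed tracker URL.  Applied here to the HTTP response body.
TORRENT_PREFIX = re.compile(rb"^d8:announce\d+:(?:https?|udp)://")


def looks_like_metainfo(body):
    return TORRENT_PREFIX.match(body) is not None


def bdecode(data, i=0):
    """Minimal bencode decoder: returns (value, index_after_value)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        out, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            out[k] = v
        return out, i + 1
    if c.isdigit():                                 # string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError("not bencode at offset %d" % i)


def parse_metainfo(body):
    """(tracker_url, torrent_name) if body is a metainfo file, else None."""
    if not looks_like_metainfo(body):
        return None
    meta, _ = bdecode(body)
    info = meta.get(b"info", {})
    return meta[b"announce"].decode(), info.get(b"name", b"").decode()


# --- constructed sample data (not captured traffic) ----------------------
SAMPLE_TORRENT = (b"d8:announce26:http://tracker.example/ann"
                  b"4:infod6:lengthi1024e4:name8:file.iso"
                  b"12:piece lengthi16384e6:pieces20:" + b"\x00" * 20 + b"ee")
SAMPLE_HTML = b"<!doctype html><html><body>hello</body></html>"

SAMPLE_FLOWS = (
    [("10.0.0.23", "198.51.100.%d" % n, 6881 + n) for n in range(30)]   # torrent-like
    + [("10.0.0.8", "203.0.113.%d" % n, 443) for n in range(6)]          # web browsing
    + [("10.0.0.8", "203.0.113.200", 8080), ("10.0.0.8", "203.0.113.201", 8443)]
)

if __name__ == "__main__":
    print(torrent_like_sources(SAMPLE_FLOWS))
    print(parse_metainfo(SAMPLE_TORRENT))
    print(parse_metainfo(SAMPLE_HTML))
```

The behaviour check is what you would feed from Torch or a connection-tracking dump; the prefix check is the part that translates directly into a layer7 regexp, with the decoder showing what a full parser adds over the regexp alone.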

Hi MCT,

Thanks for replying to the virus question I asked.

I want to ask if you could help me out with some stuff.

I have a 433UAH board running ADSL, my PC, my proxy, etc.

My problem is that my proxy, firewall, mangle, queue rules, etc. do not take effect on my clients' PCs.

All the rules I've set out fall on my master LAN, which is my PC, where I work from.

If you can help me out, thanks.

Dear MCT,

I came here with a new problem; I hope you'll help me solve it as you've done before.
I am attaching the infected user screenshot. I'm using the firewall rules as you suggested before, but one of my users is continually spamming, and the main thing I have noticed is that I gave this user a 64k uplink in the queue but he's still spamming at 1.5 Mb uplink. Why is this happening? Is my firewall not working, or what else?

Please find a way for me...
Thanks

Best regards
scrreen.jpg

50.50.50.62 has some virus - just find them and punish them!

P.S. If you see this in Torch, it doesn't mean that it's not blocked by the firewall filter.