vpn attacks and how to block these connections

Hi guys, my vpn server is being attacked by a /24 subnet, not just a single ip. i created a filter rule which is input, and source address is the whole subnet 92.63.194.0/24 and the action is dropped. Few hours later the same person still tries to connect with failed attempts, so i changed the action to reject with network unreachable message. He can still access the server. i would really appreciate if you can help me with blocking them!

Here you go:

http://forum.mikrotik.com/t/feature-request-blocking-a-special-kind-of-ddos/133917/15

Don’t reject because the other side is not listening. If you do that in RAW then that gives the least impact on your router.

Thanks msatter. I read your script. Correct me if im wrong the script reads the connections table and automatically puts the /24 subnet into an address list and then? you manually set a filter rule?


edit : i manually created an address list with the 92.63.194.0/24 subnet called it vpn-attack_1 :slight_smile: and added as source address list in RAW with drop action. correct? if yes, it remains to see if they try to connect again

Impossible! This means you filtering rule is not working or applied wrong.
Offcourse you will keep seeing attempts up to the Mikrotik, but should not arrive at your backend VPN server!

Your “VPN server” ? How do you reach it ? You have some DNAT-entry to it ?
Or are you talking about VPN-services on the Mikrotik itself ? Very unclear in your opening post…

This is what i get in the log file :
https://ibb.co/Gsq8cps


i mean reach it as they can still try to connect using various usernames. Im not sure what im doing wrong. there were a few other IPs in the past which attempted to login with admin/root whatever user/pass to the mikrotik and since i blocked them with filter rules they stopped. but this specific type of connections are still “reachable”. im not sure if im using the right terminology. i apologize for this!

Are you still using the VPN for other reasons ? (pptp is insecure and you should move on to something else)
These other connection perhaps where made to SSH/Winbox ports etc?
Perhaps you should post the complete config here (like other would suggest too) but without sensitive info. => /export hide-sensitive

pptp is only for a few tests. i use l2tp with ipsec. Since the blacklist configuration in address list and the RAW firewall rule i had no attacks. I believe this was the solution

Good it was fixed. Probably indeed because the pre-routing/RAW is very early after the packet arrives in your router interface.

I don’t use the connections table. Every connection on a specfic port(s) are put on list one with a timeout on it.

As soon as there more than lets 5 connection from the same subnetmask while the timeout is not past that subnet is set in list 2. List two is the list that blocks.

Adding the same unique address to list 1 is not possible. Looking for new connections for list 1 do that is in filter. Blocking happens in RAW.