Some of the mentioned ports are known to be used for hacking purposes by infected devices. For example:
- port 22 (SSH) can be misused for reverse tunneling.
- port 80 is very common for DDoS because nobody filters it. I recently saw an issue where a home user had an infected device which was opening thousands of HTTP/TCP connections to Alibaba, but instead of crashing their server, it crashed the ISP's CCR1072 (a bug in the garbage collector when NAT has the setting and the number of connections exceeds the allowed range).
- port 53 can be used for DNS DDoS, again very common.
Sounds like you are trying to provide IPS functionality on pure RouterOS. Maybe it would be easier to install a proper IPS appliance and let it filter your traffic?
I am aware of those issues, but I do have to start from somewhere. Also, the budget is a bit limited here. I do have a 3011 router, but I don't have other appliances.
My first step would be to filter out anything that is not explicitly needed, then focus on what is left.
Each client is protected by the BitDefender AV/Firewall Enterprise solution (rather different from the consumer one), which performs really well.
The firewall works by installing an additional (invisible) passthrough network device over which all traffic traverses, so it reliably catches everything and also filters HTTP traffic, allowing blocking of content system-wide (PCs). For business agents I block:
- hate, violence, illegal drugs, racism
So, if I reduce the attack surface port-wise, it should be relatively easy to find a rogue device in the network. I had a situation last year when the entire network was bogged down by one user forgetting to turn off a P2P program when he got to work. We had a 10 Mbit/s link at that point. Now it is 40, and it is getting to 100 later this year.
I also intend to introduce a Squid proxy and Pi-hole DNS later on. Squid would serve the computer network and Pi-hole the entire network. I have three WiFi networks: normal (part of the LAN), a secluded WiFi for users, and a guest WiFi.
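As an added example (not the poster's configuration and not part of the original thread), the following RouterOS 6 firewall fragment implements the approach described above: LAN-to-Internet traffic is dropped unless explicitly allowed, port 53 is forced through the internal Pi-hole so external DNS never needs to be open, and a host that opens an unusually large number of TCP connections (the P2P or infected-device case) is tagged in an address list so it can be found quickly. The LAN range 192.168.10.0/24, the Pi-hole address 192.168.10.5, the WAN interface name ether1-wan and the 200-connection threshold are all assumptions chosen for the example.

```routeros
# Added example, not the poster's config. Assumed values:
#   LAN            192.168.10.0/24
#   Pi-hole        192.168.10.5
#   WAN interface  ether1-wan
#   threshold      200 concurrent TCP connections per LAN host

/ip firewall address-list
add list=lan-nets address=192.168.10.0/24 comment="LAN (assumed)"
add list=dns-servers address=192.168.10.5 comment="Pi-hole (assumed)"

/ip firewall nat
# Clients with a hard-coded public resolver are transparently redirected to
# the Pi-hole, so UDP/TCP 53 to the outside stays closed for the whole LAN.
add chain=dstnat src-address-list=lan-nets protocol=udp dst-port=53 dst-address=!192.168.10.5 action=dst-nat to-addresses=192.168.10.5 comment="force LAN DNS via Pi-hole"
add chain=dstnat src-address-list=lan-nets protocol=tcp dst-port=53 dst-address=!192.168.10.5 action=dst-nat to-addresses=192.168.10.5

/ip firewall filter
# 1. Housekeeping: keep established flows, drop invalid ones.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid

# 2. Detection, placed before the allow rules: a LAN host holding more than
#    200 concurrent TCP connections (counted per /32) is listed for one hour.
#    The action is non-terminating, so this only tags; it does not block.
add chain=forward action=add-src-to-address-list address-list=conn-hogs address-list-timeout=1h src-address-list=lan-nets protocol=tcp connection-state=new connection-limit=200,32 comment="tag hosts with too many connections (P2P / infected)"

# 3. Explicit allows. This list is the complete allow-list for the LAN.
add chain=forward action=accept src-address-list=lan-nets dst-address-list=dns-servers protocol=udp dst-port=53 comment="DNS to Pi-hole only"
add chain=forward action=accept src-address-list=lan-nets dst-address-list=dns-servers protocol=tcp dst-port=53
add chain=forward action=accept src-address-list=lan-nets out-interface=ether1-wan protocol=tcp dst-port=80,443 comment="web; point at Squid once it is deployed"
add chain=forward action=accept src-address-list=lan-nets out-interface=ether1-wan protocol=udp dst-port=123 comment="NTP"

# 4. Everything else from the LAN to the Internet (outbound SSH, DNS to
#    external resolvers, P2P ports, ...) is logged with a rate limit so a
#    chatty device cannot flood the log, and then dropped.
add chain=forward action=log src-address-list=lan-nets out-interface=ether1-wan limit=20,5:packet log-prefix="lan-drop: "
add chain=forward action=drop src-address-list=lan-nets out-interface=ether1-wan
```

To find the rogue device, `/ip firewall address-list print where list=conn-hogs` shows which LAN address crossed the threshold, and `/log print where message~"lan-drop"` shows which hosts keep trying ports that are not on the allow-list. The secluded and guest WiFi networks are not in `lan-nets` here and need their own entries (or their own chain) before this applies to them, and a `fasttrack-connection` rule, if one is added later, should go after the tagging rule so new connections are still counted.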