Einaras
just joined
Topic Author
Posts: 9
Joined: Sun Oct 14, 2012 12:36 pm

How to block or identify connection to certain IP

Sun Oct 14, 2012 12:57 pm

Hi,
I have a problem in my network with the downandup virus, aka Conficker. My ISP told me the IPs to which the downandup virus connections are going. How can I identify the PC which is doing that in my network? I have caught it on Torch, but this just shows my internal IP, not the one which makes connections from inside.
Maybe some suggestions? Thanks for the answers.
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: How to block or identify connection to certain IP

Tue Oct 16, 2012 12:09 pm

/ip firewall mangle
add action=add-dst-to-address-list address-list=observed-ips \
address-list-timeout=0s chain=prerouting disabled=no dst-address=\
149.20.56.32

This should add to address list observed-ips all IPs that try to connect to 149.20.56.32
 
Einaras
just joined
Topic Author
Posts: 9
Joined: Sun Oct 14, 2012 12:36 pm

Re: How to block or identify connection to certain IP

Tue Oct 16, 2012 6:36 pm

Thanks, but where should that IP list come up? In which section?
Thanks again.
 
Einaras
just joined
Topic Author
Posts: 9
Joined: Sun Oct 14, 2012 12:36 pm

Re: How to block or identify connection to certain IP

Tue Oct 16, 2012 6:39 pm

Maybe I can't find observed-ips in the address list because there are no packets sent, and the list isn't created.
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: How to block or identify connection to certain IP

Tue Oct 16, 2012 7:13 pm

Instead of running torch on your WAN port, run it on the LAN. By watching the WAN you see the traffic after it has already gone through NAT. You'll have to change the public IP to the DST. IP address instead of source like what you currently have.
 
Einaras
just joined
Topic Author
Posts: 9
Joined: Sun Oct 14, 2012 12:36 pm

Re: How to block or identify connection to certain IP

Tue Oct 16, 2012 8:02 pm

But when I run torch on LAN, it shows connections to 192.168.0.1, but not to the certain IP.
 
Einaras
just joined
Topic Author
Posts: 9
Joined: Sun Oct 14, 2012 12:36 pm

Re: How to block or identify connection to certain IP

Tue Oct 16, 2012 9:18 pm

I caught it, but where can I see the LAN IP which sent the packet to that IP?
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: How to block or identify connection to certain IP

Wed Oct 17, 2012 10:54 am

My mistake.
Change the rule to action=add-src-to-address-list
 
Einaras
just joined
Topic Author
Posts: 9
Joined: Sun Oct 14, 2012 12:36 pm

Re: How to block or identify connection to certain IP

Wed Oct 17, 2012 1:14 pm

Thanks, caught the infected IP.
 
Einaras
just joined
Topic Author
Posts: 9
Joined: Sun Oct 14, 2012 12:36 pm

Re: How to block or identify connection to certain IP

Thu Oct 18, 2012 1:40 pm

And one more question: how to block all traffic for the observed-ips list, so that they could communicate in the LAN, but couldn't go to the WAN?
Thanks a lot.
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: How to block or identify connection to certain IP

Fri Oct 19, 2012 11:12 am

/ip firewall filter add chain=forward src-address-list=observed-ips action=drop
Traffic from LAN to LAN does not pass through the router.
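
The thread's steps collected into one RouterOS configuration, as an added example that is not from any poster in this thread. It generalizes from the single address to a list of ISP-reported addresses; the list name isp-reported and the interface names ether2-lan and ether1-wan are assumptions, and log= / log-prefix= on the drop rule assume RouterOS v6 or later.

```routeros
# Added example. isp-reported, ether2-lan and ether1-wan are assumed names;
# replace them with the names used on your router.

# 1. Destinations reported by the ISP. Only the address quoted in the
#    thread is listed here; add one entry per reported address.
/ip firewall address-list
add list=isp-reported address=149.20.56.32 comment="reported by ISP"

# 2. Detection: record the LAN *source* of any packet headed to a reported
#    destination. This is the corrected action from the thread
#    (add-src-to-address-list, not add-dst-to-address-list).
#    Matching on the LAN interface in prerouting sees the packet before
#    src-nat, so the internal address is what gets recorded.
/ip firewall mangle
add chain=prerouting in-interface=ether2-lan dst-address-list=isp-reported \
    action=add-src-to-address-list address-list=observed-ips \
    address-list-timeout=0s comment="record hosts contacting reported IPs"

# 3. Review: dynamic entries show up here, and only after a packet has
#    matched the rule above. An empty result means nothing has matched yet.
/ip firewall address-list
print where list=observed-ips

# 4. Containment: drop routed traffic from recorded hosts toward the WAN.
#    Hosts on the same LAN segment still reach each other, because that
#    traffic is switched and never enters the forward chain.
/ip firewall filter
add chain=forward src-address-list=observed-ips out-interface=ether1-wan \
    action=drop log=yes log-prefix="observed-ips " \
    comment="quarantine recorded hosts from WAN"
```

The drop rule only takes effect if it sits above any accept rule in the forward chain that would match the same traffic. Remove a host's entry from observed-ips once the machine has been cleaned.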
