How to block or identify connection to certain IP

Posted: Sun Oct 14, 2012 12:57 pm
by Einaras
Hi,
I have a problem in my network with the Downadup virus, aka Conficker. My ISP told me the IPs to which the Downadup virus connections are going. How can I identify the PC in my network which is doing that? I have caught it on Torch, but this just shows my internal IP, not the one which makes the connections from inside.
Maybe some suggestions? Thanks for the answers.

Re: How to block or identify connection to certain IP

Posted: Tue Oct 16, 2012 12:09 pm
by deejayq
/ip firewall mangle
add action=add-dst-to-address-list address-list=observed-ips \
address-list-timeout=0s chain=prerouting disabled=no dst-address=\
149.20.56.32

This should add to the address list observed-ips all IPs that try to connect to 149.20.56.32.

Re: How to block or identify connection to certain IP

Posted: Tue Oct 16, 2012 6:36 pm
by Einaras
Thanks, but where should that IP list come up? In which section?
Thanks again.

Re: How to block or identify connection to certain IP

Posted: Tue Oct 16, 2012 6:39 pm
by Einaras
Maybe I can't find observed-ips in the address list because no packets have been sent, and the list isn't created.

Re: How to block or identify connection to certain IP

Posted: Tue Oct 16, 2012 7:13 pm
by Feklar
Instead of running Torch on your WAN port, run it on the LAN. By watching the WAN you see the traffic after it has already gone through NAT. You'll have to change the public IP to the DST IP address instead of the source, like what you currently have.

Re: How to block or identify connection to certain IP

Posted: Tue Oct 16, 2012 8:02 pm
by Einaras
But when I run Torch on the LAN, it shows connections to 192.168.0.1, but not to that certain IP.

Re: How to block or identify connection to certain IP

Posted: Tue Oct 16, 2012 9:18 pm
by Einaras
I caught it, but where can I see the LAN IP which sent packets to that IP?

Re: How to block or identify connection to certain IP

Posted: Wed Oct 17, 2012 10:54 am
by deejayq
My mistake.
Change the rule to action=add-src-to-address-list

Re: How to block or identify connection to certain IP

Posted: Wed Oct 17, 2012 1:14 pm
by Einaras
Thanks, caught the infected IP.

Re: How to block or identify connection to certain IP

Posted: Thu Oct 18, 2012 1:40 pm
by Einaras
And one more question: how do I block all traffic for the observed-ips list, so that they can communicate in the LAN but can't go to the WAN?
Thanks a lot.

Re: How to block or identify connection to certain IP

Posted: Fri Oct 19, 2012 11:12 am
by deejayq
/ip firewall filter add chain=forward src-address-list=observed-ips action=drop
Traffic from LAN to LAN does not pass through the router.
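The same workflow as the thread (attribute connections to the ISP's indicator IP by their pre-NAT LAN source, then emit the address-list and drop rules), as an added Python example that is not from the thread or from MikroTik. The connection lines are constructed in a simplified "proto src dst" format, not real RouterOS output, and the 192.168.0.0/24 LAN and 203.0.113.5 public address are assumed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample connection table (proto src:port dst:port). The line whose
# source is the public address 203.0.113.5 is the post-NAT view Feklar describes:
# it proves traffic to the indicator exists but cannot name the infected host.
SAMPLE_CONNECTIONS = """\
tcp 192.168.0.15:49213 149.20.56.32:80
udp 192.168.0.22:5353 224.0.0.251:5353
tcp 192.168.0.15:49220 149.20.56.32:443
tcp 192.168.0.40:51002 93.184.216.34:80
tcp 203.0.113.5:49213 149.20.56.32:80
tcp 192.168.0.77:60001 149.20.56.32:80
"""

# Indicator addresses from the ISP; 149.20.56.32 is the one quoted in the thread.
INDICATOR_IPS = {ipaddress.ip_address("149.20.56.32")}
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN range

LINE_RE = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)$")


def find_internal_hosts(text, indicators, lan):
    """Map each LAN source address to the set of indicator addresses it contacted.
    Only sources inside `lan` count, i.e. the pre-NAT view from the LAN side."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        src = ipaddress.ip_address(m.group(2))
        dst = ipaddress.ip_address(m.group(4))
        if src in lan and dst in indicators:
            hits[str(src)].add(str(dst))
    return dict(hits)


def block_rules(hosts, list_name="observed-ips"):
    """Emit the RouterOS commands used in the thread: add each host to the address
    list, then drop its forwarded traffic. LAN-to-LAN traffic never reaches the
    forward chain, so those hosts keep talking locally but lose WAN access."""
    cmds = [f"/ip firewall address-list add list={list_name} address={h}"
            for h in sorted(hosts)]
    cmds.append(f"/ip firewall filter add chain=forward "
                f"src-address-list={list_name} action=drop")
    return cmds


if __name__ == "__main__":
    infected = find_internal_hosts(SAMPLE_CONNECTIONS, INDICATOR_IPS, LAN)
    for host, dsts in infected.items():
        print(host, "->", ", ".join(sorted(dsts)))
    print("\n".join(block_rules(infected)))
```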