soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 6:53 am

I received 2 emails in 2 days.

I consulted my friends and they said I have to add some firewall rules to my MikroTik to avoid this issue.
I use Google DNS.

So, what rules to add to the MikroTik?
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 8:40 am

Default firewall configuration would be sufficient.

But basically you should restrict connection-state=new in-interface=Public connections, all of them (except the ones that you need).
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 8:43 am

Default firewall configuration would be sufficient.

But basically you should restrict connection-state=new in-interface=Public connections, all of them (except the ones that you need).
Sorry, I'm new to MikroTik and I don't want to touch anything inside Winbox unless I know what I'm doing.
Can you point out exactly what to add?
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 9:03 am

Default firewall configuration would be sufficient.

But basically you should restrict connection-state=new in-interface=Public connections, all of them (except the ones that you need).

Add this in the terminal?

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether8 protocol=udp ??
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 9:08 am

....but somehow you did delete the default configuration...

If your ip firewall filter input is clear you should replace ether1-gateway with your interface name and paste these rules:
/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
This will restrict all connections from outside, except ping.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 9:08 am

But this will drop the DNS requests completely.
I think, we need to add one more rule to redirect the requests ?

Or did I miss something ?
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 9:16 am

....but somehow you did delete the default configuration...

If your ip firewall filter input is clear you should replace ether1-gateway with your interface name and paste these rules:
/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
This will restrict all connections from outside, except ping.


I think we only need to stop DNS requests at the WAN interface and make sure people use only my defined DNS.
Is that right?
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 10:01 am

But this will drop the DNS requests completely.
I think, we need to add one more rule to redirect the requests ?

Or did I miss something ?
Nope, it will only drop new requests; don't forget that your requests will be initiated by the router itself, so replies to those will return as connection-state=established.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 10:04 am

But this will drop the DNS requests completely.
I think, we need to add one more rule to redirect the requests ?

Or did I miss something ?
Nope, it will only drop new requests; don't forget that your requests will be initiated by the router itself, so replies to those will return as connection-state=established.
Then I'm confused about what exactly to add to stop this behavior in future.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 10:14 am

Then I'm confused about what exactly to add to stop this behavior in future.
Macgaiver already posted what you need to add:
http://forum.mikrotik.com/viewtopic.php ... 50#p506950

Those rules allow established connections from LAN and block all requests from WAN
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 10:18 am

Then I'm confused about what exactly to add to stop this behavior in future.
Macgaiver already posted what you need to add:
http://forum.mikrotik.com/viewtopic.php ... 50#p506950

Those rules allow established connections from LAN and block all requests from WAN
Okay, my WAN on the NAS router (MikroTik CCR1009) is ether8.


So, I need to paste this:
/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether8 comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether8 comment="default configuration"
add chain=input action=drop in-interface=ether8 comment="default configuration"
Is that correct?

The network is live with 320 online users.
Are you sure this won't break the connection?
I will paste the code into the terminal then.
I'm 500 miles away from my core office.
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 11:35 am

User traffic goes through forward; this is input, it affects only traffic to the router itself.

I really suggest getting some training or hiring a consultant.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 11:37 am

User traffic goes through forward; this is input, it affects only traffic to the router itself.

I really suggest getting some training or hiring a consultant.
Yes, I have already enrolled in the MikroTik training in our country.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Tue Nov 10, 2015 12:16 pm

Okay added.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Thu Nov 12, 2015 12:58 pm

One issue came after this.
The winbox and web both are not accessible from the outside network after this rule.

So, I had to switch off the drop firewall rule.
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Thu Nov 12, 2015 1:03 pm

One issue came after this.
The winbox and web both are not accessible from the outside network after this rule.

So, I had to switch off the drop firewall rule.
You have to add accept rules specifically for Winbox (protocol=tcp dst-port=8291). I do not suggest allowing access to the web config from outside; use Winbox.

Place that rule before the last drop.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Thu Nov 12, 2015 1:36 pm

One issue came after this.
The winbox and web both are not accessible from the outside network after this rule.

So, I had to switch off the drop firewall rule.
You have to add accept rules specifically for Winbox (protocol=tcp dst-port=8291). I do not suggest allowing access to the web config from outside; use Winbox.

Place that rule before the last drop.

So first remove the drop firewall rule and then run this:
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 in-interface=ether8 comment="default configuration"
add chain=input action=drop in-interface=ether8 comment="default configuration"
Correct?
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Wed Dec 16, 2015 7:01 am

Got the email again, but it's for an IP which is nowhere in the network, only as a block.
You appear to be running an open recursive resolver at IP address 103.194.232.65 that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.

Please consider reconfiguring your resolver in one or more of these ways:

- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)
- To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)
You can see the IP is a block and not even used.
Then how come?
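Two points in this thread call for a check rather than more rules: the abuse report above describes an "open recursive resolver" that returns large UDP replies to spoofed queries, and the earlier posts never show how to confirm that the WAN address has stopped answering. The script below is an added example for this page, not code from MikroTik or from anyone in the thread. It builds a minimal DNS query with the RD (recursion desired) bit set, parses the header of the reply, and reports whether the server set RA (recursion available) and answered, which is exactly what makes an address an open resolver; it also computes the reply-to-query size ratio, the amplification the report refers to. The target address 192.0.2.1, the hostname example.com and the two embedded sample replies are assumptions constructed for the example; run it from a host outside your network against your real WAN address.

```python
"""Probe an address for an open recursive DNS resolver.

Added example for this thread (not MikroTik code). Target address, hostname
and the sample replies below are constructed assumptions.
"""
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels: b"\\x07example\\x03com\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """One question, type A (1) class IN (1), with RD set so a recursive server will resolve it."""
    flags = 0x0100 if rd else 0x0000          # QR=0, opcode=0, RD bit 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags that matter for this check."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # 1 = response
        "rd": bool(flags & 0x0100),    # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),    # recursion available: the server will recurse for you
        "rcode": flags & 0x000F,       # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_resolver(query: bytes, reply: bytes) -> bool:
    """True when the reply is a matching recursive answer: RA set, NOERROR, at least one record."""
    q = parse_header(query)
    r = parse_header(reply)
    return r["qr"] and r["id"] == q["id"] and r["ra"] and r["rcode"] == 0 and r["ancount"] > 0


def amplification(query: bytes, reply: bytes) -> float:
    """Bytes sent to the victim per byte the attacker spoofs. A records give little;
    ANY or DNSSEC-signed zones give replies that fragment, as the abuse report describes."""
    return len(reply) / len(query)


def probe(server_ip: str, name: str = "example.com", timeout: float = 3.0):
    """Send one UDP query to port 53; return (query, reply) or (query, None) on timeout.
    A filtered WAN address gives no reply at all, which is the desired result."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return query, reply


# Constructed sample: what an open resolver returns for the query above.
# Flags 0x8180 = QR + RD + RA, RCODE 0; one A record example.com -> 93.184.216.34, TTL 60.
SAMPLE_QUERY = build_query("example.com")                      # 29 bytes
SAMPLE_OPEN_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)    # question echoed back
    + b"\xc0\x0c"                                              # name pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([93, 184, 216, 34])
)                                                              # 45 bytes
# Constructed sample of a closed resolver: flags 0x8105 = QR + RD, RA clear, RCODE 5 (REFUSED).
SAMPLE_REFUSED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # assumed WAN address
    query, reply = probe(target)
    if reply is None:
        print(f"{target}: no reply (port 53 filtered or nothing listening)")
    else:
        verdict = "OPEN" if is_open_resolver(query, reply) else "closed"
        print(f"{target}: {verdict}, amplification x{amplification(query, reply):.1f}")
```

With the input-chain drop rules from earlier in the thread in place, the probe should time out. If it still prints OPEN, the packets are reaching the router's resolver, so check rule order (an accept above the drop) and which interface really carries the WAN address. Note also that torch reports packets as they arrive on the interface, including ones the filter then drops, and that the router's own queries to its upstream servers leave the WAN port with destination port 53 too, so port-53 entries in torch on their own do not mean the resolver is still open.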
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Wed Dec 16, 2015 11:15 am

Something is weird.

I got this email for the start IP address of all of my IP blocks,
which is not used anywhere.

How is it possible ?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Wed Dec 16, 2015 11:18 am

Looks like spam to me. I would ignore such emails, especially if they are not true.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Wed Dec 16, 2015 11:20 am

Looks like spam to me. I would ignore such emails, especially if they are not true.
Don't think so!
As it had completely stopped and started all again, and it's for the IPs which are the gateway IPs of the block.
So, the gateway IP is used nowhere in the network at all.

You can see the emails are authentic,
meaning something is happening for sure.


See attached.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Wed Dec 16, 2015 1:08 pm

Looks like spam to me. I would ignore such emails, especially if they are not true.

Looks like I have confused the rules completely.
Can you paste the exact code so I can paste it into the terminal?

I don't think the above code is working, because when I torch the WAN port, I see a lot of active connections for port 53, which is dangerous, I guess.
 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Wed Dec 16, 2015 1:18 pm

 
soamz
Member
Topic Author
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Open recursive resolver DNS Attack - What firewall to add to fix ?

Wed Dec 16, 2015 1:38 pm

I added these two:
/ip firewall filter
add chain=input in-interface=ether8 protocol=udp dst-port=53 action=drop comment="drop DNS to the router itself arriving on WAN"
add chain=input in-interface=ether8 protocol=tcp dst-port=53 action=drop comment="drop DNS to the router itself arriving on WAN"


/ip firewall filter
add chain=forward protocol=udp dst-port=53 out-interface=!ether8 action=drop comment="drop DNS forwarded towards non-WAN interfaces"
add chain=forward protocol=tcp dst-port=53 out-interface=!ether8 action=drop comment="drop DNS forwarded towards non-WAN interfaces"

But when I torch ether8, I still get many active connections on port 53.
Why is it so?
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Wed Dec 16, 2015 3:34 pm
