mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

MOAB mother of all blacklists

Fri Aug 03, 2018 10:26 pm

I am launching a Blacklist service for MikroTik Routers called MOAB -- the service costs US $60 per year and is payable via PayPal.

I am offering 20 users from the MikroTik community a chance to try out this service free of charge up to September 30, 2018.

If you want to be part of this free trial period please contact me via email at mozerd@itexpertoncall.com -- the prerequisites.

You can learn about MOAB here
Last edited by mozerd on Mon Aug 06, 2018 7:01 pm, edited 2 times in total.
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sat Aug 04, 2018 2:32 am

Pokornik, I am not able to respond to your request because your address has been identified as a spammer by sorbs.net
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sat Aug 04, 2018 11:39 pm

FYI, so far 8 users have subscribed to the Free Trial period that expires on September 30 2018, so only 12 spots still available.
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sun Aug 05, 2018 4:45 pm

 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Mon Aug 06, 2018 7:05 pm

As of today, August 6, 2018, 12 users have signed up for the free trial period that expires on September 30, 2018.

So I have 8 remaining slots open.

If you have any Questions I will be happy to answer in THIS thread.
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 2:09 am

A number of users have contacted me via email and requested that I make the prerequisites a little clearer to understand. I now have done that, so please check the link again, and thanks to ALL for the feedback. Updated Prerequisites
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 6:04 am

Sorry but I can't help myself not to ask couple of questions:
1) Can you clear up a little bit how does user/owner of router handle security - i.e. limiting your RSC to not create new users, open ports etc? Downloading 3rd party RSC can cause unpredictable and serious issues as it can completely rule the device.
If it is really just blacklist, you can distribute it as txt/csv list of addresses. Everyone can easily create script to download and implement the list on scheduled basis. That way, every user knows exactly what the script does and there is guarantee that it will not do anything else because it is not capable of anything else.

2) I can see that you offer for example hAP ac^2 as "capable router firewall appliance". What performance impact can be expected on such device after you add those 600 million IPs into? are there some test results based on clearly defined scenario which can be replicated by everyone so we can confirm those numbers?
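
The concern in the post above (an imported third-party .rsc can do anything on the router) can be checked before import. This is an added example, not part of the original thread and not MOAB's code: a Python pre-import audit that accepts a file only if every line is an IPv4 `address-list add`, then rebuilds the commands locally. The function names, the list name `moab-audited` and the sample file are constructed for illustration.

```python
import ipaddress
import re

MENU = "/ip firewall address-list"
ALLOWED_KEYS = {"list", "address", "comment", "timeout"}
# One key=value argument. Values are a bare word or a double-quoted string;
# RouterOS substitution/chaining characters ($ [ ] ; { } \) are never accepted.
TOKEN_SRC = r'([a-z-]+)=("[^"\\$\[\];{}]*"|[^\s"\\$\[\];{}]+)'
TOKEN = re.compile(TOKEN_SRC)
ARGS = re.compile(rf'{TOKEN_SRC}(?:\s+{TOKEN_SRC})*')
LIST_NAME = re.compile(r'[A-Za-z0-9_.-]+')


def parse_add(rest):
    """Parse the text after the menu path; return (list, network) or raise ValueError."""
    if not rest.startswith("add "):
        raise ValueError("only 'add' is allowed")
    args = rest[4:].strip()
    if not ARGS.fullmatch(args):
        raise ValueError("unexpected characters or arguments")
    params = {}
    for key, value in TOKEN.findall(args):
        if key not in ALLOWED_KEYS or key in params:
            raise ValueError(f"parameter not allowed: {key}")
        params[key] = value.strip('"')
    if "list" not in params or "address" not in params:
        raise ValueError("list= and address= are required")
    if not LIST_NAME.fullmatch(params["list"]):
        raise ValueError("bad list name")
    # Assumption of this example: only IPv4 addresses and CIDR subnets are accepted
    # (no DNS names, no ranges). IPv4Network raises ValueError on anything else.
    network = ipaddress.IPv4Network(params["address"], strict=False)
    return params["list"], str(network)


def audit_rsc(text):
    """Return (entries, violations) for the contents of a downloaded .rsc file."""
    entries, violations = [], []
    in_menu = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            if line == MENU:                      # bare path: enters the menu
                in_menu = True
                continue
            if not line.startswith(MENU + " "):   # any other menu or command
                in_menu = False
                violations.append((lineno, "command outside the address-list menu"))
                continue
            rest = line[len(MENU):].strip()
        elif in_menu:
            rest = line
        else:
            violations.append((lineno, "command outside the address-list menu"))
            continue
        try:
            entries.append(parse_add(rest))
        except ValueError as exc:
            violations.append((lineno, str(exc)))
    return entries, violations


def to_commands(entries, local_list):
    """Rebuild import commands locally, using a list name the operator chooses."""
    return [f"{MENU} add list={local_list} address={net}" for _, net in entries]


# Constructed sample input (documentation address ranges), not a real MOAB file.
SAMPLE = """\
# constructed sample
/ip firewall address-list
add list=blacklist address=192.0.2.0/24
add list=blacklist address=198.51.100.7 comment="constructed entry"
/user add name=example group=full
add list=blacklist address=203.0.113.0/24
/ip firewall address-list add list=blacklist address=203.0.113.0/24 timeout=1d
/ip firewall address-list
remove [find list=whitelist]
add list=blacklist address=not-an-ip
"""

if __name__ == "__main__":
    ok, bad = audit_rsc(SAMPLE)
    for lineno, reason in bad:
        print(f"line {lineno}: REJECTED ({reason})")
    if not bad:
        print("\n".join(to_commands(ok, "moab-audited")))
```

Importing only the regenerated commands, and only when the violation list is empty, means the router never executes text taken from the downloaded file.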
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:04 am

If it is really just blacklist, you can distribute it as txt/csv list of addresses
Then they can post it on the web, so that others don't need to pay.

But yeah, I think there should be some other way to distribute config. TR-069? Fetch?
 
pe1chl
Forum Guru
Posts: 10239
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:30 am

A blocklist for MikroTik should be distributed using DNS address lists.
There are two limitations that limit that method:

- when the blocklist contains subnets, there is no efficient method to transfer them.
solution: MikroTik should lookup TXT records besides A records, and when they are valid textual subnet notation, load them.
like: IN TXT 192.168.0.0/24

- the number of DNS entries returned is limited too much. I think the limit is in the built-in DNS resolver which has a limit on reply size.
(the actual number of addresses varies depending on the length of the DNS name used to query them)

I hope MikroTik addresses these limitations so it will be easier to manage address lists on many routers.
 
inframe
just joined
Posts: 10
Joined: Tue May 13, 2014 10:20 am

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:33 am

The idea of an update list of blackholes is interesting!
Can I use updatable lists through an external BGP routing server?
 
inframe
just joined
Posts: 10
Joined: Tue May 13, 2014 10:20 am

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:41 am

The inverse principle! Works quite reliably!
https://habr.com/post/354282/
 
pe1chl
Forum Guru
Posts: 10239
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 10:44 am

The idea of an update list of blackholes is interesting!
Can I use updatable lists through an external BGP routing server?
It is possible, but it is quite impractical because you need another step to transfer the information from the
routing table maintained by BGP to a place where you can actually use it, i.e. an address list.
Maybe another useful feature suggestion: an address-list item that refers to a routing-table name, and that
automatically gets loaded by all addresses that appear in that routing table.

Another problem is that a BGP association is always 2-way so you both need to set the address of the central
server providing the information AND in the central server YOUR IP address has to be configured. That is a
problem when your IP address is not static. This could be overcome by setting up a VPN that allows a dynamic
client address (L2TP/IPsec, SSTP, OpenVPN) but that adds yet another layer of complexity.
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 11:10 am

/watching

Interested to see feedback from those using this.
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 11:53 am

1) Can you clear up a little bit how does user/owner of router handle security - i.e. limiting your RSC to not create new users, open ports etc? Downloading 3rd party RSC can cause unpredictable and serious issues as it can completely rule the device.

If it is really just blacklist, you can distribute it as txt/csv list of addresses. Everyone can easily create script to download and implement the list on scheduled basis. That way, every user knows exactly what the script does and there is guarantee that it will not do anything else because it is not capable of anything else.

2) I can see that you offer for example hAP ac^2 as "capable router firewall appliance". What performance impact can be expected on such device after you add those 600 million IPs into? are there some test results based on clearly defined scenario which can be replicated by everyone so we can confirm those numbers?
Thanks for the excellent questions.
1) your point is very valid. Since I am not running a criminal enterprise - the subscriber to my service will need to have explicit trust that my blacklist scripts will not violate their trust. People who subscribe to my service do not want to create or manage their blacklists.
2) Currently, I have a small number of users with hAPac2 devices [and hEX], subscribing to MOAB, who - so far - are very pleased with the performance in their environments. The hAPac2 that I install/configure clearly outlines the limitations, i.e. supports up to 5 users + all needed peripherals -- while the hEX that I install/configure supports 10 users and up to 20 connected devices --- I have not done any benchmarks under load -- I much prefer that my users report back to me if there are performance issues. Perhaps some will come here and provide their endorsement -- most [if not all] are very busy with their lives.

MOAB is derived from FireHOL, which I make clear in my advertising -- you can check it out here

[EDIT] I did fail to mention that I do have ONE user located in Northern Europe who supports a large number of CCR's in the field who is using MOAB [for the last 2 months] all of them supporting several thousand users. I just requested that he come here and post his experiences but -- so far -- he has declined to do so and he requested that I be vague so I cannot state exactly where he is located. He could very easily run his own blacklist mechanism and is well aware of FireHOL as many others are -- he got a significant discount based on his number of routers -- he chose to subscribe and so far he seems very pleased -- no one in his group is complaining of any performance issue attributed to MOAB.
Last edited by mozerd on Thu Aug 09, 2018 10:30 pm, edited 2 times in total.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 12:24 pm

@normis:
Then they can post it on the web, so that others don't need to pay.
I was wondering who will come with this idea :D
Well, this is common issue for all services - to make sure that users will not share the product. In this case, it simply can't be done. If users can manage the router, then they have access to those rules and they can export it and share it. RSC can't protect it at all.
For example Snort.org have nice approach with giving some basic list of rules for free and limiting better up-to-date list for subscribed users.

Though, I still don't think it is good idea to simply block so many IP addresses. Chance of false-positive is too high and it will end up similarly to sorbs.net - easy to get in, hard to get out, legit services blocked, nobody to blame...

@mozerd:
Thanks for reply! I really appreciate it.
1) I have no doubt that your intentions are pure and you don't plan to hack your customers, however, some man-in-the-middle or even angry employee can feel different about this. We unfortunately don't live in perfect world and attacks are happening. It would be quite sad to inadvertently help attackers while you are trying to stop them, just because your script had too much access.

2) I see. If you ever get any benchmark (simple iperf test with {transmitter}--{device under test}---{receiver} layout would be great), let us know. Or - if you want - I am willing to do this and share my findings. I understand you offered free trial for local users. I am not really interested in full-blown subscription or even prolonged trial, but if it helps, I can simply dedicate one of my testing routers and try it for couple of days and then give you the trial licence back. Let me know If this sounds interesting. If yes, I will send the request via email.

Anyway, I wish you and your business all best. Hopefully, you will encounter any security issues :)
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 12:46 pm

@mozerd:
2) I see. If you ever get any benchmark (simple iperf test with {transmitter}--{device under test}---{receiver} layout would be great), let us know. Or - if you want - I am willing to do this and share my findings. I understand you offered free trial for local users. I am not really interested in full-blown subscription or even prolonged trial, but if it helps, I can simply dedicate one of my testing routers and try it for couple of days and then give you the trial licence back. Let me know If this sounds interesting. If yes, I will send the request via email.
Yes I am interested -- please do send in your request based on the MOAB Prerequisites -- I appreciate your participation and look forward to the results of your testing.
 
pe1chl
Forum Guru
Posts: 10239
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 1:43 pm

Though, I still don't think it is good idea to simply block so many IP addresses. Chance of false-positive is too high and it will end up similarly to sorbs.net - easy to get in, hard to get out, legit services blocked, nobody to blame...
Of course it has zero functionality. Block some people because they appear to have bad intentions, and as a result block some legitimate users and still allow a lot of people with really bad intentions into your system because they happen to be not (yet) on the list.

However, I am interested in general mechanisms to manage large address lists under RouterOS, hence my additions to the topic.
Hopefully some method will become available that works better than importing a .rsc file. Preferably a DNS based address list
"without" limits (or more reasonable limits).
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MOAB mother of all blacklists

Tue Aug 07, 2018 7:15 pm

Great concept!!
Much thanks and have been using it with no issues.

When I first started out on my hex, on my own, I found some available firehol lists...... and started reading about spamhaus, dshield, malcode, country lists and other lists.
They would all pump out files to use.
Then I came across Josh Haven..........
http://joshaven.com/resources/tricks/mi ... ress-list/
Wow, a resource that looked at some major lists (not countries though) and provided them in almost a ready to use format.

There are lots of efforts and scripts out there, so don't bash the author and try the alternatives as they may work for you.
viewtopic.php?t=104020 (dated 2016)

viewtopic.php?f=9&t=136666 (Dave is working on this one, based on an older effort and may hold some promise but does speak to the challenges of setting this up properly and it takes time and money).

In summary, if someone wants to provide a stable, server based, blacklist for free that is tailored to one's equipment and seems to grab the best of what's available out there, then I and many others would be very grateful. (Normis, seems almost ready to volunteer, seeing as it so easy.............. )

In the meantime I will continue to use the service here that is so low cost - less than what I pay for coffee at Tim Hortons in a month. Since it's not tied to a service offering that could disappear at any time (josh) and one that is more complete, and is supported by someone who is looking after many clients (responsible individual) and is not in the business of increasing their security risk (plus being Canadian lol). I am not worried about such issues. I am more concerned about a gazillion other sites to which I use for transactions and mikrotik for their next security blunder LOL.

I am also investigating another avenue, which purports to access 'closed' lists and does layer 7 programming and targets TOR nodes.
You get what you pay for though as it is also not free. Seems very good so far.
https://axiomcyber.com/shield/
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Thu Aug 09, 2018 10:33 pm

FYI update -- I still have 7 slots open for the Free Trial Period that expires September 30, 2018

If you want to participate in the free trial then PLEASE review the MOAB prerequisites link and send me an email with the information requested. If you have any questions post them here. My email address is found in the first opening post of this thread.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 9:00 am

Hi,
I finally had chance to test the service and I must say, that performance impact on hAP ac^2 was negligible.

All tests were done with iperf in ubuntu. I used TCP connection and default window sizes (512k) and always performed 2 tests - one with "-r" param for separate RX/TX testing, second with "-d" param for duplex test where RX and TX was tested at the same time.

Directly connected computers:
  • TX = 914Mbps
  • RX = 939Mbps
  • Duplex TX = 703Mbps
  • Duplex RX = 677Mbps

In following tests, TX means LAN -> NAT -> WAN , RX means WAN -> NAT -> LAN

Defconf without fasttrack:
  • TX = 574Mbps
  • RX = 579Mbps
  • Duplex TX = 388Mbps
  • Duplex RX = 376Mbps

Defconf with fasttrack:
  • TX = 923Mbps
  • RX = 933Mbps
  • Duplex TX = 777Mbps
  • Duplex RX = 620Mbps

MOAB without fasttrack:
  • TX = 523Mbps
  • RX = 509Mbps
  • Duplex TX = 264Mbps
  • Duplex RX = 331Mbps

MOAB with fasttrack:
  • TX = 928Mbps
  • RX = 937Mbps
  • Duplex TX = 786Mbps
  • Duplex RX = 586Mbps

I am aware that my computers were probably not strong enough to handle full gigabit of iperf traffic. Unfortunately, I couldn't do better.
Anyway, as you can see, hAP ac^2 handles the list really well. Especially when you have fasttrack enabled, there is literally no difference between defconf and MOAB. Without fasttrack MOAB causes approximately 50Mbit of speed reduction against defconf. This will obviously be noticeable only if your router is already bottleneck and your connection is faster than your router can handle.

Couple of other things I noticed:
  • As you can read from MOAB prerequisite page, you are supposed to manually add two "drop" rules - one in Raw table, second in Filter table
    • Raw drop rule uses list of approximately 11 thousand entries
    • Filter drop rule uses list of approximately 6 thousand entries
    • Drop rules are based on interface, instead of interface-list. However, "bogon exclusion list" rule is based on interface-list=WAN. I believe it would be better to use same approach for all rules.
  • Downloads are protected by HTTP-Auth, so your initial setting script contain username and password to access the data
  • As I was worried earlier, the list is really distributed as RSC full of commands to add entries. This might be more optimized by distributing simple text file and parsing it directly in router. It will make downloaded file smaller and also remove possible risk from downloading malicious script
  • There is some attempt to minimize downloading by firstly fetching smaller TXT files which either have some content or is empty. However, as there are no parameters submitted while downloading these "diffs" files, it simply cannot truly represent difference between already applied settings in router and current list on the server. What "diff" it really represents is pure mystery to me
    • if I manually run the downloader script again and again, my lists were downloading again and again (but they should not as I already had newest version applied)
    • I would expect the diff file to be dynamically generated based on last version downloaded by the specified username. That would obviously require some back-end with database to store info, which version was downloaded by each user last time

Finally, I would like to thank Mozerd for providing free trial so I was able to do the test.
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 3:15 pm


Couple of other things I noticed:
  • Downloads are protected by HTTP-Auth, so your initial setting script contain username and password to access the data
  • As I was worried earlier, the list is really distributed as RSC full of commands to add entries. This might be more optimized by distributing simple text file and parsing it directly in router. It will make downloaded file smaller and also remove possible risk from downloading malicious script
  • There is some attempt to minimize downloading by firstly fetching smaller TXT files which either have some content or is empty. However, as there are no parameters submitted while downloading these "diffs" files, it simply cannot truly represent difference between already applied settings in router and current list on the server. What "diff" it really represents is pure mystery to me
    • if I manually run the downloader script again and again, my lists were downloading again and again (but they should not as I already had newest version applied)
    • I would expect the diff file to be dynamically generated based on last version downloaded by the specified username. That would obviously require some back-end with database to store info, which version was downloaded by each user last time
Thank you for conducting the tests and providing your comments.

MOAB Downloads are protected using HTTPS-Auth - encrypted - since I am using mode=https

For Text file processing I am not aware that the 4096 characters in size limitation has been changed --- all the lists I provide are large -- I would much prefer to use txt vs rsc but until the file size limitation is changed I'll stick with RSC's.

The diff files currently provide a very simple method to determine if a download is needed -- if empty no download -- if it has content download the replacement -- what I eventually will do with the diffs is if they do contain new content take that content and add/subtract to the existing list -- however it's quite a bit more complex than my simple description -- I much rather take the KISS approach currently. FYI, the diff files when they do contain content -- that content is the new IP's being added and some IP's that may need to be removed.

You are correct that I currently do not use a DB approach to user control because that would add significantly to the cost and I want to keep the cost as low as possible. Abuse is monitored on a daily basis and as soon as it is spotted that account is terminated.

I noticed that the account I provided you was not accessed?
[EDIT] I just now [2018 08 13 @ 10:01 AM] did another audit and see for the first time that you have 11 account access calls -- I assume to support your earlier comment.
Last edited by mozerd on Mon Aug 13, 2018 5:10 pm, edited 3 times in total.
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 4:10 pm

Stupid question, why a RAW and Filter drop rule? Can't there be 1 rule in RAW which kills everything on the list?
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 4:47 pm

Stupid question, why a RAW and Filter drop rule? Can't there be 1 rule in RAW which kills everything on the list?
That question is answered in the prerequisites link which I will reproduce here for you with a little more detail. :D

The Firewall rule for MOAB2 must be placed in IP Firewall Filter and not in RAW otherwise your VoIP service may not work plus certain websites will fail to load.

When 1 rule was used In my test bed using 20 geographically dispersed users they all reported that their VoIP stopped working and they could not access their web based VoIP control panels -- I am not going to detail the conversations I had with the VoIP providers -- all legitimate operators, .... so I changed the methodology and decided on 2 rules -- and this time VoIP + control panel worked for all test bed users.

Not including Trial Participants from this community, so far I currently have close to 400 MT routers using MOAB and zero complaints on not being able to reach the content or service they want to reach -- I do have many reports of how many drops are taking place to their delight -- the high numbers [millions] are quite remarkable to me.
 
effndc
newbie
Posts: 44
Joined: Wed Jan 11, 2017 1:25 am

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 9:10 pm

You don't include any detail on how your blacklists are created or maintained, what the source sample is to determine which sites should be blacklisted, etc. So why exactly would someone decide to pay you $60/year for a service with no specifications of what the service is? Especially when there are several free options out there, so you need to provide some detail as to what makes your blacklist worth far more than the hardware that it runs on.
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Mon Aug 13, 2018 10:40 pm

You don't include any detail on how your blacklists are created or maintained, what the source sample is to determine which sites should be blacklisted, etc. So why exactly would someone decide to pay you $60/year for a service with no specifications of what the service is? Especially when there are several free options out there, so you need to provide some detail as to what makes your blacklist worth far more than the hardware that it runs on.
@effndc
People reading my MOAB links can easily find a great deal of detail on where I get the data for MOAB from -- I make no secret of it. So to help you out each one of my MOAB links contains the following information:
IF you're wondering how we identify over 600 million unique IP addresses of known malicious or suspicious entities that we term as the Bad Guys? MOAB is extracted on a daily basis - 3 times each day - from All Cybercrime IP Feeds by FireHOL where that amazing number is derived from. After extraction we specifically engineer the blacklist to work in MikroTik Firewall Appliances and hosted on our web server.
Some Additional info :
At the server level I use Perl to do all the hard work of putting the data into RSC format etc. From FireHOL I download and work with the following Lists:
level1.netset
level2.netset
level3.netset
webclient.netset
webserver.netset
I do not divulge which mix I use for which track --- because that is a moving target.

As to why would someone pay USD$60 per year -- because I believe that my service provides good value and does an excellent job as a superb blacklist system that traps a LOT of IP's --- I have had no reports of any false positives up to today -- MOAB has been in operation since May of 2018 --- I offered 20 people from this MikroTik community the opportunity to try out the service free of charge till September 30, 2018. If People here would be pleased with the Trial and wanted to continue they could by paying the price after the expiry date and I am hoping that the satisfied MikroTik users reading this BOARD would post their commentary --- as one did recently.

Currently I still have 5 Free Trial Slots available.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Tue Aug 14, 2018 2:44 am

@mozerd:
I made couple of manual downloads in browser before I let the script in my device. Then my device did 3 downloads of diffs (each has two files so 6 calls total), 3 downloads of mtiptik (because said it needs update everytime) and 0 downloads of wsiptik (because diff said this one does not require update). In total it adds up to 11 calls. It is true that i did these downloads shortly before sending my response. Unfortunately I didn't have time to do the test earlier. Also, after end of test, I disconnected the device and cleared all config so there will be no more calls from my account. Feel free to disable the account or give it to some other user. I really appreciate the chance to test it.

ad parsing file: Gosh!! I didn't know about such limitation. That is ridiculous. Now I realize you really had not much choice.
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Thu Aug 16, 2018 11:04 pm

For People wondering what's covered by MOAB as of August 16, 2018 --- following provides the deep breadth of Scope

MOAB1
(a) includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw
6,453 subnets, 636,272,205 unique IPs

Included for: memory constrained MikroTik Routers
Included for: well provisioned MikroTik Routers

(b) includes: blocklist_de dshield_1d greensnow
19,142 subnets, 33,737 unique IPs

NOT Included for: memory constrained MikroTik Routers
Included for: well provisioned MikroTik Routers

(c) includes: ransomware_online sslbl_aggressive cybercrime dyndns_ponmocup maxmind_proxy_fraud
5,769 subnets, 5,917 unique IPs

Included for: well provisioned MikroTik Routers
Included for: memory constrained MikroTik Routers

MOAB2
(d) includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic
4,925 subnets, 34,669,212 unique IPs

Included for: well provisioned MikroTik Routers
Included for: memory constrained MikroTik Routers
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Thu Aug 23, 2018 3:19 pm

A FYI update

All Free Trial slots have now all been taken up.
The MOAB server is currently consuming 2.6 GB of bandwidth daily based on 441 participants.
MOAB 1 for well provisioned Routers has grown in size to 1.8MB due to a fairly dramatic increase in criminal activity coming out of Russia and Iran
MOAB 1 for memory constrained Routers remains at 500KB in size

An interesting note: 225 people applied for the Free Trial but 205 refused to provide the Prerequisites .....
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sun Nov 04, 2018 7:04 pm

A reminder for all MOAB users, EST is now in effect.

If you set your MikroTik router to some time server no adjustments need to be done.

MOAB's default is based on the following
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MOAB mother of all blacklists

Mon Nov 05, 2018 9:55 pm

A FYI update

All Free Trial slots have now all been taken up.
The MOAB server is currently consuming 2.6 GB of bandwidth daily based on 441 participants.
MOAB 1 for well provisioned Routers has grown in size to 1.8MB due to a fairly dramatic increase in criminal activity coming out of Russia and Iran
MOAB 1 for memory constrained Routers remains at 500KB in size
That is an amazing throughput, congrats on the progress and the continuing maturity of the product/services. Have you considered expansion into other areas of use such as Layer 7 programming?
Specifically, the areas of concern besides trolling IPs/botnets etc are
a. bitcoin mining
b. hijacks (encrypting hard drives and extorting for cash)
c. other exploits out there that the common person like me has no clue about.

(or are much of these not preventable in that a USER on a network lets a bad guy in and then its game over??)
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Tue Nov 06, 2018 1:31 pm

A FYI update

All Free Trial slots have now all been taken up.
The MOAB server is currently consuming 2.6 GB of bandwidth daily based on 441 participants.
MOAB 1 for well provisioned Routers has grown in size to 1.8MB due to a fairly dramatic increase in criminal activity coming out of Russia and Iran
MOAB 1 for memory constrained Routers remains at 500KB in size
That is an amazing throughput, congrats on the progress and the continuing maturity of the product/services. Have you considered expansion into other areas of use such as Layer 7 programming?
Specifically, the areas of concern besides trolling IPs/botnets etc are
a. bitcoin mining
b. hijacks (encrypting hard drives and extorting for cash)
c. other exploits out there that the common person like me has no clue about.

(or are much of these not preventable in that a USER on a network lets a bad guy in and then it's game over??)
Hi Anav

a. bitcoin mining is included for both MOAB tracks --8,220 unique IPs -- I added bitcoin when FireHOL provided a feed that was stable and it is working quite well.
b. hijacks has been in MOAB from the start.
c. I believe that FireHOL=Level1 covers the widest range of exploits [and attacks] out there and has been in MOAB from day 1 of this project. Currently 455 MikroTik Routers are running MOAB [over 200K users] and to-date I have not had one Router Admin complain of any issues. I have had to rearrange some Fire rule placement for some of my clients who requested that I install MOAB for them because their rule placement would have made MOAB ineffective. YES Rule Placement is VITALLY important for MOAB to work properly in the protection game. My prerequisites web page provides a Rule Order graphic that I insist on for ALL my MOAB clients.

I currently have no plans for Layer 7 filtering because my capability in that area is very weak. Once I feel I have completely understood all the implications especially on performance I will consider its inclusion only for the VERY capable machine.

Yes the biggest issue is when a USER gets caught on an enticement that is script driven usually embedded in an email; or brought in via memory stick and introduced internally. That is where Layer 7 plays a role at the workstation level or via a powerful UTM where Layer 7 traps are common. Layer 7 traps place a significant load on the CPU.
Last edited by mozerd on Thu Nov 08, 2018 4:11 pm, edited 3 times in total.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Thu Nov 08, 2018 2:02 pm

 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Sat Nov 10, 2018 1:40 pm

UPDATE

EFFECTIVE November 12, 2018 MOAB will also work on MikroTik Routers that do not incorporate USB memory storage.

So for example MikroTik Routers models like the RB4011 using NAND flash memory will now work with MOAB
or any MikroTik RouterBoard that utilize SSD storage will also be able to have MOAB work.

The PREREQUISITES web page has now been updated to reflect the above.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Thu Nov 15, 2018 1:55 pm

Based on many requests I have received via email the following is now in effect for MikroTik Community Forum participants

From today [November 15, 2018] and until December 31, 2018 MikroTik users who contact me at mozerd@itexpertoncall.com and qualify by providing the prerequisite information can use MOAB at no charge.

For those participants who find the service to their liking and want to continue for Calendar Year 2019 Subscription Payment via PayPal must be received by December 15, 2018. For those that do not provide payment on December 15, 2018 your accounts will be deleted on midnight December 31, 2018 and your MOAB subscription will no longer receive further updates from the service.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 2:49 pm

UPDATE

MOAB has grown in size

For well provisioned MikroTik Routers like the CCR's etc MOAB is now close to 3 MB

For all other MikroTik Routers much like the hEX and the hAPac2 MOAB is now 1.1 MB

The reason : a very dramatic increase in attacks coming out of Russia, China, Pakistan, Poland, Iran, and believe it or not the USA.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 2:55 pm

Can MOAB be used on CHRs?
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 3:30 pm

Can MOAB be used on CHRs?
I have no experience with MikroTik CHR. -- I do not see why it could not be used. But if you would like to test it out I would be happy to accommodate.

The key component is how much available RAM memory is available and storage requirement like USB memory stick or SSD. Check out my prerequisites link for info and if you'd like to give it a try send me an email with your details.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 5:08 pm

Thx, I'll send you email a bit later. I'm wondering just because there's no Serial Number in CHR, so it doesn't meet your prerequisites :)
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Fri Nov 23, 2018 5:36 pm

I'm wondering just because there's no Serial Number in CHR, so it doesn't meet your prerequisites :)
OK, I can create a unique serial number for your CHR instance and tie that to your IP address assuming your WAN IP is static. If you are using multiple WANs per CHR then you'll need to ID the IP's [in your email] for the CHR in use and I'll tie those to the account created. Looking forward to working with you to see how MOAB works on the CHR.
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: MOAB mother of all blacklists

Sat Nov 24, 2018 12:38 am

there is a "system-id" in
/system license
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Sat Nov 24, 2018 1:12 pm

there is a "system-id" in
/system license
Thank you vecernik87, for the CHR system-id would work for me.
 
timarbour
just joined
Posts: 2
Joined: Mon Feb 12, 2018 7:04 am

Re: MOAB mother of all blacklists

Wed Dec 05, 2018 5:44 pm

I'm interested in testing this for my home. Do you offer like a 30 day trial?
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Wed Dec 05, 2018 6:01 pm

I'm interested in testing this for my home. Do you offer like a 30 day trial?
Check out
viewtopic.php?f=2&t=137632#p697948
for answer to your question.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Thu Dec 20, 2018 4:27 pm

UPDATE:

MOAB must be having an impact because the Chinese RED Army is trying very hard to crack my MOAB hosting sites.
The following IP 222.186.23.24 is hammering my webhost but so far I have not had any complaints of service unavailability.

This 222.186.23.24 address belongs to:
CHINANET-JS
CHINANET jiangsu province network
China Telecom
A12,Xin-Jie-Kou-Wai Street
Beijing 100088

MOAB is load balanced in 3 countries, USA, Germany and Hong Kong, so if any one goes down it switches. I may ask my provider to move the HK server to Singapore.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MOAB mother of all blacklists

Thu Dec 20, 2018 4:50 pm

That would be a wise move in my estimation.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Thu Dec 20, 2018 5:03 pm

That would be a wise move in my estimation.
Yep, the HK server will be moved to Singapore within the next hour just confirmed.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Mon Dec 24, 2018 7:34 pm

Thx, I'll send you email a bit later. I'm wondering just because there's no Serial Number in CHR, so it doesn't meet your prerequisites :)
@Chupaka
How is MOAB working for your CHR implementation? Looking forward to your constructive feedback.

Wishing ALL a Blessed Christmas ...
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: MOAB mother of all blacklists

Fri Dec 28, 2018 10:45 am

@Chupaka
How is MOAB working for your CHR implementation? Looking forward to your constructive feedback.
Thanks, so far so good. Lists are updated on schedule, changing System ID doesn't break anything :) Suspicious connects from addresses in lists are being caught :)

Merry Christmas!
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Mon Dec 31, 2018 4:51 pm

Free Trial Period ends at midnight Monday December 31, 2018.

To continue with MOAB without service disruption, your subscription payment must be made by end of Day today otherwise Free Trial Account will be deleted at 5 minutes past midnight. Subscription payment of USD$120 via PayPal Link.

Thanks to all that took advantage of the Free Trial. Happy New Year to ALL
Last edited by mozerd on Fri May 31, 2019 4:55 pm, edited 1 time in total.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Tue Jan 01, 2019 5:25 pm

MOAB 14 day FREE TRIAL Period now available to MOAB FIRST Time users.

Effective immediately a 10 day MOAB FREE Trial Period is available to MOAB First Time Users who want to trial MOAB prior to purchasing a subscription - MOAB First Time Users must request the MOAB Free Trial Period with a Yes or No when providing their info as required in the prerequisites web link. At the end of the MOAB Free Trial Period - on the 10th day - if First Time User wish to continue with MOAB user must make the Subscription Payment via PayPal otherwise your Trial Account will be deleted end of that day. For those First Time MOAB users the MOAB Trial Period begins on the day your MOAB account is accessed by your MikroTik's Router's serial number.
Last edited by mozerd on Sun Mar 17, 2019 12:08 am, edited 2 times in total.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10239
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Wed Jan 02, 2019 11:09 am

Please stop using the forum as an advertisement platform.
Place a link to your website once where you advertise your business and be done with it...
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: MOAB mother of all blacklists

Wed Jan 02, 2019 12:10 pm

Free Trial Period ends at midnight Monday December 31, 2018.
No New Year miracle had happened =(
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Wed Jan 02, 2019 3:23 pm

Free Trial Period ends at midnight Monday December 31, 2018.
No New Year miracle had happened =(
Miracles :) are expensive to dish out .. very best wishes!
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Sat Jan 12, 2019 4:38 am

UPDATE FYI

Effective immediately I will no longer be providing MOAB for RB4011 devices. The RB4011 uses NAND memory == MOAB write/reads 4,300 times over a period of 365 days which may be deleterious to the RB4011 Router's life span

MOAB will only be supported on MikroTik Routers that utilize USB memory or SSD disk memory for file storage.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MOAB mother of all blacklists

Sat Jan 12, 2019 5:23 am

Please stop using the forum..........
Place a link to your website onc............
Please use the proper forum method for posts that you feel are not warranted, the triangle symbol with the question mark.
Yes, I triangled your post as spam! :-)
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Fri Jan 18, 2019 12:05 am

UPDATE FYI

Effective immediately I will no longer be providing MOAB for RB4011 devices. The RB4011 uses NAND memory == MOAB write/reads 4,300 times over a period of 365 days which may be deleterious to the RB4011 Router's life span

MOAB will only be supported on MikroTik Routers that utilize USB memory or SSD disk memory for file storage.
CLARIFICATION:
Any MikroTik RouterBoard that does not provide the ability to add either a microSD card or USB memory stick or SSD disk for file storage will not qualify for the MOAB service. Because MikroTik NAND memory is soldered on the board it's not replaceable -- MOAB writes 4,300 times over a period of 365 days which may be deleterious to the Router's life span if the NAND memory becomes exhausted.

For MikroTik CHR instances we will provide a special Serial Number for the instance you will be running that will be tied to its Public Facing IP Address. At the Root level you must create a directory called moab. The very same applies to x86 based MikroTik Routers.

PREREQUISITES First
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Sat Feb 02, 2019 2:46 pm

UPDATE

I am in the process of creating a MikroTik specific blacklist for VoIP and specifically aimed to protect against VoIP Fraud and minimizing abuse for networks that have publicly accessible PBX's

I currently have one prospective client who is trialing this blacklist and providing me with very good feedback. This client is a startup cloud hosting VoIP provider [using 2 instances of the MikroTik CHR router] that is getting a lot of SIP / VoIP attacks and who initially requested MOAB to see if that could help his org -- subsequently he suggested a list [voipBL] he was familiar with and asked if I could include that list in my MOAB subscription offering. As an experiment I did generate a MikroTik specific list for him and so far he claims that all attacks on his infrastructure have stopped.

So I am looking for some additional orgs [users] who may be interested in TRIALING this VoIP specific blacklist [containing approx. 64K ip addresses whose RSC file is 2.3 MB] .. The Trial period will be for 30 days or ending on March 10, 2019 …. the list is updated every 4 hours however if the update does not receive/remove any IP addresses my system will only provide the update if an actual change has been made. The Trial is free of charges. I have not as yet determined what I will be charging for this service -- whether I will include this as part of the MOAB subscription or treat this as a niche offspring. Suggestions are welcome :-) If interested send me email mozerd@itexpertoncall.com

PREREQUISITES First
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MOAB mother of all blacklists

Sat Feb 02, 2019 3:23 pm

Mozerd can you clarify if this functionality is for providers or for the end users? I use VoIP at home and my service is never interrupted and thus was wondering???
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Sat Feb 02, 2019 3:37 pm

Mozerd can you clarify if this functionality is for providers or for the end users? I use VoIP at home and my service is never interrupted and thus was wondering???
aimed to protect against VoIP Fraud and minimizing abuse for networks that have publicly accessible PBX's

Primarily for providers who have publicly accessible PBX's.

I also use VoIP using 3 providers and MOAB does an excellent job providing me a SHIELD of protection for my VoIP gear + + + -- I do not use a PBX.
 
User avatar
ErfanDL
Member
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: MOAB mother of all blacklists

Sat Feb 02, 2019 4:19 pm

Buy a raspberry pi3 then install PiHole DNS server on it for free. You don't need to pay any money for MOAB

Sent from my C6833 using Tapatalk



 
User avatar
boldsuck
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: MOAB mother of all blacklists

Sat Feb 02, 2019 8:14 pm

Buy a raspberry pi3 then install PiHole DNS server on it for free. You don't need to pay any money for MOAB

Or simply use well known squidblacklist.org for free. :mrgreen:
viewtopic.php?f=9&t=104020&p=536327#p536327
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Sat Feb 02, 2019 9:16 pm

Just a reminder in case the casual lurker is interested THAT
MOAB blocks over 600 MILLION IP Addresses of known perpetrators [the Bad Guys] … that's over SIX HUNDRED MILLION …. no other blacklist for MikroTik specific gear does that to the best of my knowledge.

PREREQUISITES First
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: MOAB mother of all blacklists

Sat Feb 02, 2019 9:52 pm

Just a reminder in case the casual lurker is interested THAT
MOAB blocks over 600 MILLION IP Addresses of known perpetrators [the Bad Guys] … that's over SIX HUNDRED MILLION ….
In other words, MOAB blocks more than 16% (SIXTEEN PERCENT!!!) of all ipv4 routable addresses :)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10239
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Sun Feb 03, 2019 1:27 am

Just use the ultimate blacklist: 0.0.0.0/0
That keeps out all the known perpetrators - at least until you get IPv6.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Sun Feb 03, 2019 2:11 am

Just a reminder in case the casual lurker is interested THAT
MOAB blocks over 600 MILLION IP Addresses of known perpetrators [the Bad Guys] … that's over SIX HUNDRED MILLION ….
In other words, MOAB blocks more than 16% (SIXTEEN PERCENT!!!) of all ipv4 routable addresses :)
@Chupaka
To be precise the actual number as of today is 629,969,755 …. that's Six hundred and Twenty Nine MILLION Nine Hundred and Sixty Nine Thousand Seven Hundred and Fifty Five perpetrators and that is for Memory constrained Routers like the hEX and the hAPac2 … WOW … simply amazing …. And that number is much bigger for CHR's like you have Chupaka :-) min: 629,969,747 max: 630,361,162

The PRINCIPAL focus of MOAB is mainly related to preventing on-line attacks, on-line service abuse, malwares, botnets, command and control servers and other cybercrime activities …
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: MOAB mother of all blacklists

Mon Feb 04, 2019 12:09 pm

So, every 6th address in IPv4 is attacker, abuser, etc? :shock:
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: MOAB mother of all blacklists

Mon Feb 04, 2019 12:29 pm

So, every 6th address in IPv4 is attacker, abuser, etc? :shock:
I'd say there are even more attackers / abusers / etc than one sixth of internet users ... personally I'd declare every youtube user as abuser and every twitter user as attacker ... not sure about facebook users, most are probably both attackers and abusers :mrgreen:
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MOAB mother of all blacklists

Mon Feb 04, 2019 7:18 pm

Chupaka you make the fatal assumption that one bad guy is on a one to one level with good guys. A bad actor will continually hammer and probe and hack repeatedly and thus they appear to be the work of at least six normal users LOL. That is probably a conservative estimate. Heck seeing where you are from, I would say you are already compromised or part of the problem. ;-P
Just give me your IP address so I can add it to my block list, and by that I mean all 11 of them, including the 10 servers that change IPs between your PC and this forum. If that is your real name or real location.......... heck, there is no way you are that handsome. :-)
 
marosi
just joined
Posts: 12
Joined: Tue Apr 15, 2014 6:00 pm

Re: MOAB mother of all blacklists

Tue Feb 05, 2019 10:21 am

Hum...

why not deliver via BGP and on site do blackhole routes with routing filters?
it would not rape the storages and cpu at all.
you could account the bgp peers with the 60 bucks and secure it with vpn and just use ibgp.
a client can secure its router by some deny rules. for example to not let you announce 0.0.0.0/0 and stuff.
updates would be immediate.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10239
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Tue Feb 05, 2019 11:47 am

why not deliver via BGP and on site do blackhole routes with routing filters?
Remember this is a project from a guy who wants to make quick money from re-distributing other people's data.
Of course there are better ways to do it, but why would he care as long as he gets the paying customers and makes them happy?
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Tue Feb 05, 2019 1:14 pm

Hum...

why not deliver via BGP and on site do blackhole routes with routing filters?
it would not rape the storages and cpu at all.
you could account the bgp peers with the 60 bucks and secure it with vpn and just use ibgp.
a client can secure its router by some deny rules. for example to not let you announce 0.0.0.0/0 and stuff.
updates would be immediate.
1 .. I do not have a great deal of experience using BGP let alone iBGP
2. .. The one lesson I learned in my business LIFE is to always KISS and as a Tech guy KISS is one rule I have zero plans on breaking.
3 ... YES You do make very good points I am now intrigued that I will consider for the future once I gain the required BGP experience and understand all its impacts based on the MikroTik RESOURCES I would like to support. Is there enough time in a day for intrigue? :-)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MOAB mother of all blacklists

Tue Feb 05, 2019 3:27 pm

why not deliver via BGP and on site do blackhole routes with routing filters?
Remember this is a project from a guy who wants to make quick money from re-distributing other people's data.
Of course there are better ways to do it, but why would he care as long as he gets the paying customers and makes them happy?
He is merely offering a service that he ALREADY provides for his clients doing what he thinks is best to keep them from getting hacked.
He doesn't need anybody from this forum to use the service. If you think $60 bucks a year is too much, then don't use it. I spend more money on coffee alone in half a month, so put your whining in perspective. Finally there is a saying, put up or shut up, if you have something better to offer then please do so. This is just the beginning Pe1chl, I am going to ask you this question on every post of yours I see in every forum. I will ask you , where is your better offer.......... Are you ready for that?? I'm tired of so called experts here maligning without context or merit.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Sat Feb 16, 2019 4:42 pm

UPDATE

I am in the process of creating a MikroTik specific blacklist for VoIP and specifically aimed to protect against VoIP Fraud and minimizing abuse for networks that have publicly accessible PBX's

I currently have one prospective client who is trialing this blacklist and providing me with very good feedback. This client is a startup cloud hosting VoIP provider [using 2 instances of the MikroTik CHR router] that is getting a lot of SIP / VoIP attacks and who initially requested MOAB to see if that could help his org -- subsequently he suggested a list [voipBL] he was familiar with and asked if I could include that list in my MOAB subscription offering. As an experiment I did generate a MikroTik specific list for him and so far he claims that all attacks on his infrastructure have stopped.

So I am looking for some additional orgs [users] who may be interested in TRIALING this VoIP specific blacklist [containing approx. 64K ip addresses whose RSC file is 2.3 MB] .. The Trial period will be for 30 days or ending on March 10, 2019 …. the list is updated every 4 hours however if the update does not receive/remove any IP addresses my system will only provide the update if an actual change has been made. The Trial is free of charges. I have not as yet determined what I will be charging for this service -- whether I will include this as part of the MOAB subscription or treat this as a niche offspring. Suggestions are welcome :-) If interested send me email mozerd@itexpertoncall.com
UPDATE

Decision has been made re pricing for the voip blacklist Primarily for VOIP Providers who have publicly accessible PBX's.
As a standalone voipTIK blacklist the subscription fee will be US $72 annually per Router or CHR instance
As a sub to MOAB the add-on premium will be US $36 annually -- so MOAB @ $60 + voipTIK @ 36 = $96/yr.

PREREQUISITES First
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Mon Feb 25, 2019 4:51 pm

UPDATE

Effective March 15, 2019

for memory constrained MikroTik routers like the hEX and hAPac2
wsiptik.rsc will now be integrated into mtiptik.rsc and that will eliminate approximately 550 duplicate ip addresses.

for well provisioned MikroTik routers including the CHR and the x86
wsiptik.rsc is being integrated into fileiptik.rsc and that will eliminate close to 7K duplicate ip addresses

The end result will mean that this consolidation will help to save system resources regardless of which model of MikroTik Router is being deployed with MOAB thereby improving MOAB’s efficiency when called upon by the system.

PREREQUISITES First
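
The consolidation described in this post, together with the address counts discussed earlier in the thread, as an added example that is not MOAB's code: it merges plain-text feeds, drops duplicates and entries already covered by a wider prefix, counts the addresses the result covers, and renders a RouterOS address-list script that is republished only when its hash changes. The sample feeds, the list name `blocklist-demo` and the `RESERVED` table are assumptions made for this example.

```python
import hashlib
import ipaddress

# Constructed sample feeds (not MOAB or FireHOL data); documentation ranges
# stand in for real entries.
FEED_A = """\
# constructed feed A
192.0.2.0/25
192.0.2.128/25
198.51.100.7
240.0.0.0/4
"""
FEED_B = """\
# constructed feed B
192.0.2.64/26
198.51.100.7
203.0.113.0/24
not-an-address
"""

# Reserved, non-routable IPv4 blocks (a partial list, chosen for this example).
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_feed(text):
    """Return (IPv4 networks, rejected lines) for one plain-text feed."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)  # keep for review instead of guessing
            continue
        if net.version == 4:
            nets.append(net)
    return nets, rejected


def consolidate(feeds):
    """Merge feeds; drop duplicates and entries covered by a wider prefix."""
    entries, rejected = [], []
    for text in feeds:
        nets, bad = parse_feed(text)
        entries.extend(nets)
        rejected.extend(bad)
    merged = list(ipaddress.collapse_addresses(entries))  # sorted, minimal
    return entries, merged, rejected


def coverage(merged):
    """Count covered addresses, split into reserved and remaining space."""
    total = sum(n.num_addresses for n in merged)
    reserved = 0
    for net in merged:
        for block in RESERVED:
            if net.subnet_of(block):
                reserved += net.num_addresses
                break  # RESERVED blocks are disjoint, so one match is enough
            if block.subnet_of(net):
                reserved += block.num_addresses
    return {"total": total, "reserved": reserved,
            "other": total - reserved, "share_of_ipv4": total / 2 ** 32}


def render_rsc(merged, list_name="blocklist-demo"):
    """Render a RouterOS import script that replaces one address list."""
    lines = ["/ip firewall address-list",
             f"remove [find list={list_name}]"]
    lines += [f"add list={list_name} address={net}" for net in merged]
    return "\n".join(lines) + "\n"


def needs_publish(rsc_text, last_digest):
    """Publish only when the rendered list differs from the last one sent."""
    digest = hashlib.sha256(rsc_text.encode()).hexdigest()
    return digest != last_digest, digest


if __name__ == "__main__":
    entries, merged, rejected = consolidate([FEED_A, FEED_B])
    print(len(entries), "entries ->", len(merged), "after consolidation")
    print("rejected:", rejected)
    print(coverage(merged))
    print(render_rsc(merged), end="")
```

A single reserved block such as 240.0.0.0/4 is 268,435,456 addresses on its own, so splitting the count shows how much of a total lies in non-routable space.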
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Wed Feb 27, 2019 3:52 pm

voipBL protects against VoIP Fraud and minimizing abuse for networks that have publicly accessible PBX's

If you spend the time to actually READ through link below you actually will see very interesting information.
Evolution of voipbl

voipTIK

PREREQUISITES First
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Thu Mar 07, 2019 2:27 am

Huge spike
fireHOL_level2.GIF
Notice the huge spike in attacks March 5 to TODAY

MOAB includes firehol_level2 in its blacklist for MikroTik Routers having a minimum of 1 GB of RAM

PREREQUISITES First
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Tue Mar 12, 2019 6:56 pm

Based on March 12, 2019 Check out Change History for FireHOL_Level2
level2changes.GIF
Based on March 12, 2019 Check out Country Map Covered by FireHOL_Level2
countrymapl2.GIF
MOAB includes firehol_level2 in its blacklist for MikroTik Routers having a minimum of 1 GB of RAM

Did you know that MOAB includes the following for amply provisioned MikroTik Routers:
firehol_level1
firehol_level2
firehol_level3
firehol_webclient
firehol_webserver

Did you know that MOAB includes the following for memory constrained MikroTik Routers:
firehol_level1
firehol_webclient
firehol_webserver

PREREQUISITES First
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Sun Mar 17, 2019 4:44 pm

DID you KNOW

that MOAB designed to protect YOUR network for amply provisioned MikroTik Routers
AND for memory constrained MikroTik Routers include FireHOL-Level1 block list

And within firehol_level1 among the 628 million ip addresses covered
includes
100% of spamhaus_edrop and
100% of spamhaus_drop

What is spamhaus_drop and spamhaus_edrop
spamhaus_drop (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The spamhaus_drop and EDROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.

EDROP is an extension of the spamhaus_drop list that includes suballocated netblocks controlled by spammers or cyber criminals. EDROP is meant to be used in addition to the direct allocations on the spamhaus_drop list.

When implemented at a network or ISP's 'core routers', spamhaus_drop and EDROP will help protect the network's users from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks.

Spamhaus strongly encourages the use of spamhaus_drop and EDROP by tier-1s and backbones.
PREREQUISITES First
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Tue May 14, 2019 4:05 pm

Notice of CHANGE to subscription model.

OLD method: Annual Subscription was based on your Mikrotik Serial number
New method: Annual subscription will now be based on your WAN IP Address ...

For organizations that have multiple TIKs --- serial number subscriptions will change to account number subscriptions that supports all the Tik's at the same time. -- for example, if you have 15 Tiks your account number will now support all the Tiks you manage.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Tue May 28, 2019 8:24 pm

Celebrating 1 billion hits ON A DAILY BASIS >>>> based on 600 Tik Routers using MOAB. Thanks to all my users.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: MOAB mother of all blacklists

Fri May 31, 2019 4:46 pm

NOTICE of MOAB subscription price change:

For new users and effective June 1, 2019 annual subscription cost will now be USD $120 ....

Existing users will be subject to the price increase upon renewal of service.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MOAB mother of all blacklists

Sun Jun 02, 2019 4:43 pm

What was the cost before the price hike? What is the percentage increase and why is the increase necessary?
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sun Jun 02, 2019 4:56 pm

What was the cost before the price hike? What is the percentage increase and why is the increase necessary?
What was the cost before the price hike? US $60 per year
What is the percentage increase and why is the increase necessary? percentage increase is 100% ....
My bandwidth costs have doubled so it is necessary to double the subscription price. So if one wants to break it down on a per-month basis it's US $10 vs US $5 previously ... however I do not accept monthly subscriptions, only annual subscriptions.
 
pe1chl
Forum Guru
Posts: 10239
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Sun Jun 02, 2019 5:11 pm

Earlier you said you had 600 users. So, assuming they won't run away now, that will bring you 600x120 = $72000 per year or $6000 per month.
When that is to cover hosting/bandwidth (and it appears to be, as you say doubling your bandwidth cost requires you to double your subscription cost), you have some incredibly expensive hosting/bandwidth there!

(and I don't think you have many other costs, as the data sources you use are free and you are using this forum to get your advertising for free)
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sun Jun 02, 2019 5:31 pm

(and I don't think you have many other costs, as the data sources you use are free and you are using this forum to get your advertising for free)
65% of my business for MOAB is derived from systems my organization builds for people and sold into my local marketplace and the USA .... 5% is derived from This Forum. If you look at my sig you can very easily see that I promote MOAB heavily using my website. Word of mouth gets me the balance and 98% of that are MikroTik systems.

I operate a for profit enterprise. FYI, so far all my MOAB users have expressed great satisfaction with my service -- not ONE complaint.
 
pe1chl
Forum Guru
Posts: 10239
Joined: Mon Jun 08, 2015 12:09 pm

Re: MOAB mother of all blacklists

Sun Jun 02, 2019 8:08 pm

You wrote: "my bandwidth costs have doubled so it is necessary to double the subscription price"
That isn't true. Your bandwidth costs may have increased but primarily you want to double your profit.
Of course you are free to want/do that, but don't misrepresent the reason for your price doubling.
 
mozerd
Forum Veteran
Topic Author
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: MOAB mother of all blacklists

Sun Jun 02, 2019 8:28 pm

But don't misrepresent the reason for your price doubling.
No misrepresentation ... my bandwidth costs have doubled so based on that I decided I would double the price for a subscription. Thanks for your interest in my business affairs ... to me you, pe1chl, sound like a Socialist/communist.
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: MOAB mother of all blacklists

Sun Jun 02, 2019 9:19 pm

Is this a giant Tell-Sell storyboard or what? This is advertisement for an unrelated business to MikroTik.
MikroTik please end this thread. It is not about support, but about profit for another company.
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: MOAB mother of all blacklists

Mon Jun 03, 2019 9:10 am

Please use other ways to advertise your product. MikroTik has "MFM" page here: https://mikrotik.com/mfm/software
