lucius
just joined
Topic Author
Posts: 7
Joined: Mon Mar 28, 2011 9:30 pm

Need to remove DNS record from sn.mynetname.net (kind of urgently)

Thu Oct 18, 2018 11:40 am

Dear MTik,
Been a very long time user, etc. I'm used to things not being implemented perfectly in ROS from time to time, but now I have kind of a bigger issue. There's a sea of RBs we installed at various locations, some of those we manage directly, some locations we jump in when needed.

At one site it happened. ROS was not updated, also Winbox was made available to the Internet-facing interface. Great. So now it got hacked. So ok, we resolved that. Upgraded, changed password, restored the proper config, etc. But before restoring the config I looked around to see what the attacker did with the device. So I discovered that the attacker:
- brought up a web proxy
- brought up SOCKS
- looks like it tried something with IPSEC, but that didn't look functional
- enabled DDNS, under ip/cloud
- changed a few firewall rules to make proxy work for users on the net

So the purpose was, I guess, to redirect traffic through - to use it as a cloak for... attacks? spam? I don't really know.

The reason I'm writing all this is that I can't get traffic to stop coming in. All that traffic is now dropped, of course, but the reason we are still receiving all this traffic is the damn DDNS record that won't go away. ROS manual for ip/cloud states that when you disable DDNS, ROS will send a message to your servers to REMOVE the DNS record. Only it doesn't really do that. Tried quite a few times. Tried checking with geo DNS query later - and well, the record is still alive and doing well. That's 1 day after its supposed deletion took place.

Dear MTik, I want to stop packets coming to that router. While I'm fully aware you can't do much to stop Internet traffic reaching that router, you should be able to help me remove the DNS record from sn.mynetname.net! Please just tell me how, now that I've found the built-in functionality doesn't work, and there's no other way that I know of to delete it manually. At least not from my side. The problem is this router is on a static IP, that address won't ever change, so... I have an interesting situation.

Kind regards,
Lucius
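A triage checklist for the findings in the post above, written as an added example; it is not part of lucius's post or of MikroTik's documentation. It assumes a RouterOS v6.x console session (SSH or serial) and a management subnet of 192.168.88.0/24, which is a placeholder. The first part only prints; the second part disables the services the post names and fences Winbox off from the Internet-facing interface. Attacker-added firewall rules are not removed blindly, since their numbers differ per device: print the chains, then remove by number after review.

```routeros
# Added example, not from the thread. RouterOS v6.x console commands.
# Part 1 is read-only and covers every change lucius's post lists,
# plus the usual persistence spots on a compromised RouterBOARD.

/system resource print
# version and uptime: an uptime shorter than the incident means the box rebooted

/ip cloud print
# ddns-enabled, dns-name (<serial>.sn.mynetname.net), public-address, update-time

/ip proxy print
/ip proxy access print
# enabled=yes with an empty access list is an open proxy

/ip socks print
/ip socks access print

/ip firewall nat print
# dst-nat / redirect rules that feed the proxy port

/ip firewall filter print where chain=input
# accept rules opened for the proxy, SOCKS or Winbox ports on the WAN side

/ip ipsec peer print
/ip ipsec policy print
# the half-configured IPsec the post mentions

/ip service print
# which management services (winbox, www, api, ssh) face the Internet, and from where

/user print
/system scheduler print
/system script print
/file print
# extra accounts, scheduled scripts and dropped files are the common persistence spots

# Part 2 changes configuration: disable what the attacker enabled and restrict
# Winbox to the management subnet (192.168.88.0/24 is a placeholder).
/ip proxy set enabled=no
/ip socks set enabled=no
/ip cloud set ddns-enabled=no
/ip service set winbox address=192.168.88.0/24
/ip service disable www
/ip service disable api
```

Run Part 1 before restoring a known-good config, as lucius did, and save its output: on 6.43 and later the `ddns-enabled=no` in Part 2 stops the router from refreshing the record but, as the rest of this thread shows, does not get the existing record deleted.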
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Need to remove DNS record from sn.mynetname.net (kind of urgently)

Thu Oct 18, 2018 11:54 am

ROS manual for ip/cloud states that when you disable DDNS, ROS will send a message to your servers to REMOVE the DNS record. Only it doesn't really do that. Tried quite a few times. Tried checking with geo DNS query later - and well, the record is still alive and doing well. That's 1 day after its supposed deletion took place.

You'll have to downgrade to 6.42.7 or lower, then disable DDNS, after which you can upgrade to >= 6.43 again.

From changelog 6.43:
MAJOR CHANGES IN v6.43:
----------------------
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);


But,
The reason I'm writing all this is that I can't get traffic to stop coming in. All that traffic is now dropped, of course, but the reason we are still receiving all this traffic is the damn DDNS record that won't go away.

Are you sure the attacker uses your ddns entry to connect? Could just be the static ip.
 
lucius
just joined
Topic Author
Posts: 7
Joined: Mon Mar 28, 2011 9:30 pm

Re: Need to remove DNS record from sn.mynetname.net (kind of urgently)

Thu Oct 18, 2018 12:17 pm

Thank you for your answer,

You'll have to downgrade to 6.42.7 or lower, then disable DDNS, after which you can upgrade to >= 6.43 again.

From changelog 6.43:
MAJOR CHANGES IN v6.43:
----------------------
!) cloud - reworked "/ip cloud ddns-enabled" implementation (suggested to disable service and re-enable after installation process);

That changelog doesn't really say anything about no longer being able to delete a DNS record, also no such thing is reflected in the Wiki. How are you sure about this?
Also, does anyone have any idea why someone would make it impossible to remove the DNS record in this version ? Since, your post makes it sound like this change wasn't a bug. I see no logic in such change, presuming it was intended.

Are you sure the attacker uses your ddns entry to connect? Could just be the static ip.

Well, there's no way to be sure, of course. But, since the attacker brought up the DDNS service I see that as a good indication it's using it.
Also, I want to remove it since I have no need for it and I don't want to expose the IP unnecessarily. While we're at it - I do find the implementation of such DDNS somewhat unsafe, although it seems to have a practical use for some, so it's not entirely a bad thing to have it as an option. It's just VERY bad not to be able to delete the DNS record! This particular case points out the issues nicely.

Is there really no other way for me to remove the DNS record without downgrading ROS??
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Need to remove DNS record from sn.mynetname.net (kind of urgently)  [SOLVED]

Thu Oct 18, 2018 12:20 pm

MikroTik's DDNS moved from cloud.mikrotik.com to cloud2.mikrotik.com. Unless you can reverse engineer the update mechanism ("kind of urgently"), you're better off downgrading/disabling/upgrading.

Related topic: viewtopic.php?t=135603
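The downgrade / disable / upgrade sequence from the reply above, written out as an added example; it is not from the thread or from MikroTik. It assumes a mipsbe board (the package name carries the architecture, so change it for arm, smips, tile, x86 and so on), that the router can reach download.mikrotik.com, and that the 6.42.7 package URL follows MikroTik's usual download layout, which is an assumption to verify against the download archive. Both package steps reboot the device, which matters when, as in lucius's case, you are working remotely; restrict Winbox to your management subnet before starting, since the router that was already reached from the Internet will briefly run an older release.

```routeros
# Added example, not from the thread. RouterOS v6 console, run step by step.
# Assumptions: mipsbe architecture, Internet access from the router, and
# MikroTik's usual download path for the 6.42.7 package (verify first).

# 1. Record version and the cloud state before touching anything.
/system resource print
/ip cloud print

# 2. Fetch the older all-in-one package to the router's storage.
/tool fetch url="https://download.mikrotik.com/routeros/6.42.7/routeros-mipsbe-6.42.7.npk"
/file print where name~"routeros"

# 3. Downgrade. RouterOS asks for confirmation and then reboots;
#    reconnect once the device is back on 6.42.7.
/system package downgrade

# 4. On 6.42.7, disabling DDNS sends the removal request that 6.43+ no longer does.
/ip cloud set ddns-enabled=no
/ip cloud print

# 5. Check from the router that the name no longer resolves. Flush the local
#    cache first; the public record may still be served until its TTL expires,
#    so also query a recursive resolver outside your own network.
#    XXXXXXXXXXXX stands for the serial shown as dns-name in /ip cloud print.
/ip dns cache flush
:put [:resolve "XXXXXXXXXXXX.sn.mynetname.net"]

# 6. Go back to a current release (another reboot), leaving DDNS disabled.
/system package update check-for-updates
/system package update install
```

In step 5 a "dns name does not exist" failure is the outcome you want; an address coming back means the record is still published, or your resolver is still serving it from cache.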
 
lucius
just joined
Topic Author
Posts: 7
Joined: Mon Mar 28, 2011 9:30 pm

Re: Need to remove DNS record from sn.mynetname.net (kind of urgently)

Thu Oct 18, 2018 12:36 pm

MikroTik's DDNS moved from cloud.mikrotik.com to cloud2.mikrotik.com. Unless you can reverse engineer the update mechanism ("kind of urgently"), you're better off downgrading/disabling/upgrading.

Related topic: viewtopic.php?t=135603

Bummer :|
This "upgrade path" they've taken is... quite ridiculous. Why the old record is not removed automatically on the server-side API the new version uses is completely beyond me. Nasty.

But, thank you very much for this information. I wouldn't have found it.

I guess I'll try downgrading the unit later this afternoon, when people leave the office. Have to read more about the process, never done it before. Not sure how safe that is to do - I have to do it remotely. And it's not just a minor version number change here. Not feeling at all good about doing that remotely.
