ciberica
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Mar 19, 2018 6:22 am

victim of attack PPPOE

Thu Apr 18, 2019 10:30 pm

I think I'm being the victim of an attack because in the log I get what appears in the image and this causes me to block the computer.

I have managed to find out which sector is the problem but I do not know how to block this ip address. Can you help me?

I currently use a radius server to authenticate by PPPOE
 
mistry7
Forum Guru
Posts: 1223
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: victim of attack PPPOE

Mon Apr 22, 2019 7:11 am

What's your problem? If this user does not have a valid username and password, what should he do?

These messages are not a real attack.
If the MAC address changed every time, that is what
I would call an attack.


If you do the PPPoE config on your SXT, e.g., this is a MikroTik device. Look at the MAC, look in the AP registration table for this MAC.
 
ciberica
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Mar 19, 2018 6:22 am

Re: victim of attack PPPOE

Mon Apr 22, 2019 10:38 am

Hi, what can I do? I created rules in the bridge to block the MAC, because within 5 minutes at most it blocks the router and it restarts, and so on continuously.

How can I avoid it ...?
 
pe1chl
Forum Guru
Posts: 5358
Joined: Mon Jun 08, 2015 12:09 pm

Re: victim of attack PPPOE

Mon Apr 22, 2019 1:14 pm

Put WPA2-EAP authentication on your WiFi with the same user/pass as used on PPPoE (to reduce user confusion).
So the user first connects to your WiFi using their credentials, then once successful they establish the PPPoE with those same credentials.
This solves the problems caused by having open WiFi.
 
ciberica
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Mar 19, 2018 6:22 am

Re: victim of attack PPPOE

Mon Apr 22, 2019 2:33 pm

I do not have the wifi open, I have security wpa2, and once it connects to the network with the credentials the pppoe dial is made
 
pe1chl
Forum Guru
Posts: 5358
Joined: Mon Jun 08, 2015 12:09 pm

Re: victim of attack PPPOE

Mon Apr 22, 2019 7:49 pm

You will have to analyze the situation and find what is going wrong.
And then adjust something in your network so it cannot happen anymore.

It is not possible to give you advice because you provide so little information.
 
ciberica
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Mar 19, 2018 6:22 am

Re: victim of attack PPPOE

Sat May 04, 2019 1:24 pm

What more data do you need? Ask for it and I will be happy to provide it.
 
pe1chl
Forum Guru
Posts: 5358
Joined: Mon Jun 08, 2015 12:09 pm

Re: victim of attack PPPOE

Sat May 04, 2019 2:57 pm

It is nearly impossible to do such analysis via a forum.
You know your own network, you know what is happening, and you post a screenshot saying there is an attack.
Could be, but for all purposes it could just be a paying customer with a problematic connection.
You will have to research those things yourself.
 
sindy
Forum Guru
Posts: 3499
Joined: Mon Dec 04, 2017 9:19 pm

Re: victim of attack PPPOE

Sat May 04, 2019 6:10 pm

The very first thing I'd do would be to set the pado-delay parameter of /interface pppoe-server server to something like 2000 (I believe it's milliseconds). If the client implementation is not crazy, this should make it re-send the PADI less frequently than six times a second. It won't necessarily make it wait all those 2 seconds, it may not be that patient, but it's worth trying anyway.

Regardless whether the above helps or not, I'd check whether the requests coming from that MAC bear a valid username and password. This should be better visible in the log of the RADIUS server than in the Mikrotik's one, but activating the debug using /system logging add topics=pppoe may be sufficient to see something useful in Mikrotik's log.
  • if they don't, it is either an illegal user, or a legal one who has made a typo when entering the credentials. An illegal one is unlikely to be so stubborn, a legal one would probably have already come and asked why the connection doesn't come up. When the authentication is done locally against /ppp secret, its failure is logged as error, but I don't know what it looks like when RADIUS is used, so maybe you need the debug to see authentication errors in this case.
  • if they do, the connections should be establishing well, because to get to the stage of PPPoE connection established, a bi-directional exchange must have taken place before (the server receives PADI, answers with PADO, and the client sends a PADR based on reception of the PADO). So in that case, the connections must be breaking at some later stage, possibly due to some issue with address configuration constraints not compatible between the client and the server. Again, a debug will tell you more about what is going on after the authentication phase completes successfully.
Even if delaying PADO doesn't help, the CPU load comes from the complete handling of the PPPoE incoming connection; just dropping six frames per second using a single rule in /interface bridge filter is nothing that should make your CPU sweat. So while you are not analysing the behaviour, that rule should prevent the reboots from happening.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
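
One way to run the check discussed above (how often PADI arrives per MAC, and whether the MAC stays fixed or changes every time), as an added example that is not part of any post in this thread. The log line layout, the sample lines, the threshold and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, not a router capture: one MAC sending PADI six times a
# second for three seconds, plus one client doing a normal PADI/PADR exchange.
# The line layout (time, topics, text) is an assumption.
SAMPLE = [f"13:24:{i // 6:02d}.{(i % 6) * 166:03d} pppoe,debug ether2: "
          f"rcvd PADI from 02:00:00:AA:00:01" for i in range(18)]
SAMPLE += ["13:24:01.500 pppoe,debug ether2: rcvd PADI from 02:00:00:BB:00:02",
           "13:24:02.100 pppoe,debug ether2: rcvd PADR from 02:00:00:BB:00:02"]

PADI_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) .*\bPADI\b.*?"
                     r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

def padi_times(lines):
    """Map each source MAC to the timestamps of its PADI frames."""
    per_mac = defaultdict(list)
    for line in lines:
        m = PADI_RE.search(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            per_mac[m.group(2).upper()].append(stamp)
    return per_mac

def peak_rate(times, window=1.0):
    """Largest number of PADIs inside any span shorter than `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(lines, threshold=5):
    """Return (verdict, noisy_macs); threshold is PADIs per second."""
    per_mac = padi_times(lines)
    everything = [t for stamps in per_mac.values() for t in stamps]
    if peak_rate(everything) < threshold:
        return "normal", []
    noisy = sorted(mac for mac, s in per_mac.items() if peak_rate(s) >= threshold)
    # One or more fixed MACs retrying fast can be dropped by MAC in a bridge
    # filter; a high total rate with no noisy MAC means the MAC keeps changing.
    return ("fixed-mac-loop", noisy) if noisy else ("changing-macs", [])

if __name__ == "__main__":
    print(classify(SAMPLE))
```
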
 
ciberica
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Mar 19, 2018 6:22 am

Re: victim of attack PPPOE

Sat May 04, 2019 8:55 pm

Thank you very much, I have been very helpful, I'm going to put on all the challenged to 2000ms and with that I have already lowered the CPU a lot. I have also found the attacker, it seems a firmware problem of a sxt lite AC 5.

Again, Thank you very much for your help
 
inteq
Frequent Visitor
Posts: 88
Joined: Wed Feb 25, 2015 8:15 pm

Re: victim of attack PPPOE

Mon May 06, 2019 11:05 am

Might not be your case, but many users are having problems with pppoe-client looping.
Who knows, it might be the same in your case, a stuck in a loop mikrotik router trying to connect to your pppoe server.
See: viewtopic.php?f=2&t=121047 for example.
