Luri
just joined
Topic Author
Posts: 4
Joined: Tue Jun 07, 2016 8:20 pm

Router under DDoS attack on port 53 and 389.

Tue Sep 24, 2019 1:22 pm

Hello, I'm having an attack issue on my router. I'm not able to prevent it. Need help please!
add action=drop chain=input disabled=yes in-interface=SFP1-combo1 log=yes \
    protocol=udp
add action=drop chain=forward disabled=yes in-interface=SFP1-combo1 log=yes \
    protocol=udp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Detect Port Scanners" dst-port=\
    21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=\
    SFP1-combo1 protocol=tcp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" \
    dst-port=53 in-interface=SFP1-combo1 protocol=udp
add action=drop chain=input comment="Drop Blacklisted Hosts to Router" \
    in-interface=SFP1-combo1 src-address-list=BlackList
add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" \
    in-interface=SFP1-combo1 src-address-list=BlackList
add action=drop chain=input comment="Drop port scanners" src-address-list=\
    PortScanners
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add Port scanners to blacklist" protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add NMAP FIN Stealth scan to list" protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add SYN/FIN scan to list" protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add SYN/RST scan to list" protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add FIN/PSH/URG scan to list" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add ALL/ALL scan to list" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add NMAP NULL scan to list" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=AccessRouter1 \
    address-list-timeout=10s chain=input comment="Port Knock for Router Access" \
    dst-port=10000 protocol=tcp
add action=add-src-to-address-list address-list=AccessRouter2 \
    address-list-timeout=10s chain=input dst-port=20000 protocol=udp \
    src-address-list=AccessRouter1
add action=add-src-to-address-list address-list=AccessRouter3 \
    address-list-timeout=1h chain=input dst-port=30000 protocol=udp \
    src-address-list=AccessRouter2
add action=add-src-to-address-list address-list=AccessRouter4 \
    address-list-timeout=1h chain=input dst-port=40000 protocol=tcp \
    src-address-list=AccessRouter3
add action=accept chain=input comment="Allow in Winbox" dst-port=8291 \
    in-interface=SFP1-combo1 protocol=tcp src-address-list=AccessRouter4
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
    3,32 protocol=tcp src-address-list=DOSattacker
add action=add-src-to-address-list address-list=DOSattacker \
    address-list-timeout=1d chain=input comment="Detect DoS attack" \
    connection-limit=20,32 in-interface=SFP1-combo1 log=yes protocol=tcp
add action=accept chain=input comment=\
    "suppress ping flood-0:0 and limit for 5pac/s" icmp-options=0:0-255 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
    "suppress ping flood-3:3 and limit for 5pac/s" icmp-options=3:3 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
    "suppress ping flood-3:4 and limit for 5pac/s" icmp-options=3:4 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
    "suppress ping flood-8:0 and limit for 5pac/s" icmp-options=8:0-255 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
    "suppress ping flood-11:0 and limit for 5pac/s" icmp-options=11:0-255 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=udp
add action=drop chain=input comment=DNSDROP log=yes protocol=udp src-port=53
add action=drop chain=forward comment=DNSDROP protocol=udp src-port=53
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop anything else" log=yes protocol=udp \
    src-port=389
add action=drop chain=forward comment="Drop anything else" protocol=udp \
    src-port=389
add action=drop chain=output comment="Drop anything else" protocol=udp \
    src-port=389
add action=drop chain=forward comment="Drop anything else" dst-port=389 log=yes \
    protocol=udp
add action=drop chain=output comment="Drop anything else" dst-port=389 log=yes \
    protocol=udp
add action=drop chain=input dst-port=10188 protocol=udp
add action=drop chain=input protocol=udp src-port=10188
add action=drop chain=forward protocol=udp src-port=10188
add action=drop chain=forward dst-port=10188 protocol=udp
add action=drop chain=forward dst-port=123 protocol=udp
add action=drop chain=forward protocol=udp src-port=123
add action=drop chain=input protocol=udp src-port=123
add action=drop chain=input dst-port=123 protocol=udp
Last edited by Luri on Mon Sep 30, 2019 1:21 pm, edited 1 time in total.
 
Zacharias
Forum Guru
Posts: 1321
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Router under DDoS attack on port 53 and 389.

Tue Sep 24, 2019 2:03 pm

Can you try to drop input from that source MAC address using your firewall???
 
mkx
Forum Guru
Posts: 3575
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router under DDoS attack on port 53 and 389.

Tue Sep 24, 2019 2:34 pm

Source MAC address is likely peer router (the other side of WAN interface).

The sad fact is that it's almost impossible to deal with a DDoS attack other than (temporarily) dropping all connections contributing to the DDoS. In your case it's hard to do, as those packets seemingly originate from DNS servers, and if you block all packets with src port equal to 53, your clients won't be able to resolve anything. So you'd have to whitelist a few known-to-be-good DNS servers and block the rest, and deal with DNS requests in your network (by redirecting requests to DNS servers to either your own DNS server or to one of the selected public servers).
BR,
Metod
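One way to put the approach above into RouterOS rules, as an added example (it is not Luri's export and not code from anyone in the thread): replies to lookups the router itself sent are accepted first as tracked connections, unsolicited UDP replies from port 53/389 on the WAN side are logged and dropped, the router never answers DNS from the WAN, and LAN clients are transparently redirected to the router's resolver. The WAN interface name SFP1-combo1 and the LAN bridge name `bridge` are assumed; the resolver addresses are the public ones named in the thread.

```routeros
# Added example, not part of the original thread. Assumed names: WAN = SFP1-combo1, LAN = bridge.
/ip firewall address-list
add list=dns-resolvers address=1.1.1.1 comment="Cloudflare"
add list=dns-resolvers address=8.8.8.8 comment="Google"
add list=dns-resolvers address=8.8.4.4 comment="Google"
add list=dns-resolvers address=208.67.222.222 comment="OpenDNS"

/ip dns
# The router resolves for the LAN and forwards only to whitelisted resolvers.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip firewall filter
# 1. Replies to queries this router sent are tracked connections: accept them before any drop,
#    so a later src-port=53 drop cannot break the router's own lookups.
add chain=input connection-state=established,related action=accept comment="tracked replies"
add chain=input connection-state=invalid action=drop comment="untracked junk"
# 2. Any other UDP packet arriving from port 53 or 389 on the WAN is an unsolicited reply,
#    i.e. reflection traffic aimed at this address: keep a log sample, drop the rest.
add chain=input in-interface=SFP1-combo1 protocol=udp src-port=53,389 connection-state=new \
    action=drop log=yes log-prefix="REFLECT-IN"
add chain=forward in-interface=SFP1-combo1 protocol=udp src-port=53,389 connection-state=new \
    action=drop log=yes log-prefix="REFLECT-FWD"
# 3. allow-remote-requests=yes must never be reachable from the WAN (open resolver).
add chain=input in-interface=SFP1-combo1 protocol=udp dst-port=53 action=drop comment="no WAN DNS"
add chain=input in-interface=SFP1-combo1 protocol=tcp dst-port=53 action=drop comment="no WAN DNS"
# 4. LAN hosts on interfaces that are not redirected (below) may only reach whitelisted resolvers.
add chain=forward out-interface=SFP1-combo1 protocol=udp dst-port=53 \
    dst-address-list=!dns-resolvers action=drop comment="LAN must use router DNS"
# 5. Default deny from WAN; place this after your own accept rules (e.g. the port-knock chain).
add chain=input in-interface=SFP1-combo1 action=drop comment="drop anything else from WAN"

/ip firewall nat
# Transparently send every LAN DNS query to the router's own resolver, whatever the client configured.
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 action=redirect to-ports=53
```

Rules 2 and 3 reduce CPU spent on unwanted packets but cannot recover link capacity; once the WAN link itself is saturated, only the upstream provider can filter.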
 
R1CH
Forum Veteran
Posts: 912
Joined: Sun Oct 01, 2006 11:44 pm

Re: Router under DDoS attack on port 53 and 389.

Wed Sep 25, 2019 3:39 pm

If you're experiencing high CPU load then you should remove unnecessary firewall rules (all those port scan detection rules for example are useless if you just drop by default). If you're experiencing bandwidth exhaustion then the attack can only be filtered by your upstream.
 
Luri
just joined
Topic Author
Posts: 4
Joined: Tue Jun 07, 2016 8:20 pm

Re: Router under DDoS attack on port 53 and 389.

Mon Sep 30, 2019 11:45 am

Thanks for your advice!
I've whitelisted well-known DNS servers. I've changed the public IP, but it's still the same. The conclusion is that somebody is trying to harm the network from inside.
The same happens 2-5 hours after changing IPs.
I'll try to deal with my service provider.
Best for all of you.
 
erlinden
Member Candidate
Posts: 197
Joined: Wed Jun 12, 2013 1:59 pm

Re: Router under DDoS attack on port 53 and 389.

Mon Sep 30, 2019 11:49 am

Do you really need your DNS server to be publicly available? And the same question for LDAP?
 
Luri
just joined
Topic Author
Posts: 4
Joined: Tue Jun 07, 2016 8:20 pm

Re: Router under DDoS attack on port 53 and 389.

Mon Sep 30, 2019 12:37 pm

As you can see in the filter export, DNS and LDAP ports are being blocked. Or I'm doing something wrong with the configuration. I'm allowing access only to well-known public DNS servers like Google, OpenDNS and 1.1.1.1. I've tried to redirect DNS requests from the network to a local DNS server, but the same happens.
I think someone, maybe a client on the network, just starts the session and the attack starts its work.
Exhausting bandwidth and CPU.
If needed I can provide more information.
I don't know if someone has been in the same situation.
Thanks in advance.
 
Luri
just joined
Topic Author
Posts: 4
Joined: Tue Jun 07, 2016 8:20 pm

Re: Router under DDoS attack on port 53 and 389.

Mon Sep 30, 2019 1:04 pm

Do you really need your DNS server to be publicly available? And the same question for LDAP?

add action=accept chain=forward src-address=208.67.222.222
add action=accept chain=input src-address=208.67.222.222
add action=accept chain=forward src-address=1.1.1.1
add action=accept chain=input src-address=1.1.1.1
add action=accept chain=input src-address=8.8.8.8
add action=accept chain=forward src-address=8.8.8.8
add action=accept chain=forward src-address=8.8.4.4
add action=accept chain=input src-address=8.8.4.4
add action=drop chain=input disabled=yes in-interface=SFP1-combo1 log=yes protocol=udp
add action=drop chain=forward disabled=yes in-interface=SFP1-combo1 log=yes protocol=udp
add action=drop chain=input comment=DNSDROP log=yes protocol=udp src-port=53
add action=drop chain=forward comment=DNSDROP log=yes protocol=udp src-port=53
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=udp
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=tcp
add action=drop chain=input comment=LDAP log=yes protocol=udp src-port=389
add action=drop chain=forward comment=LDAP log=yes protocol=udp src-port=389
add action=drop chain=output comment=LDAP protocol=udp src-port=389
add action=drop chain=forward comment=LDAP dst-port=389 log=yes protocol=udp
add action=drop chain=output comment=LDAP dst-port=389 log=yes protocol=udp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Detect Port Scanners" dst-port=\
    21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=SFP1-combo1 protocol=tcp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" dst-port=53 \
    in-interface=SFP1-combo1 protocol=udp
add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=SFP1-combo1 src-address-list=BlackList
add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=SFP1-combo1 src-address-list=BlackList
add action=drop chain=input comment="Drop port scanners" src-address-list=PortScanners
add action=accept chain=input comment="suppress ping flood-0:0 and limit for 5pac/s" icmp-options=0:0-255 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment="suppress ping flood-3:3 and limit for 5pac/s" icmp-options=3:3 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment="suppress ping flood-3:4 and limit for 5pac/s" icmp-options=3:4 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment="suppress ping flood-8:0 and limit for 5pac/s" icmp-options=8:0-255 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment="suppress ping flood-11:0 and limit for 5pac/s" icmp-options=11:0-255 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=drop chain=input dst-port=10188 protocol=udp
add action=drop chain=input protocol=udp src-port=10188
add action=drop chain=forward protocol=udp src-port=10188
add action=drop chain=forward dst-port=10188 protocol=udp
add action=drop chain=forward dst-port=123 protocol=udp
add action=drop chain=forward protocol=udp src-port=123
add action=drop chain=input protocol=udp src-port=123
add action=drop chain=input dst-port=123 protocol=udp
add action=drop chain=input comment="Drop anything else"
Last edited by krisjanisj on Mon Sep 30, 2019 1:08 pm, edited 2 times in total.
Reason: Please post configs/code in [code] blocks to save people's scroll wheels
 
laxmimikrotik
Frequent Visitor
Posts: 58
Joined: Tue Apr 25, 2017 1:44 pm

Re: Router under DDoS attack on port 53 and 389.

Wed Oct 02, 2019 9:58 pm

How did you solve this problem??
The same problem has happened with mine... Is it solved??
Thanks.
-------------------------------
Every problem Has Solution .
ip-noc Team.
MTCNA ,MTCRE,
