
Router under DDoS attack on port 53 and 389.

Posted: Tue Sep 24, 2019 1:22 pm
by Luri
Hello, I'm having an attack issue on my router. I'm not able to prevent it. Need help please!
add action=drop chain=input disabled=yes in-interface=SFP1-combo1 log=yes \
    protocol=udp
add action=drop chain=forward disabled=yes in-interface=SFP1-combo1 log=yes \
    protocol=udp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Detect Port Scanners" dst-port=\
    21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=\
    SFP1-combo1 protocol=tcp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" \
    dst-port=53 in-interface=SFP1-combo1 protocol=udp
add action=drop chain=input comment="Drop Blacklisted Hosts to Router" \
    in-interface=SFP1-combo1 src-address-list=BlackList
add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" \
    in-interface=SFP1-combo1 src-address-list=BlackList
add action=drop chain=input comment="Drop port scanners" src-address-list=\
    PortScanners
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add Port scanners to blacklist" protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add NMAP FIN Stealth scan to list" protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add SYN/FIN scan to list" protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add SYN/RST scan to list" protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add FIN/PSH/URG scan to list" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add ALL/ALL scan to list" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
    3d chain=input comment="Add NMAP NULL scan to list" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=AccessRouter1 \
    address-list-timeout=10s chain=input comment="Port Knock for Router Access" \
    dst-port=10000 protocol=tcp
add action=add-src-to-address-list address-list=AccessRouter2 \
    address-list-timeout=10s chain=input dst-port=20000 protocol=udp \
    src-address-list=AccessRouter1
add action=add-src-to-address-list address-list=AccessRouter3 \
    address-list-timeout=1h chain=input dst-port=30000 protocol=udp \
    src-address-list=AccessRouter2
add action=add-src-to-address-list address-list=AccessRouter4 \
    address-list-timeout=1h chain=input dst-port=40000 protocol=tcp \
    src-address-list=AccessRouter3
add action=accept chain=input comment="Allow in Winbox" dst-port=8291 \
    in-interface=SFP1-combo1 protocol=tcp src-address-list=AccessRouter4
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
    3,32 protocol=tcp src-address-list=DOSattacker
add action=add-src-to-address-list address-list=DOSattacker \
    address-list-timeout=1d chain=input comment="Detect DoS attack" \
    connection-limit=20,32 in-interface=SFP1-combo1 log=yes protocol=tcp
add action=accept chain=input comment=\
    "suppress ping flood-0:0 and limit for 5pac/s" icmp-options=0:0-255 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
    "suppress ping flood-3:3 and limit for 5pac/s" icmp-options=3:3 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
    "suppress ping flood-3:4 and limit for 5pac/s" icmp-options=3:4 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
    "suppress ping flood-8:0 and limit for 5pac/s" icmp-options=8:0-255 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
    "suppress ping flood-11:0 and limit for 5pac/s" icmp-options=11:0-255 \
    in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=udp
add action=drop chain=input comment=DNSDROP log=yes protocol=udp src-port=53
add action=drop chain=forward comment=DNSDROP protocol=udp src-port=53
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop anything else" log=yes protocol=udp \
    src-port=389
add action=drop chain=forward comment="Drop anything else" protocol=udp \
    src-port=389
add action=drop chain=output comment="Drop anything else" protocol=udp \
    src-port=389
add action=drop chain=forward comment="Drop anything else" dst-port=389 log=yes \
    protocol=udp
add action=drop chain=output comment="Drop anything else" dst-port=389 log=yes \
    protocol=udp
add action=drop chain=input dst-port=10188 protocol=udp
add action=drop chain=input protocol=udp src-port=10188
add action=drop chain=forward protocol=udp src-port=10188
add action=drop chain=forward dst-port=10188 protocol=udp
add action=drop chain=forward dst-port=123 protocol=udp
add action=drop chain=forward protocol=udp src-port=123
add action=drop chain=input protocol=udp src-port=123
add action=drop chain=input dst-port=123 protocol=udp

Re: Router under DDoS attack on port 53 and 389.

Posted: Tue Sep 24, 2019 2:03 pm
by Zacharias
Can you try to drop input from that source MAC address using your firewall???

Re: Router under DDoS attack on port 53 and 389.

Posted: Tue Sep 24, 2019 2:34 pm
by mkx
Source MAC address is likely peer router (the other side of WAN interface).

The sad fact is that it's almost impossible to deal with a DDoS attack other than by (temporarily) dropping all connections contributing to the DDoS. In your case it's hard to do, as those packets seemingly originate from DNS servers, and if you block all packets with src port equal to 53, your clients won't be able to resolve anything. So you'd have to whitelist a few known-to-be-good DNS servers and block the rest. And deal with DNS requests in your network (by redirecting requests to DNS servers to either your own DNS server or to one of the selected public servers).
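To see what the whitelist-and-drop approach above actually catches, here is an added example (not from the thread or from MikroTik) that aggregates reflected UDP traffic per source from firewall log lines. The log lines are constructed to resemble what the thread's log=yes DNSDROP/LDAP drop rules emit; the trusted-resolver set and the 2-packet threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like RouterOS firewall log entries
# (prefix, chain, interface, proto, src:port->dst:port, len); not real captures.
SAMPLE_LOG = """\
DNSDROP input: in:SFP1-combo1 out:(none), proto UDP, 8.8.8.8:53->203.0.113.10:51322, len 120
DNSDROP input: in:SFP1-combo1 out:(none), proto UDP, 198.51.100.7:53->203.0.113.10:10188, len 1480
DNSDROP input: in:SFP1-combo1 out:(none), proto UDP, 198.51.100.7:53->203.0.113.10:10188, len 1480
DNSDROP input: in:SFP1-combo1 out:(none), proto UDP, 198.51.100.7:53->203.0.113.10:10188, len 1480
LDAP input: in:SFP1-combo1 out:(none), proto UDP, 198.51.100.9:389->203.0.113.10:10188, len 1472
LDAP input: in:SFP1-combo1 out:(none), proto UDP, 198.51.100.9:389->203.0.113.10:10188, len 1472
DNSDROP input: in:SFP1-combo1 out:(none), proto UDP, 1.1.1.1:53->203.0.113.10:44012, len 96
"""

LINE_RE = re.compile(
    r"proto (?P<proto>\w+), (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)"
)

# Resolvers the router is expected to receive replies from (assumed whitelist).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "208.67.222.222"}
# Source ports typical of DNS and CLDAP amplification replies.
REFLECTION_PORTS = {53, 389}

def summarise(log_text, trusted=TRUSTED_RESOLVERS):
    """Return (suspects, trusted_bytes): suspects maps src IP -> (packets, bytes,
    sorted source ports) for UDP from a reflection port that is NOT a trusted resolver."""
    suspects = defaultdict(lambda: [0, 0, set()])
    trusted_bytes = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP":
            continue
        sport = int(m["sport"])
        if sport not in REFLECTION_PORTS:
            continue
        size = int(m["len"])
        if m["src"] in trusted:
            trusted_bytes += size          # legitimate resolver replies, keep allowing
            continue
        entry = suspects[m["src"]]
        entry[0] += 1
        entry[1] += size
        entry[2].add(sport)
    return {ip: (p, b, sorted(ports)) for ip, (p, b, ports) in suspects.items()}, trusted_bytes

def top_sources(log_text, min_packets=2):
    """Suspect sources with at least min_packets hits, heaviest by bytes first."""
    suspects, _ = summarise(log_text)
    return sorted((ip for ip, (p, _, _) in suspects.items() if p >= min_packets),
                  key=lambda ip: -suspects[ip][1])

def address_list_commands(log_text, list_name="BlackList", timeout="1d"):
    """RouterOS commands that would put the heavy reflection sources on an address list."""
    return [f"/ip firewall address-list add list={list_name} address={ip} timeout={timeout} "
            f"comment=\"reflection src {'/'.join(map(str, summarise(log_text)[0][ip][2]))}\""
            for ip in top_sources(log_text)]
```

Near-MTU packet sizes from many distinct resolvers, as in the constructed sample, are the signature of reflection rather than of one misbehaving client; as R1CH's later reply notes, dropping them on the router still does not recover the WAN bandwidth they consume.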

Re: Router under DDoS attack on port 53 and 389.

Posted: Wed Sep 25, 2019 3:39 pm
by R1CH
If you're experiencing high CPU load then you should remove unnecessary firewall rules (all those port scan detection rules for example are useless if you just drop by default). If you're experiencing bandwidth exhaustion then the attack can only be filtered by your upstream.

Re: Router under DDoS attack on port 53 and 389.

Posted: Mon Sep 30, 2019 11:45 am
by Luri
Thanks for your advice!
I've whitelisted well-known DNS servers. I've changed the public IP, but it's still the same. The conclusion is that somebody is trying to harm the network from inside.
The same happens 2-5 hours after changing IPs.
I'll try to deal with my service provider.
Best for all of you.

Re: Router under DDoS attack on port 53 and 389.

Posted: Mon Sep 30, 2019 11:49 am
by erlinden
Do you really need your DNS server to be publicly available? And the same question for LDAP?

Re: Router under DDoS attack on port 53 and 389.

Posted: Mon Sep 30, 2019 12:37 pm
by Luri
As you can see in the filter export, DNS and LDAP ports are being blocked. Or I'm doing something wrong with the configuration. I'm allowing access only to well-known public DNS servers like Google, OpenDNS and 1.1.1.1. I've tried to redirect DNS requests from the network to a local DNS server, but the same happens.
I think someone, maybe a client on the network, just starts the session and the attack starts its work.
Exhausting bandwidth and CPU.
If needed I can provide more information.
I don't know if someone has been in the same situation.
Thanks in advance.

Re: Router under DDoS attack on port 53 and 389.

Posted: Mon Sep 30, 2019 1:04 pm
by Luri
Do you really need your DNS server to be publicly available? And the same question for LDAP?

add action=accept chain=forward src-address=208.67.222.222
add action=accept chain=input src-address=208.67.222.222
add action=accept chain=forward src-address=1.1.1.1
add action=accept chain=input src-address=1.1.1.1
add action=accept chain=input src-address=8.8.8.8
add action=accept chain=forward src-address=8.8.8.8
add action=accept chain=forward src-address=8.8.4.4
add action=accept chain=input src-address=8.8.4.4
add action=drop chain=input disabled=yes in-interface=SFP1-combo1 log=yes protocol=udp
add action=drop chain=forward disabled=yes in-interface=SFP1-combo1 log=yes protocol=udp
add action=drop chain=input comment=DNSDROP log=yes protocol=udp src-port=53
add action=drop chain=forward comment=DNSDROP log=yes protocol=udp src-port=53
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=udp
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=tcp
add action=drop chain=input comment=LDAP log=yes protocol=udp src-port=389
add action=drop chain=forward comment=LDAP log=yes protocol=udp src-port=389
add action=drop chain=output comment=LDAP protocol=udp src-port=389
add action=drop chain=forward comment=LDAP dst-port=389 log=yes protocol=udp
add action=drop chain=output comment=LDAP dst-port=389 log=yes protocol=udp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Detect Port Scanners" dst-port=\
    21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=SFP1-combo1 protocol=tcp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" dst-port=53 \
    in-interface=SFP1-combo1 protocol=udp
add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=SFP1-combo1 src-address-list=BlackList
add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=SFP1-combo1 src-address-list=BlackList
add action=drop chain=input comment="Drop port scanners" src-address-list=PortScanners
add action=accept chain=input comment="suppress ping flood-0:0 and limit for 5pac/s" icmp-options=0:0-255 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment="suppress ping flood-3:3 and limit for 5pac/s" icmp-options=3:3 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment="suppress ping flood-3:4 and limit for 5pac/s" icmp-options=3:4 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment="suppress ping flood-8:0 and limit for 5pac/s" icmp-options=8:0-255 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment="suppress ping flood-11:0 and limit for 5pac/s" icmp-options=11:0-255 in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=drop chain=input dst-port=10188 protocol=udp
add action=drop chain=input protocol=udp src-port=10188
add action=drop chain=forward protocol=udp src-port=10188
add action=drop chain=forward dst-port=10188 protocol=udp
add action=drop chain=forward dst-port=123 protocol=udp
add action=drop chain=forward protocol=udp src-port=123
add action=drop chain=input protocol=udp src-port=123
add action=drop chain=input dst-port=123 protocol=udp
add action=drop chain=input comment="Drop anything else"

Re: Router under DDoS attack on port 53 and 389.

Posted: Wed Oct 02, 2019 9:58 pm
by laxmimikrotik
How did you solve this problem??
The same problem has happened with mine... Is it solved??