Community discussions

kapvcop
newbie
Topic Author
Posts: 33
Joined: Sat Oct 20, 2018 4:29 pm

Blocking persistent connections

Wed May 27, 2020 11:55 pm

Hi everyone,

I would appreciate some guidance on the following issue. In my firewall log I have seen multiple connection attempts from the WAN to an IP that I had allowed through the firewall. The behaviour is as follows: from a public IP they try to connect to one of my private IPs, and I see that they try again and again; obviously the source port on the "attacker's" WAN IP changes each time. I see the following information:

1 firewall,info Connect to 172.16.2.9 dstnat: in:WAN1 out:(unknown 0), src-mac LA MASCARA, proto TCP (SYN), IPDELATACANTE:27611->MIIPPUBLICA:PUERTO, len 52

For now I made a manual rule that blocks this IP by putting it in a banned list, so that it blocks this forward traffic attempt from the WAN toward the private IP with the TCP SYN flag set; additionally I made another rule that completely blocks this list of banned IPs.

I have read about SYN flood attacks, but I already had several rules for that which I researched on the MikroTik Wiki...

My question is: how can I do this process automatically? That is, have something check whether the same IP repeatedly tries to connect to some local IP and move it to a ban list, in addition to what I already had.
I see in Torch that with the rules I made they are not reaching the local IP and there is no established connection, so I suppose the rule is working; what I want is to automate this. Can you give me some guidance?

I also found this on the Internet, but I don't know whether I should implement it; I read that it is not the cleanest approach.

Finally, enable SYN cookies
• /ip settings set tcp-syncookies=yes (RouterOS > v6.0)
• /ip firewall connection tracking set tcp-syncookie=yes (RouterOS < v6.0)

I also tried this, but it is not very different from what I found on the MKT wiki, so I removed it

/ip firewall filter
add action=jump chain=input comment="Policy 3" jump-target=syn-flood protocol=tcp tcp-flags=syn
add chain=syn-flood limit=100,5
add action=drop chain=syn-flood

Thanks in advance
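One way to automate what the post asks for, using the staged address-list pattern that RouterOS firewall rules support natively (no script needed). This is an added example, not code from the thread or from MikroTik's wiki; it assumes the WAN interface is named WAN1 and the dst-nat'ed host is 172.16.2.9 as in the log line, and the list names, the 1-minute window and the 1-day ban are chosen values.

```routeros
# Added example (not from the thread). Assumes in-interface WAN1 and the
# dst-nat'ed host 172.16.2.9 from the log line; list names and timeouts are chosen values.
# These forward-chain rules must sit ABOVE any rule that accepts dst-nat'ed traffic.
/ip firewall filter

# 1. Cheap early drop: anything from a source already on the banned list never
#    reaches the host or the staging rules below.
add chain=forward in-interface=WAN1 src-address-list=banned action=drop comment="drop already-banned sources"

# 2-5. Staging. add-src-to-address-list does not terminate the chain, so one new
#    connection walks down all four rules. A source that is still on stage3 (i.e. it
#    already opened 3 new connections within the last minute) gets banned for 1 day;
#    otherwise it is promoted one stage. Each stage entry expires after 1m of silence,
#    so a host that connects occasionally never accumulates stages.
add chain=forward in-interface=WAN1 protocol=tcp connection-state=new dst-address=172.16.2.9 src-address-list=stage3 action=add-src-to-address-list address-list=banned address-list-timeout=1d log=yes log-prefix="auto-ban" comment="4th new connection within 1m -> banned for 1d"
add chain=forward in-interface=WAN1 protocol=tcp connection-state=new dst-address=172.16.2.9 src-address-list=stage2 action=add-src-to-address-list address-list=stage3 address-list-timeout=1m comment="3rd new connection within 1m"
add chain=forward in-interface=WAN1 protocol=tcp connection-state=new dst-address=172.16.2.9 src-address-list=stage1 action=add-src-to-address-list address-list=stage2 address-list-timeout=1m comment="2nd new connection within 1m"
add chain=forward in-interface=WAN1 protocol=tcp connection-state=new dst-address=172.16.2.9 action=add-src-to-address-list address-list=stage1 address-list-timeout=1m comment="1st new connection"

# 6. The SYN that triggered the ban has already passed rule 1, so drop it here;
#    every later packet from that source is stopped by rule 1.
add chain=forward in-interface=WAN1 src-address-list=banned action=drop comment="drop the packet that triggered the ban"

# Inspect what the rules have collected (entries disappear when their timeout expires):
/ip firewall address-list print where list=banned
```

Tune the threshold by changing the stage timeouts (the window) or adding/removing stages (the count); the log entries prefixed "auto-ban" show which sources were added and when.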
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Blocking persistent connections

Thu May 28, 2020 2:46 am

Reminder: the forum language is English.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking persistent connections

Thu May 28, 2020 5:45 am

You are the epitome of lazy Mr Mutluit!!

{translated}

"Hello everyone,
I would like if you can guide me on this topic that I bring, I have seen in my firewall log multiple attempts to connect from the WAN to an IP that was allowed from the firewall, the behavior is as follows: from a public IP they try to connect to one of my private IPs and I see that they try again and again, obviously the port changes them to the WAN IP of the "attacker" and I see the following information:

1 firewall,info Connect to 172.16.2.9 dstnat: in:WAN1 out:(unknown 0), src-mac LA MASCARA, proto TCP (SYN), IPDELATACANTE:27611->MIIPPUBLICA:PUERTO, len 52

Currently I made a manual rule to block this IP that I put in a banned list in such a way that it blocks this attempt of Forward traffic from the WAN towards the private IP with the TCP SYN flag active; additionally I made another total block rule for this list of banned IPs.
I have read about SYN flood attacks but I already had several rules for this that I investigated on the MikroTik Wiki....

My question is how can I do this process automatically? That is to say, something checks if the same IP repeatedly tries to connect to a local IP and passes it to a ban list, this in addition to what I already had. I see in Torch that with the rules that I made they are not reaching the local IP and there is no established connection, so I suppose that the rule is working for me; what I want is to automate this, can you give me some orientation?

I got this on the Internet too but I don't know if I should implement it, I read that it is not the most verbose

Finally enable SYN cookies
• /ip settings set tcp-syncookies=yes (RouterOS > v6.0)
• /ip firewall connection tracking set tcp-syncookie=yes (RouterOS < v6.0)

I also did this test but it is not much different from what I found on the MKT wiki so I removed it

/ip firewall filter
add action=jump chain=input comment="Policy 3" jump-target=syn-flood protocol=tcp tcp-flags=syn
add chain=syn-flood limit=100,5
add action=drop chain=syn-flood

I thank you in advance"
 
BartoszP
Forum Guru
Posts: 2875
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Blocking persistent connections

Thu May 28, 2020 7:40 am

Anav:

Rules should be obeyed.

Do you volunteer to translate posts instead of all lazy OP?
