texmeshtexas
Member Candidate
Topic Author
Posts: 151
Joined: Sat Oct 11, 2008 11:17 pm

Botnet and bad actor filters

Fri Apr 16, 2021 6:16 pm

Just thought I would share this with the Mikrotik community.

I've always been a proponent of keeping garbage traffic off our network in an effort to conserve our very expensive infrastructure resources. Besides doing the usual things like blocking Bogon IP traffic and blocking certain TCP/UDP ports, we recently implemented traffic filtering with the help of an outside list source.

About 2.5 months ago we implemented some filtering at our edge to help protect our network and customers from the never-ending attempts by cyber criminals to attack the innocent, and to keep those already infected with malware from communicating out to Botnet CC and bad actors in general.

We took the Spamhaus BGP feeds (www.spamhaus.org/bgpf) and blocked all traffic to/from all 3 lists. Absolutely no customer complaints, so we feel the lists are pretty clean.

Results so far (2.5 months) for our 3300+ sub network:
294K blocks outbound
84M blocks inbound
That comes down to about 47K blocks of bad traffic an hour.
Would be glad to share our implementation details with any other non-competing WISP. We use Mikrotik edge routers, so our scripts will be specific to RouterOS. Will also share the contact of our rep from SecurityZones.net who we work with to get the Spamhaus BGP setup going.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Botnet and bad actor filters

Fri Apr 16, 2021 7:21 pm

Can you also filter bad actors from Netflix?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Botnet and bad actor filters

Fri Apr 16, 2021 10:21 pm

> Can you also filter bad actors from Netflix?
Awesome!!!
 
PortalNET
Member Candidate
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Re: Botnet and bad actor filters

Wed May 19, 2021 3:15 am

Hi

Quick question: do you have your own ASN? How do you filter it and block the attacks from botnets? Is it done directly on the BGP? Because the ASN public IPs assigned to your clients should not have port blocks at all done on the BGP box, right? Could you please comment on how it's done? Does it simply drop all IPs from that BGP list?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Botnet and bad actor filters

Wed May 19, 2021 3:41 am

Who is the idiot that pays
> Pricing
> Based on network size, starting from $2,500 per annum.
> https://www.spamhaus.com/product/border ... -protocol/
for one rule on "/firewall raw" (drop all in prerouting when the source is on the combined drop-edrop-c&c list)
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt

And one rule on ipv6 firewall
https://www.spamhaus.org/drop/dropv6.txt

or some drop filter on BGP?
https://www.spamhaus.org/drop/asndrop.txt
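As an added example (not any poster's code, and not Spamhaus's or MikroTik's own tooling), here is how the DROP text format linked above can be turned into the address list plus single raw rule rextended describes, validating every line before it becomes a router command. The feed text is a constructed sample, and the list name `spamhaus-drop` and the 1d timeout are assumptions.

```python
import ipaddress
import re
# Constructed sample in the Spamhaus DROP text layout (NOT the live feed): comment
# lines start with ';', entries are "CIDR ; SBLnnn"; the last three are deliberately bad.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example)
192.0.2.0/24 ; SBL100001
198.51.100.0/24 ; SBL100002
2001:db8::/32 ; SBL100003
300.1.1.0/24 ; SBL100004
10.0.0.0/8 ; SBL100005
203.0.113.1/25 ; SBL100006
"""

ENTRY_RE = re.compile(r"^(\S+)\s*;\s*(SBL\d+)$")

# Ranges an edge router must never learn to drop from an external feed.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_local(net):
    """True if net overlaps a private, loopback or link-local range of its family."""
    return any(n.version == net.version and (net.subnet_of(n) or n.subnet_of(net))
               for n in NEVER_BLOCK)

def parse_drop(text):
    """Return [(ip_network, sbl_id)] for well-formed entries; anything else is skipped,
    because every accepted line becomes a command typed into the router."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                     # unexpected layout: never pass it through
        try:
            net = ipaddress.ip_network(m.group(1), strict=True)
        except ValueError:
            continue                     # bad octet (300.x) or host bits set (.1/25)
        if is_local(net):
            continue                     # a feed mistake here would cut off your own LAN
        entries.append((net, m.group(2)))
    return entries

def routeros_commands(entries, list_name="spamhaus-drop", timeout="1d"):
    """RouterOS CLI lines: expiring address-list entries plus one raw drop rule per
    direction (raw works without connection tracking, as on an ISP edge box)."""
    cmds, families = [], set()
    for net, sbl in entries:
        fam = "ipv6" if net.version == 6 else "ip"
        families.add(fam)
        cmds.append(f"/{fam} firewall address-list add list={list_name} "
                    f"address={net} comment={sbl} timeout={timeout}")
    for fam in sorted(families):
        for side in ("src", "dst"):
            cmds.append(f"/{fam} firewall raw add chain=prerouting {side}-address-list="
                        f'{list_name} action=drop comment="Spamhaus DROP {side}"')
    return cmds
```

The timeout means a missed refresh lets entries expire rather than leaving stale blocks in place; since RouterOS refuses to add an address that is already in the same list, a refresh run should clear the list's entries before re-adding them.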
 
PortalNET
Member Candidate
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Re: Botnet and bad actor filters

Mon May 31, 2021 2:46 am

Hi @rextended

Is there a firewall rule to block port scanners via /ip firewall raw?

I want to block port scanning on our ASN IPv4 /22 IP block. On our threat monitor system we see hundreds of thousands of port scanner events every day, and they come from different source IPs and ports to our destination IPv4 /22 and different ports.

My question is: is there a way of blocking this port scanning activity via firewall/raw?

I have tried via firewall filters with drop actions, but we have in NAT a firewall rule to accept all incoming traffic without blocking ports on the ASN IPv4 /22 block, and therefore firewall NAT filters do not work.

But instead we have tested that via RAW we can block some suspicious ports for all ASN IPv4 and internal NAT private IPs.

As shown in the pic below, trying to scan our IPs from outside: https://pasteboard.co/K4mhc8b.png
Last edited by PortalNET on Mon May 31, 2021 2:56 am, edited 1 time in total.
 
PortalNET
Member Candidate
Posts: 126
Joined: Sun Apr 02, 2017 7:24 pm

Re: Botnet and bad actor filters

Mon May 31, 2021 2:55 am

 
sikkanet
just joined
Posts: 2
Joined: Fri Sep 02, 2011 12:34 am

Re: Botnet and bad actor filters

Wed Nov 17, 2021 9:14 am

Hi @texmeshtexas, would you mind sharing further details over DM or email?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Botnet and bad actor filters

Wed Nov 17, 2021 9:41 am

> Is there a firewall rule to block port scanners via /ip firewall raw?
Here is what I do:
viewtopic.php?f=23&t=178496

In short: anyone who tries any port on my routers that is not open will be blocked for 24 hours on all ports, even 443 etc.
This gives me an address list with around 5K to 10K IP addresses blocked at all times.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Botnet and bad actor filters

Wed Nov 17, 2021 5:14 pm

Basically all useless. :-P
Drop all else for both input and forward chains. Mostly done!
One thing one could consider is to route non-public subnets, not on one's router, to blackhole.

The idea of blacklists, I suppose, is to stop your unsuspecting users that are allowed to access the internet from hitting bad private IPs..........
Will blacklists even block https to bad sites???

If the answer is yes, or maybe if not, then use this cheap but effective service, and get on with life and stop worrying about stuff you cannot control.
https://itexpertoncall.com/promotional/moab.html
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Botnet and bad actor filters

Thu Nov 18, 2021 2:25 am

> If the answer is yes, or maybe if not, then use this cheap but effective service, and get on with life and stop worrying about stuff you cannot control.
> https://itexpertoncall.com/promotional/moab.html
@anav
MOAB principally captures IP addresses that ARE related to on-line attacks, on-line service abuse, malware, botnets, command and control servers and other cybercrime activities, currently numbering 639 million IP addresses … and is extremely effective AND efficient in preventing malicious external attacks …. The biggest problem is that many do not know or understand how to properly configure their firewall …. MOAB does not protect from internal actions caused by poor security disciplines.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Botnet and bad actor filters

Thu Nov 18, 2021 4:37 pm

Hi Mozerd,
My question should be posed differently then.

Since most firewalls, 99% in MT, block WAN to LAN and WAN to router traffic, what is the point of all the lists??
The only threats I see are:
a. LAN users visiting bad sites, be they torrenting etc....... (so perhaps the lists have validity to ensure the users are blocked from visiting known bad sites)
b. LAN users downloading a bot or some malware (despite the lists above attempting to block users from visiting bad sites). NOW WHAT???
c. How do we set up the router to detect/warn etc. that a PC has been compromised?? (assuming that the PC's anti-virus software has been thwarted)
i. Well, the lists may have some utility in that the malware is attempting to reach bad sites (so lists may have some utility again).
ii. The type/character of bad outgoing traffic may be detectable and thus blocked??
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Botnet and bad actor filters

Thu Nov 18, 2021 6:18 pm

> Since most firewalls, 99% in MT, block WAN to LAN and WAN to router traffic, what is the point of all the lists??
Probes are not blocked, and probes are the main threat as they try to get a response from any one of 65K ports. Blacklists prevent probes from known sources. Prevent the probes and that solves 99% of the issues. The other 1% is internal disciplines.

MOAB is a threat-centered approach whose effectiveness depends on how well and how often the blacklist and its associated responses are refreshed and updated -- in MOAB's case that takes place 3 times each day, 7x24/365 -- which in turn all depends on the volume of threats a system has to deal with. It's estimated that 2 million new pieces of malware are emerging each month; keeping a blacklist updated now calls upon the gathering of threat intelligence from millions of devices and endpoints, using cloud-based services like FireHol ... MOAB's principal source.

The principal advantages of blacklisting lie in the simplicity of its principle: you identify everything bad that you don't want getting into or operating on your system, exclude it from access, then allow the free flow of everything else. It has been and continues to be the basis on which signature-based anti-virus and anti-malware software operates. From a firewall perspective MOAB blocks probes from over 639 million sources .... if a USER tries to connect to any one of those 639 million sources MOAB will prevent that from happening.

For users, it's traditionally been a low-maintenance option, as responsibility for compiling and updating a blacklist of applications or entities falls to MOAB itself and its related databases, or to some form of third-party threat intelligence/service provider like FireHol.

So for your b. LAN users downloading a bot or some malware (despite the lists above attempting to block users from visiting bad sites). NOW WHAT?
If that bot comes from an UNKNOWN source THEN you are screwed .... BUT if one follows good security practices that will not happen .... most bots come from enticements originating in emails and/or hacked websites ... many non-malicious bots are done by governments and legit entities who want to CONTROL your habits ... and again, if proper security practices are followed those events will not happen.

So for your c. How do we set up the router to detect/warn etc. that a PC has been compromised??
The logging system should provide info ...
Known sources will be blocked .... unknown sources will not .... but everything depends on solid security practices via education .... 99% of users will avoid effective security practices because those practices are too restrictive to their freedom of access.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Botnet and bad actor filters

Thu Nov 18, 2021 7:14 pm

In summary,
if one has no ports open on the router, does that solve the probe threat??
If one has only VPN ports open (a random selection of port for WireGuard, for example), is that a risk??

I am trying to ascertain the level of threat/risk of the probes.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Botnet and bad actor filters

Thu Nov 18, 2021 7:20 pm

Do not see the problem only at user level.

The ISP cannot apply the rule "drop all" at the end of the forward chain....

The ISP cannot block all ports directed to users, because you drop nearly all services.
(On the edge router NAT and connection tracking are not active, and every user has their own public IP.)

And if users are allowed by law to use their OWN router... you know the rest of this story...
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Botnet and bad actor filters

Thu Nov 18, 2021 7:30 pm

> if one has no ports open on the router, does that solve the probe threat??
> If one has only VPN ports open (a random selection of port for WireGuard, for example), is that a risk??
The whole idea is to prevent probes …. If no port will respond the probe will fail … what most fail to recognize is that there are hundreds of thousands of probes [if not millions] taking place daily …. Routers will deal with probes and that uses bandwidth … preventing probes saves on bandwidth.

Some ISPs have mechanisms to prevent probes …. to save on the BW issue … but few do that.

But that does not solve the outgoing calls to any one of 639 million baddies …. MOAB prevents both.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Botnet and bad actor filters

Thu Nov 18, 2021 7:38 pm

I use a honeypot for discovering new "scanners", and lists to prevent probes from listed sources,
and I forbid internal users BOTH from spoofing their own real address (the account is blocked indefinitely until I manually resume it)
and from contacting remote IPs on lists (the account is locked for 1 day if no other actions are taken, and I receive notice of this and directly call the user).

On probes I never reply "forbidden", tarpit or other; I simply blackhole all traffic incoming from uplink on my edge routers,
and I blackhole, after logging and disabling the user, all outbound traffic.

This does not waste my internal bandwidth.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Botnet and bad actor filters

Thu Nov 18, 2021 11:15 pm

I am making no progress here.

So, even if I don't have any ports open, my router is still using cycles to answer port probes??
Is it better to drop all such probes in raw, or ignore the probes?

/ip firewall raw add chain=prerouting protocol=tcp dst-port=1-65000 in-interface-list=WAN action=drop

A honeypot seems complicated..... I am just getting used to the idea of blackhole IP routes to stop spoofing of private IPs on the LAN.

I don't have an edge router. Are you saying I should get another CCR1009 or RB5009 solely as an edge router??

Sounds like MOAB is still useful to stop traffic outbound to bad actors??
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Botnet and bad actor filters

Thu Nov 18, 2021 11:28 pm

Seeing @anav promoting a useless blacklist and then trying to justify it is hilarious.
Please, continue.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Botnet and bad actor filters

Thu Nov 18, 2021 11:49 pm

> Seeing @anav promoting a useless blacklist and then trying to justify it is hilarious.
> Please, continue.
I have no steak or stake in any blacklists. I am trying to ascertain the
impractical from the practical and apply necessary rules in a minimalistic approach.

Thus far I am hearing:
Probes are bad and even if you don't have any open ports they suck up CPU cycles.
a. What is the best method to deal with this?
- scanners
- honeypots
- use of raw only as I suggested?
- etc........... what is actually better than
i. a plain block-all on the input chain/forward chain, and why?

Outgoing traffic from LANs that is attempting to spoof other private IPs, not on your LAN, is bad.
a. Use blackhole IP routes for this subset of bad actors/outgoing traffic.

Outgoing traffic going to bad actors/IP sites:
a. Use of blacklists may be helpful?
b. Anything else.........?

Any way to capture/identify bad outgoing traffic (patterns/types etc..........)?
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Botnet and bad actor filters

Fri Nov 19, 2021 4:46 pm

> Any way to capture/identify bad outgoing traffic (patterns/types etc..........)?
@anav ... you are looking for Tech security NIRVANA and TiK cannot do that for YOU .... You can achieve Tech security NIRVANA by using Untangle, and for your use case it's a US $50 per year license plus a $399 appliance plus the learning curve. The z4plus is the one I suggest for U.

Otherwise MOAB fits the Bill very nicely using Tiks ... :D
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Botnet and bad actor filters

Fri Nov 26, 2021 10:33 pm

Znevna uses mind control on his users and they magically don't send traffic to bad sites, and that's why he doesn't need blackholes, honeypots, probe blockers or, wait for it.................. updated BLACKLISTS......... I just wish he would get on with patenting his mind control............
