tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

mikrotik used as a spoof ddns

Sun Jun 13, 2021 2:48 pm

We got an email that:

"You appear to be running an open recursive resolver at IP address x.x.x.157 that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size."

How to prevent this?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: mikrotik used as a spoof ddns

Sun Jun 13, 2021 3:06 pm

Don't open port 53 to the whole internet?
Or just use a proper firewall?
And fire the guy that handles router security. Since he didn't do his job.
Or, send him to training.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: mikrotik used as a spoof ddns

Sun Jun 13, 2021 3:36 pm

Without seeing the config, hard to say.

/export hide-sensitive file=anynameyouwish
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: mikrotik used as a spoof ddns

Sun Jun 13, 2021 4:06 pm

If you log your DNS requests, you will also see who is requesting DNS from your router.
dns MikroTik: query from 192.168.10.21: #430899 clientservices.googleapis.com. A
dns MikroTik: query from 192.168.10.217: #430896 growth-pa.googleapis.com. A
dns MikroTik: query from 192.168.10.217: #430895 connectivitycheck.gstatic.com. A
dns MikroTik: query from 192.168.10.217: #430892 www.google.com. A
dns MikroTik: query from 192.168.10.178: #430878 piston-meta.mojang.com. A
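As an added example (not code from this thread or from MikroTik), the script below parses RouterOS DNS query log lines in the format shown above and separates queries from the served LAN from queries arriving from outside addresses, which is the pattern an abused resolver shows. The five 192.168.10.x lines are the ones quoted above; the two lines from 203.0.113.45 asking for ANY are constructed to illustrate an outside client, and the 192.168.10.0/24 LAN prefix is an assumption.

```python
import ipaddress
import re
from collections import Counter

# RouterOS "dns" topic log lines: the first five are quoted from the post,
# the last two are CONSTRUCTED (203.0.113.0/24 is a documentation range)
# to show what a query from outside the LAN looks like.
SAMPLE_LOG = """\
dns MikroTik: query from 192.168.10.21: #430899 clientservices.googleapis.com. A
dns MikroTik: query from 192.168.10.217: #430896 growth-pa.googleapis.com. A
dns MikroTik: query from 192.168.10.217: #430895 connectivitycheck.gstatic.com. A
dns MikroTik: query from 192.168.10.217: #430892 www.google.com. A
dns MikroTik: query from 192.168.10.178: #430878 piston-meta.mojang.com. A
dns MikroTik: query from 203.0.113.45: #430901 example.com. ANY
dns MikroTik: query from 203.0.113.45: #430902 example.com. ANY
"""

# Prefixes the router is meant to resolve for (assumed). Any other source
# is an outside client, or the spoofed address of a reflection victim.
LAN_PREFIXES = [ipaddress.ip_network("192.168.10.0/24")]

LINE_RE = re.compile(
    r"query from (?P<src>[0-9a-fA-F.:]+): #(?P<qid>\d+) (?P<name>\S+) (?P<qtype>\S+)$"
)


def parse_line(line):
    """Return a dict for one DNS query log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "qid": int(m["qid"]),
        "name": m["name"],
        "qtype": m["qtype"],
    }


def is_lan(addr):
    return any(addr in net for net in LAN_PREFIXES)


def external_queries(log_text):
    """Parsed queries whose source address is not on a served LAN prefix."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not is_lan(rec["src"]):
            out.append(rec)
    return out


def summarize(log_text):
    """Count outside queries by source and by query type."""
    ext = external_queries(log_text)
    return {
        "external_total": len(ext),
        "by_source": dict(Counter(str(r["src"]) for r in ext)),
        "by_qtype": dict(Counter(r["qtype"] for r in ext)),
    }


if __name__ == "__main__":
    for rec in external_queries(SAMPLE_LOG):
        print("outside query: %s asked %s %s" % (rec["src"], rec["qtype"], rec["name"]))
    print(summarize(SAMPLE_LOG))
```

Feed it a log export instead of SAMPLE_LOG (for example the output of /log print where topics=dns) and adjust LAN_PREFIXES to the networks the router actually serves; any non-empty result from external_queries means the router is still answering for addresses it should not.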
 
johnson73
Member Candidate
Posts: 174
Joined: Wed Feb 05, 2020 10:07 am

Re: mikrotik used as a spoof ddns

Sun Jun 13, 2021 5:01 pm

Such cases are quite common when an internet provider sends emails stating that your IP is open to a dns resolver.
Without seeing your firewall configuration, let's say you use the default config. Close access to DNS port 53 from the outside. It is best to use the Raw chain so as not to overload the CPU.
LAN=local lan, WAN=internet ISP
/ip firewall raw
add action=add-src-to-address-list address-list="DNS flood" address-list-timeout=4w2d chain=prerouting comment=\
    DNS dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=udp src-address-list="DNS flood"
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=tcp src-address-list="DNS flood"
 
tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

Re: mikrotik used as a spoof ddns

Sun Jun 13, 2021 9:16 pm

johnson73 wrote:
Such cases are quite common when an internet provider sends emails stating that your IP is open to a dns resolver.
Without seeing your firewall configuration, let's say you use the default config. Close access to DNS port 53 from the outside. It is best to use the Raw chain so as not to overload the CPU.
LAN=local lan, WAN=internet ISP
/ip firewall raw
add action=add-src-to-address-list address-list="DNS flood" address-list-timeout=4w2d chain=prerouting comment=\
    DNS dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=udp src-address-list="DNS flood"
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=tcp src-address-list="DNS flood"
Thanks, but isn't this enough?
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=tcp reject-with=icmp-network-unreachable src-address-list=!DNS
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS
where DNS address list is 1.1.1.1 and 8.8.8.8


These are the filters:
/ip firewall filter
add action=accept chain=forward comment="Allow Est, Rel" connection-state=established,related
add action=accept chain=input comment="Allow Est, Rel" connection-state=established,related
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp src-address-list=HQ2_IPs
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp src-address-list=HQ1_IPs
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp src-address-list=HQ1_IPs
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp src-address-list=HQ2_IPs
add action=accept chain=input comment="Allow ICMP" protocol=icmp src-address-list=HQ2_IPs
add action=accept chain=input comment="Allow ICMP" protocol=icmp src-address-list=HQ1_IPs
add action=drop chain=forward comment="Drop Inv." connection-state=invalid
add action=drop chain=input comment="Drop Inv." connection-state=invalid
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=tcp reject-with=icmp-network-unreachable src-address-list=!DNS
add action=reject chain=input comment="Drop !DNS" dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS
add action=accept chain=output comment="OUT- PMTUD" icmp-options=3:4 protocol=icmp
add action=accept chain=input comment="IN- PMTUD" icmp-options=3:4 protocol=icmp
add action=accept chain=input comment="IN-Allow ping 1468b do 5 u sekundi" limit=5,1:packet packet-size=1468 protocol=icmp
add action=add-src-to-address-list address-list=pingers address-list-timeout=1d chain=input comment="IN-list ICMP which dont match criteria" in-interface-list=WAN log-prefix=Ping@IN protocol=icmp src-address-list=""
add action=add-src-to-address-list address-list=@Services_Phase1 address-list-timeout=30m chain=input comment=IN-Services_Phase1 dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=@Services_Phase1 address-list-timeout=30m chain=input comment=IN-Services_Phase1-UDP dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=udp
add action=add-src-to-address-list address-list=@Services_Phase2 address-list-timeout=30m chain=input comment=IN-Services_Phase2 dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=tcp src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase2 address-list-timeout=30m chain=input comment=IN-Services_Phase2-UDP dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=udp src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase3 address-list-timeout=1w chain=input comment=IN-Services_Phase3 dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=tcp src-address-list=@Services_Phase2
add action=add-src-to-address-list address-list=@Services_Phase3 address-list-timeout=1w chain=input comment=IN-Services_Phase3-UDP dst-port=21,22,23,69,80,443,5060,8080 in-interface-list=WAN protocol=udp src-address-list=@Services_Phase2
add action=drop chain=input comment=IN-Faza3_dropRAW disabled=yes src-address-list=@Services_Phase3
add action=drop chain=input comment="IN-Blokiraj Shodan" src-address-list=shodan
add action=drop chain=input comment="IN-Brani se od pingera" src-address-list=pingers
add action=drop chain=input disabled=yes packet-size=200-65535 protocol=icmp
add action=drop chain=forward disabled=yes packet-size=200-65535 protocol=icmp
add action=jump chain=forward comment="SYN Flood protect FORWARD" connection-state=new disabled=yes jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" connection-state=new disabled=yes jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=syn-attack connection-state=new disabled=yes limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new disabled=yes protocol=tcp tcp-flags=syn
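Whichever rule set is used to close port 53 towards the WAN, the practical check afterwards is the one the ISP's notice implies: send a single recursive query to the router's own public address from a host outside the network and read the flags in whatever comes back. The script below is an added example, not code from this thread or from MikroTik. It builds a minimal DNS query with the RD bit set, parses the 12-byte reply header, and reports whether recursion is still being offered (RA set) or refused; a timeout is the expected outcome once the firewall drops the traffic. The WAN address 192.0.2.1 is a placeholder and the queried name example.com is arbitrary.

```python
import random
import socket
import struct

# DNS header RCODE values (RFC 1035 / RFC 6895) used in the verdict text.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None, rd=True):
    """Build a minimal DNS query for `name`, QCLASS IN, qtype A by default.

    RD=1 is what an outside client sets to ask the router to recurse on its
    behalf; a resolver that is closed to the WAN must not honour it.
    """
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the DNS header fields that matter for the open-resolver check."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(header):
    """Turn a parsed reply header into a verdict for the WAN-side check."""
    if header["rcode"] == 5:
        return "closed (REFUSED)"
    if not header["ra"]:
        return "closed (recursion not available)"
    return "open (recursion available, rcode %s)" % RCODE_NAMES.get(
        header["rcode"], header["rcode"])


def check_resolver(wan_ip, name="example.com", timeout=3.0):
    """Send one recursive query to wan_ip:53/udp and classify the answer.

    Run it from outside your own network against your own router's public
    address after changing the firewall. No reply within the timeout means
    the query was dropped (or nothing listens), the usual sign the fix works.
    """
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (wan_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "closed (no reply within %.1fs)" % timeout
    header = parse_header(data)
    if header["id"] != txid or not header["qr"]:
        return "unexpected reply (id or QR mismatch)"
    return classify(header)


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a documentation placeholder; pass your router's WAN address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(check_resolver(target))
```

Run it once before and once after applying the firewall change; a reply that parses as "open" means outside clients can still make the router recurse for them, regardless of which chain the rules sit in.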
