mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Help MT constantly sending request to Google

Sat Jul 10, 2021 4:25 pm

Hello community:

I am having this issue on my router, would this be some kind of flooding? How can I solve this issue, I would appreciate any help please.



mikrotik-flood.jpg
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 4:31 pm

Why do you consider up to 10 DNS queries per minute a "flood"? Unless this happens even when nothing is connected to the LAN of that router, that's pretty normal traffic.

So what makes you believe it is unusual?
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 4:42 pm

You obfuscated the screenshot a tad too much. But the src-mac printed starts with F0:9F:C, and if it continues with "2", this means some Ubiquiti device in your LAN is actually misbehaving.

And it does look suspicious; the requests are highly periodic. Usual usage doesn't look that periodic.
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 4:43 pm

Why do you consider up to 10 DNS queries per minute a "flood"? Unless this happens even when nothing is connected to the LAN of that router, that's pretty normal traffic.

So what makes you believe it is unusual?

Hi Sindy,

Thanks for your fast reply. The PrtScreen provided is just a small part, but it's constantly giving me these msgs nonstop; suddenly it stops for a while and then it continues.

On the other hand, but not sure if related, last week our public IP was blacklisted; it was a machine which was isolated and the problem was fixed. I had to remove it manually.

Today, I got a notification from Barracuda about getting blacklisted: "LISTED-BARRACUDA-xxx.xxx.xxx.xx was listed 900 25"
We added a spammer filter rule to drop spamming.
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 4:50 pm

You obfuscated the screenshot a tad too much. But the src-mac printed starts with F0:9F:C, and if it continues with "2", this means some Ubiquiti device in your LAN is actually misbehaving.

And it does look suspicious; the requests are highly periodic. Usual usage doesn't look that periodic.

Thank you MKX.

Yes, it does, it starts with f0:9f:c2:92
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 4:59 pm

You obfuscated the screenshot a tad too much. But the src-mac printed starts with F0:9F:C, and if it continues with "2", this means some Ubiquiti device in your LAN is actually misbehaving.

And it does look suspicious; the requests are highly periodic. Usual usage doesn't look that periodic.

Any suggestion on what to do would be much appreciated, sir.
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 5:03 pm

The previous PrtSc originated from a UBNT device which is down right now, so my bad. The correct screen is the one posted now.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 5:34 pm

Okay, so if I get you right, you know you've got some issue somewhere in your network because your public IP is getting blacklisted, but you don't know what actually went wrong, and these DNS requests are just the first thing you've noticed so far?

On your last screenshot, the packets to Google DNS servers are sent by the Mikrotik router itself, but it presumably acts as a DNS proxy for the internal network, so it doesn't say much.

In general, using SMTP at port 25 without any authentication is not a best current practice, and preventing devices in LAN from establishing connections to TCP port 25 helps a lot against being blacklisted, but the trouble is that doing that only hides the symptoms and the machine remains infected. And the malware is usually a zombie asking the control center for instruction, so today it may send spam and tomorrow it may participate in a DDoS attack. So like you watch for DNS traffic, watch for traffic to TCP port 25 instead of blocking it. If some host in your internal networks initiates connections to TCP port 25 on many different addresses, it is likely to be infected.

It is also important what kind of network you operate - if it is a public one (like a WiFi hotspot), there is little point in identifying the particular device as it may belong to a random visitor, so generic preventive measures are more helpful; in a company network, it is really important to identify the infected machine and check that other ones haven't been infected too.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 5:47 pm

/export hide-sensitive file=anynameyouwish

plus provide a network diagram.
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 6:49 pm

/export hide-sensitive file=anynameyouwish

plus provide a network diagram.

Thank you Anav. As requested, here is the exported file.

My network diagram is simple, Internet>Router>clients. Anyways, I will do a drawing and post.

# jul/10/2021 09:14:06 by RouterOS 6.48.3
# software id = AZ05-F1YC
#
# model = RB1100x4
# serial number = D8590xxxxxxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=ether2 speed=100Mbps
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full auto-negotiation=no speed=10Mbps
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] name=ether8
set [ find default-name=ether9 ] name=ether9
set [ find default-name=ether11 ] name=ether11
set [ find default-name=ether12 ] name=ether12-Internet-2
set [ find default-name=ether13 ] name=ether13-Internet-1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.100-192.168.1.110
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1h name=\
dhcp1
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=ether1 multicast-router=disabled
add bridge=bridge1 interface=ether2 multicast-router=\
disabled
add bridge=bridge1 interface=ether3 multicast-router=disabled
add bridge=bridge1 interface=ether4 multicast-router=disabled
add bridge=bridge1 interface=ether5 multicast-router=disabled
add bridge=bridge1 interface=ether6 multicast-router=disabled
add bridge=bridge1 interface=ether7 multicast-router=disabled
add bridge=bridge1 interface=ether8 multicast-router=disabled
add bridge=bridge1 interface=ether9 multicast-router=disabled
add bridge=bridge1 interface=ether10 multicast-router=disabled
add bridge=bridge1 interface=ether11 multicast-router=disabled
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=Public IP interface=ether13-Internet-1 network=\
x.x.x.x
add address=192.168.1.254/24 interface=bridge1 network=192.168.1.0
add address=10.10.20.2/24 interface=ether12-Internet-2 network=10.10.20.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.254
/ip dns
set cache-size=4096KiB max-concurrent-queries=200 \
max-concurrent-tcp-sessions=40 servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.40.0/24 list=Network-LAN
/ip firewall filter
add action=add-src-to-address-list address-list=Spammer address-list-timeout=\
none-dynamic chain=forward connection-limit=30,32 dst-port=25 limit=\
50,5:packet log=yes protocol=tcp
add action=drop chain=forward log=yes src-address-list=Spammer
add action=drop chain=output dst-port=53 log=yes out-interface=\
ether13-Internet-1 protocol=udp
add action=drop chain=output dst-port=53 log=yes out-interface=\
ether13-Internet-1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether13-Internet-1 \
protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether13-Internet-1 \
protocol=tcp
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=\
"Allow Established/Related/Untracked connections" connection-state=\
established,related,untracked
add action=drop chain=input disabled=yes dst-port=8080 in-interface=\
ether13-Internet-1 protocol=tcp
add action=drop chain=input disabled=yes dst-port=8080 in-interface=\
ether12-Internet-2 protocol=tcp
add action=drop chain=forward connection-state=invalid disabled=yes
add action=accept chain=forward connection-state=new disabled=yes \
src-address=10.20.40.0/24
add action=accept chain=forward connection-state=established disabled=yes
add action=accept chain=forward connection-state=related disabled=yes
add action=accept chain=forward connection-state=untracked disabled=yes
add action=accept chain=input comment="Allow WinBox" disabled=yes port=8291 \
protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=3000 in-interface=\
ether13-Internet-1 protocol=tcp to-addresses=192.168.x.x to-ports=\
3000
add action=dst-nat chain=dstnat dst-port=1433 in-interface=\
ether13-Internet-1 protocol=tcp to-addresses=192.168.x.x to-ports=\
1433
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \
to-ports=8080
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip proxy
set cache-administrator=MikroTik cache-on-disk=yes
/ip route
add check-gateway=ping distance=1 gateway=x.x.x.x
add check-gateway=ping distance=2 gateway=10.10.20.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24 port=9090
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/system clock
set time-zone-name=
/system identity
set name=CORE-JIN
/system ntp client
set enabled=yes primary-ntp=198.27.76.102 secondary-ntp=198.251.86.68
/tool graphing interface
add interface=ether13-Internet-1
add interface=ether7
add interface=ether6
add interface=ether5
add interface=ether4
add interface=ether3
add interface=ether2
/tool netwatch
add comment=Google host=8.8.8.8
add comment=Gateway host=x.x.x.x
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 7:07 pm

Looking at the ports and times it seems to be repeats of each DNS request by the same client. It seems that there is no reply received.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 7:21 pm

(1) So all the ethernet ports on the router go to PCs?
(2) Why is your IP pool so small??
(3) ether1 doesn't show on your /interface ethernet list??
(4) Assuming you have two WAN connections? On ether ports 12 & 13?
(5) You are missing two important items.
a. /interface list
b. /interface list members

(6) I don't like your firewall rules LOL.

a. Get rid of the extra stuff and then determine if you really need it.
b. Stick to the defaults until you understand what each rule does.
c. Notice the SOURCE NAT RULE; replace the one you have with the one below.
d. We can tweak the firewall rules later if necessary............

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

(7) DST nat rules.... slightly modified but were okay.
add action=dst-nat chain=dstnat dst-port=3000,1433 protocol=tcp \
in-interface=ether13-Internet-1 to-addresses=192.168.x.x


(8) From a security standpoint, why is www permitted.........what are you using this for??
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24 port=9090
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 7:37 pm

In terms of the firewall, the change to the default that I recommend, after you have it working of course,
is to change both input and forward chains from "allow all and magically know which things one should block" TO
"allow nothing except what the admin specifically allows". Better security approach.
With the default approach everyone has access to the router, and in reality only the admin needs full access.
The rest simply need access to router services (like DNS or NTP).

In both cases this entails putting a drop all else rule as the last rule in each chain.
This raises two points however.

a. In the input chain unless you have a rule prior to this rule to allow the admin access to the router, the admin will be locked out of the router.
b. In the forward chain, since all traffic is no longer allowed, one has to create a rule allowing LAN to WAN (aka internet traffic).

In point a. one simply creates an allow rule from the trusted subnet; in this case your bridge should suffice, but better is to narrow it down ONLY to admin devices
(admin desktop, admin laptop, admin iPad, admin smartphone) via a firewall address list holding the statically assigned LAN IPs of these devices.

add chain=input action=accept comment="Admin Access" in-interface=bridge1 src-address-list=authorized-devices
where authorized-devices is
/ip firewall address-list
add address=<admin desktop IP> list=authorized-devices
add address=<admin laptop IP> list=authorized-devices
add address=<admin iPad IP> list=authorized-devices
add address=<admin smartphone IP> list=authorized-devices

Further, one then needs to add what services all users have access to....
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow NTP service" connection-state=\
new dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
NTPserver
add action=drop chain=input comment="Drop All Else"

In point b above, and as noted, with a drop rule in the forward chain one will need to add access to the internet (LAN to WAN traffic).
In the forward chain one also modifies the existing combined dstnat rule and "drop all WAN to LAN traffic" rule into
a separate allow port-forwarding rule. The drop rule at the end covers the WAN to LAN traffic, as well as any other LAN to WAN traffic not desired and all LAN to LAN traffic between different subnets.

add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
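The "drop all else" policy anav lays out above can be checked on paper before it goes onto a router that is in service. The following is an added example written for this thread; it is not anav's code and not RouterOS code. It is a small Python first-match evaluator that models the input and forward chains from the post with RouterOS semantics (the first matching rule in a chain decides, and a packet matching no rule is accepted, which is exactly why the final drop rule matters). The interface lists, the authorized-devices address list and the test packets are constructed for the example; interface names follow the export posted earlier in the thread.

```python
"""
Added example (not anav's code, not RouterOS code): a first-match evaluator for
the input and forward chains anav describes, so the two edge cases can be checked
before touching a live router:
  (a) once "Drop All Else" is in the input chain, any device not on the
      authorized-devices list loses management access, and without the
      "Admin Access" rule the admin locks themselves out too;
  (b) LAN-to-WAN traffic only passes because an explicit accept precedes the
      forward chain's final drop.
Interface lists, address lists and packets below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed interface lists and address lists (names mirror the thread)
IFACE_LISTS = {"LAN": {"bridge1"}, "WAN": {"ether13-Internet-1", "ether12-Internet-2"}}
ADDR_LISTS = {"authorized-devices": {"192.168.1.10", "192.168.1.11"}}


@dataclass
class Packet:
    chain: str                       # "input" = to the router, "forward" = through it
    src: str
    proto: str                       # "tcp", "udp", "icmp"
    dport: Optional[int]
    in_iface: str
    out_iface: Optional[str] = None
    conn_state: str = "new"
    nat_state: Optional[str] = None  # "dstnat" when a dst-nat rule already matched


@dataclass
class Rule:
    chain: str
    action: str
    comment: str
    match: dict = field(default_factory=dict)  # empty dict = matches everything

    def matches(self, p: Packet) -> bool:
        m = self.match
        checks = [
            ("in_list", lambda v: p.in_iface in IFACE_LISTS[v]),
            ("out_list", lambda v: p.out_iface in IFACE_LISTS[v]),
            ("in_iface", lambda v: p.in_iface == v),
            ("src_list", lambda v: p.src in ADDR_LISTS[v]),
            ("proto", lambda v: p.proto == v),
            ("dport", lambda v: p.dport == v),
            ("conn_state", lambda v: p.conn_state in v),
            ("nat_state", lambda v: p.nat_state == v),
        ]
        return all(fn(m[key]) for key, fn in checks if key in m)


# The ruleset from the post, in order; an empty match dict is "all else"
RULES = [
    Rule("input", "accept", "defconf: accept established,related,untracked",
         {"conn_state": {"established", "related", "untracked"}}),
    Rule("input", "drop", "defconf: drop invalid", {"conn_state": {"invalid"}}),
    Rule("input", "accept", "Admin Access",
         {"in_iface": "bridge1", "src_list": "authorized-devices"}),
    Rule("input", "accept", "Allow LAN DNS queries - TCP",
         {"conn_state": {"new"}, "dport": 53, "in_list": "LAN", "proto": "tcp"}),
    Rule("input", "accept", "Allow LAN DNS queries-UDP",
         {"conn_state": {"new"}, "dport": 53, "in_list": "LAN", "proto": "udp"}),
    Rule("input", "drop", "Drop All Else"),
    Rule("forward", "accept", "allow internet traffic",
         {"in_list": "LAN", "out_list": "WAN"}),
    Rule("forward", "accept", "Allow Port Forwarding",
         {"nat_state": "dstnat", "conn_state": {"new"}, "in_list": "WAN"}),
    Rule("forward", "drop", "Drop all else"),
]


def evaluate(p: Packet, rules=RULES):
    """Return (action, comment) of the first matching rule in the packet's chain.
    RouterOS accepts a packet that matches no rule, hence the explicit final drop."""
    for r in rules:
        if r.chain == p.chain and r.matches(p):
            return r.action, r.comment
    return "accept", "(no rule matched: implicit accept)"


def without(rules, comment):
    """Same ruleset minus one rule, to show what a missing rule costs."""
    return [r for r in rules if r.comment != comment]


# Constructed scenarios (documentation-range address for the WAN side)
ADMIN_WINBOX = Packet("input", "192.168.1.10", "tcp", 8291, "bridge1")
STAFF_WINBOX = Packet("input", "192.168.1.50", "tcp", 8291, "bridge1")
STAFF_DNS = Packet("input", "192.168.1.50", "udp", 53, "bridge1")
WAN_WINBOX = Packet("input", "203.0.113.9", "tcp", 8291, "ether13-Internet-1")
LAN_TO_WAN = Packet("forward", "192.168.1.50", "tcp", 443, "bridge1", "ether13-Internet-1")
WAN_TO_LAN = Packet("forward", "203.0.113.9", "tcp", 3000, "ether13-Internet-1", "bridge1")
PORT_FWD = Packet("forward", "203.0.113.9", "tcp", 3000, "ether13-Internet-1", "bridge1",
                  nat_state="dstnat")

if __name__ == "__main__":
    for name, pkt in [("admin winbox", ADMIN_WINBOX), ("staff winbox", STAFF_WINBOX),
                      ("staff dns", STAFF_DNS), ("wan winbox", WAN_WINBOX),
                      ("lan->wan", LAN_TO_WAN), ("wan->lan", WAN_TO_LAN),
                      ("port forward", PORT_FWD)]:
        print(f"{name:14s} -> {evaluate(pkt)}")
    # Point (a): forget the Admin Access rule and the admin is locked out too
    print("admin, no Admin Access rule ->", evaluate(ADMIN_WINBOX, without(RULES, "Admin Access")))
```

Running it shows the two outcomes anav warns about: with the rules in the stated order the admin device is accepted by "Admin Access" while an unlisted LAN PC and anything arriving on the WAN port fall through to "Drop All Else", and removing "Admin Access" drops the admin as well. The last check in the test (no final drop, unlisted PC accepted by the implicit policy) is the default-accept behaviour the whole post argues against.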
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help MT constantly sending request to Google

Sat Jul 10, 2021 9:19 pm

Today, I got a notification from Barracuda about getting blacklisted: "LISTED-BARRACUDA-243.202.25x.x6 was listed 900 25"
We added a spammer filter rule to drop spamming.

Does Tecomunica not provide any filters on its routers before giving connections to the end users?

The RouterBOARD sends requests to Google because you set 8.8.8.8 and 8.8.4.4 as DNS...

What I deduce from what is written and what is NOT written in your export:
You block all internal DNS traffic of the RouterBOARD,
but you still have some DNS to be resolved from the RouterBOARD.
Time-zone auto-detect, /interface detect-internet, /ip cloud update, and THE DUDE (active) try to resolve all IPs to hostnames,
and requests are tried over and over because internal DNS resolution is blocked by your rules.
This is why you have all this log on your device at that insistent rate.
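Two of the checks suggested in this thread can be run over the firewall log instead of read off a screenshot: sindy's "watch which LAN host opens TCP port 25 connections to many different addresses", and the periodic, unanswered router-originated DNS packets that mkx, msatter and rextended point to. The following is an added example, not from this thread and not from MikroTik: a Python script that parses RouterOS-style firewall log lines and applies both checks. The sample lines are constructed to imitate the output of firewall rules with log=yes (documentation-range addresses, an invented Ubiquiti-prefixed MAC); the exact log layout of a real device may differ slightly, so treat the regular expression as an assumption to adjust against your own /log print output.

```python
"""
Added example (not from the thread, not MikroTik code): parse RouterOS-style
firewall log lines and run two checks the thread discusses:
  1. a LAN host opening TCP/25 to many distinct addresses (sindy's indicator
     of an infected machine sending spam), and
  2. the router's own output-chain DNS packets being dropped and retried at a
     steady interval (the periodic log rextended explains).
The log lines below are constructed to mimic 'log=yes' output; no real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line layout: "<mon>/<day> <time> firewall,info <chain>: <ifaces>, [src-mac <mac>, ]
#   proto <PROTO>[ (flags)], <src>:<sport>-><dst>:<dport>, len <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d) firewall,info (?P<chain>\w+): (?P<ifaces>[^,]*), "
    r"(?:src-mac (?P<mac>[0-9a-f:]+), )?proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# Constructed sample: one LAN host fanning out on port 25, one normal mail client
# talking to a single relay, and the router retrying an unanswered DNS query every 5 s.
SAMPLE_LOG = """\
jul/10 16:20:01 firewall,info forward: in:bridge1 out:ether13-Internet-1, src-mac f0:9f:c2:92:00:01, proto TCP (SYN), 192.168.1.10:51234->203.0.113.5:25, len 60
jul/10 16:20:02 firewall,info forward: in:bridge1 out:ether13-Internet-1, src-mac f0:9f:c2:92:00:01, proto TCP (SYN), 192.168.1.10:51235->198.51.100.7:25, len 60
jul/10 16:20:02 firewall,info forward: in:bridge1 out:ether13-Internet-1, src-mac f0:9f:c2:92:00:01, proto TCP (SYN), 192.168.1.10:51236->203.0.113.77:25, len 60
jul/10 16:20:03 firewall,info forward: in:bridge1 out:ether13-Internet-1, src-mac f0:9f:c2:92:00:01, proto TCP (SYN), 192.168.1.10:51237->198.51.100.9:25, len 60
jul/10 16:20:03 firewall,info forward: in:bridge1 out:ether13-Internet-1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.20:49152->203.0.113.25:25, len 60
jul/10 16:20:05 firewall,info output: in:(none) out:ether13-Internet-1, proto UDP, 192.0.2.10:52000->8.8.8.8:53, len 58
jul/10 16:20:10 firewall,info output: in:(none) out:ether13-Internet-1, proto UDP, 192.0.2.10:52001->8.8.8.8:53, len 58
jul/10 16:20:15 firewall,info output: in:(none) out:ether13-Internet-1, proto UDP, 192.0.2.10:52002->8.8.8.8:53, len 58
jul/10 16:20:20 firewall,info output: in:(none) out:ether13-Internet-1, proto UDP, 192.0.2.10:52003->8.8.8.8:53, len 58
not a firewall line at all
"""


def parse_log(text):
    """Return one dict per recognised firewall log line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%b/%d %H:%M:%S")  # year-less timestamps
        e["dport"] = int(e["dport"])
        entries.append(e)
    return entries


def smtp_fanout(entries, min_targets=3):
    """LAN hosts that opened TCP/25 to at least min_targets distinct addresses.
    A mail client talks to one or two relays; a spam bot talks to many."""
    targets = defaultdict(set)
    for e in entries:
        if e["chain"] == "forward" and e["proto"] == "TCP" and e["dport"] == 25:
            targets[e["src"]].add(e["dst"])
    return sorted((src, len(d)) for src, d in targets.items() if len(d) >= min_targets)


def dns_retry_intervals(entries):
    """Seconds between consecutive router-originated (output chain) DNS packets,
    keyed by (src, dst). Evenly spaced repeats are the retry pattern of a
    resolver whose queries are being dropped before they leave the box."""
    per_flow = defaultdict(list)
    for e in entries:
        if e["chain"] == "output" and e["dport"] == 53:
            per_flow[(e["src"], e["dst"])].append(e["ts"])
    return {flow: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for flow, ts in per_flow.items()}


def is_periodic(intervals, jitter=1):
    """True when at least two intervals exist and all lie within `jitter` seconds."""
    return len(intervals) >= 2 and max(intervals) - min(intervals) <= jitter


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("port-25 fan-out:", smtp_fanout(entries))
    for flow, iv in dns_retry_intervals(entries).items():
        print("router DNS", flow, "intervals", iv, "periodic" if is_periodic(iv) else "irregular")
```

The fan-out check deliberately counts distinct destinations rather than packets, so a single busy but legitimate mail client (one relay, many messages) does not trip it; the periodicity check looks only at the output chain, which is where the export's own drop rules for UDP/TCP 53 on the WAN interface would log the router's unanswered queries.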
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sun Jul 11, 2021 2:35 am

(1) So all the ethernet ports on the router go to PCs?
(2) Why is your IP pool so small??
(3) ether1 doesn't show on your /interface ethernet list??
(4) Assuming you have two WAN connections? On ether ports 12 & 13?
(5) You are missing two important items.
a. /interface list
b. /interface list members

(6) I don't like your firewall rules LOL.

a. Get rid of the extra stuff and then determine if you really need it.
b. Stick to the defaults until you understand what each rule does.
c. Notice the SOURCE NAT RULE; replace the one you have with the one below.
d. We can tweak the firewall rules later if necessary............

Thank you anav for taking your time, sir!
Ok, I will answer your questions accordingly.
A1) Ports are connected not to PCs (except 1 PC) but to several radio links (small WISP with fewer than 30 CPEs in a very small city).
A2) Pool is small as I manage it all with static IPs. So I use a small pool when I get connected to the router directly.
A3) Strange that ether1 doesn't show; I believe I erased it by mistake when modifying in Notepad++. Anyways, the ether1 port is not being used.
A4) That's correct, I have two WAN interface connections, a simple fail-over.
A5)
A6) I'm aware my firewall rules are not doing much. This is another reason why I am humbly asking for your help on this awesome forum.
A7) Ok, so instead of having 2 NAT rules, I would have to simplify it to 1 NAT rule for both ports.
A8) I was doing a test to access bandwidth graphics; just disabled it.

I can erase all rules and start from zero, but add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN is not working, as on the drop-down list it does not show LAN.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help MT constantly sending request to Google

Sun Jul 11, 2021 2:40 am

I can erase all rules and start from zero, but add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN is not working, as on the drop-down list it does not show LAN.

You must RESET config from /system reset to give back all default values, if NOTHING is personalized with netinstall or branding.
Simply copying and pasting the default firewall rules does not recreate the WAN and LAN groups and all other settings.
viewtopic.php?f=13&t=175129&p=856824#p856824
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sun Jul 11, 2021 2:48 am

You must update to latest 6.47.10 and RESET config from /system reset to give back all default values.
Simply copying and pasting the default firewall rules does not recreate the WAN and LAN groups and all other settings.

Thank you rextended. Then I cannot do this today, as this router is in service and providing Internet; I would have to program it, or I can get another RB1100x4, do it offline and then swap. I am currently using RouterOS 6.48.

I am even thinking of swapping this MT router and putting in an unopened WatchGuard Firebox M270; I'm just refusing it for now as I love MikroTik :/

BTW, I see you are from Italy awesome country, been there, it's a dream !

Thank you
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help MT constantly sending request to Google

Sun Jul 11, 2021 2:50 am

While you were writing, I added a link to my previous post #16, read it again.

Do not forget to read my previous post #14:
viewtopic.php?f=2&t=176743&p=866839#p866820

Thank you very much, you are really kind!
Also Managua, between two lakes and two oceans, must be really splendid!
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sun Jul 11, 2021 3:03 am

While you were writing, I added a link to my previous post, read it again.

Do not forget to read my previous post:
viewtopic.php?f=2&t=176743&p=866839#p866820

Also Managua, between two lakes and two oceans, must be really splendid!

That's correct rextended =)

I did read your post and disabled the drop DNS request rules. It's not showing the long logs anymore ^_^

Thank you.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help MT constantly sending request to Google

Sun Jul 11, 2021 3:04 am

Just ask, if I can help... help. ;)

Please try to not quote if you just reply to previous post, thanks! ;)
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sun Jul 11, 2021 3:08 am

Thank you so much rextended. :). Is there any way I can send you a direct msg?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help MT constantly sending request to Google

Sun Jul 11, 2021 3:20 am

No, but if you write here on this topic, I will read the message for sure.

But remember that this is a user forum, not WhatsApp :))
 
mja
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun May 11, 2008 4:29 am

Re: Help MT constantly sending request to Google

Sun Jul 11, 2021 5:49 am

Lol understood :P
