otgooneo
Trainer
Topic Author
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Blocking some kind of attack

Thu Nov 18, 2010 11:15 am

Sometimes the RB1000 CPU usage increases to 100% for the whole day. I found the reason: some unauthorized DHCP client PCs try to create over 100 identical SSL connections. I can find those connections with /ip firewall connection print, then I can block the client's MAC address. But that is too manual a way to find those attackers. Please see the screenshot below.
I tried to catch those packets and connections with firewall mangle and filter rules, but it was not successful.
#1st try
chain=input action=add-src-to-address-list protocol=tcp address-list=attack address-list-timeout=30m dst-port=443 connection-limit=70,32
#2nd try
chain=input action=add-src-to-address-list protocol=tcp address-list=attack address-list-timeout=30m dst-port=443
How can I reject those packets or add those attackers to an address list, or create a script that prints /ip firewall connection, then analyzes it, finds sources with over 50 SSL connections with the same src-address and dst-address, and adds the src-address to an address list?
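What the post above asks for, as an added example that is not from the original thread: a RouterOS script that walks the connection table, counts tracked TCP connections to port 443 per source address, and puts any source over a threshold on an address list that a filter rule then drops. The list name BadIP and the 10-minute timeout come from the thread; the threshold of 50, the script name https-flood-check, the use of the filter chain pre-hs-input (the chain the hotspot jumps to from hs-input before its own dynamic rules, so the redirected login-page traffic passes through it) and the v6-style scripting syntax (:foreach key,value and array keys via ->) are assumptions.

```routeros
# Added example, not from the original thread.
# Body of:  /system script add name=https-flood-check source={ ... }
# Assumed values: threshold 50, list "BadIP", entry timeout 10 minutes.
:local threshold 50
:local listName "BadIP"
:local counts [:toarray ""]

# Every tracked TCP connection whose destination port is 443. dst-address is
# stored as "ip:port"; ~ is a regex match and the $ is escaped so it is not
# expanded as a variable.
:foreach c in=[/ip firewall connection find protocol=tcp dst-address~":443\$"] do={
    :local src [/ip firewall connection get $c src-address]
    # drop the source port: "10.5.50.23:51234" -> "10.5.50.23"
    :local ip [:pick $src 0 [:find $src ":"]]
    :local n ($counts->$ip)
    :if ([:typeof $n] = "nothing") do={ :set n 0 }
    :set ($counts->$ip) ($n + 1)
}

# List each source over the threshold once; the timeout expires the entry on
# its own, so a client that stops misbehaving is unblocked without manual work.
:foreach ip,n in=$counts do={
    :if ($n > $threshold) do={
        :local addr [:toip $ip]
        :if ([:len [/ip firewall address-list find list=$listName address=$addr]] = 0) do={
            /ip firewall address-list add list=$listName address=$addr timeout=00:10:00 \
                comment="https-flood: $n tcp/443 connections"
            :log warning "https-flood: $ip has $n tcp/443 connections, added to $listName"
        }
    }
}

# Install (typed at the CLI, not part of the script body):
#   /ip firewall filter add chain=pre-hs-input src-address-list=BadIP protocol=tcp \
#       action=drop comment="https-flood: drop sources found by https-flood-check"
#   /system scheduler add name=https-flood-check interval=1m on-event=https-flood-check
```

The drop rule sits in pre-hs-input rather than input because the hotspot's own dynamic jump is placed ahead of user rules in input; pre-hs-input is the hook the hotspot leaves for exactly this purpose. A one-minute schedule is a compromise: the connection walk is cheap compared with the redirect loop it is meant to stop, but it is not free on a busy router.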
 
Ibersystems
Forum Guru
Posts: 1686
Joined: Wed Apr 12, 2006 12:29 am
Location: Cabrils, Barcelona - Spain

Re: Blocking some kind of attack

Thu Nov 18, 2010 11:20 am

chain=input action=drop protocol=tcp connection-limit=70,32
This will allow only 69 TCP connections per customer (70-1 with the /32 mask).
 
otgooneo
Trainer
Topic Author
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Blocking some kind of attack

Wed Nov 24, 2010 5:55 am

It doesn't work. I think maybe this connection limit is only for established or new connections. Those attackers' connections are not established; they just try to establish.

Now I think there is only one way to solve it: find the IP address from the connection list, catch it and block it temporarily.
Please help me create a script for it:
/ip firewall connection find src-address, if dst-address-port=0.0.0.0/0:443, connection-count>70
Then it needs to add this src-address to address-list=BadIP time-out=00:10:00
 
otgooneo
Trainer
Topic Author
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Blocking some kind of attack

Fri Dec 10, 2010 5:47 am

Any idea?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Blocking some kind of attack

Fri Dec 10, 2010 6:29 am

The firewall filter rule would probably work fine. You are using the 'input' chain, which is for traffic destined directly to the router. Unless that destination IP is on a router interface, that obviously won't work. Try the 'forward' chain instead.
 
omidkosari
Trainer
Posts: 640
Joined: Fri Sep 01, 2006 4:18 pm
Location: Canada, Toronto

Re: Blocking some kind of attack

Fri Dec 10, 2010 12:21 pm

Tarpit is the best way.
 
otgooneo
Trainer
Topic Author
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Blocking some kind of attack

Mon Dec 13, 2010 10:57 am

Hi fewi,

I tried setting the rules in "forward". But I couldn't catch those connections. So I added the rule below and watched what happened:
chain=hs-unauth action=add-src-to-address-list protocol=tcp \
address-list=attack address-list-timeout=5m
Now I can catch those attackers' src-addresses. But it also picks up some IPs from good, clean connections. Then I tried:
chain=hs-unauth action=add-src-to-address-list protocol=tcp \
address-list=attack address-list-timeout=5m connection-limit=40,32
But it can't catch them. Then I tried this:
chain=hs-unauth action=add-src-to-address-list protocol=tcp \
address-list=attack address-list-timeout=5m dst-port=443
Same result, it can't catch the bad connections.

Okay, if firewall rules can't catch it, I need to add a script to find those connections. Please help me to do this.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: Blocking some kind of attack

Mon Dec 13, 2010 12:04 pm

Hi,

If you have found the right chain, then try restricting all HTTPS traffic from one host to, say, about 20 connections.
Skip adding them to a list, just drop them.

Try that and see if it helps?
 
otgooneo
Trainer
Topic Author
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Blocking some kind of attack

Mon Dec 13, 2010 12:44 pm

Yes, but the most interesting thing about that traffic is that the "forward" chain can't catch it. Only the "hs-unauth" chain can catch the unauthorized TCP connection attempts, but not stably (see the screenshot). Okay, it doesn't work stably, but it works. Then the next step was to try to catch any TCP 443. Wow. But it can't. It just catches no traffic. But the bad connections are still in the firewall connections and the CPU load is 100%.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: Blocking some kind of attack

Mon Dec 13, 2010 12:57 pm

How about adding a rule in the hs-unauth chain?
 
otgooneo
Trainer
Topic Author
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Blocking some kind of attack

Mon Dec 13, 2010 1:59 pm

Not helpful. Could you please help me add a script for it?
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: Blocking some kind of attack

Mon Dec 13, 2010 2:09 pm

Can you please show us your rules and also point out where the packets hit.
That way we might be able to construct a rule in the right order that will help.

Also is there any known similarity between the attacks? The same dest-ip or just https?
 
sadoank
just joined
Posts: 20
Joined: Sun Nov 28, 2010 7:45 am

Re: Blocking some kind of attack

Mon Dec 13, 2010 2:46 pm

Try adding nice.rsc or a nice list...

so you can allow the IPs that you want to allow and drop any IP that you don't want to access your IP...

CMIIW
 
otgooneo
Trainer
Topic Author
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Blocking some kind of attack

Wed Dec 15, 2010 6:40 am

Hi again,

I found the reason. As you know, when using the Hotspot service, it creates dynamic filter and NAT rules. One of them is:
14 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443
So some applications (maybe bad applications) installed on the user's PC try to establish HTTPS connections every moment, and RouterOS redirects all those requests to port 64875 (the hotspot login page). Therefore CPU usage increases to 100%. When the user logs in, it stops. Or when I remove this NAT rule, it stops. But without this rule, HTTPS requests can't be redirected to the login page.

Now I removed this dynamic rule (because dynamic rules can't be changed) and added a new one like this, but with a changed connection limit:
chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443 connection-limit=10,32
Now I'm waiting for the users who were affecting the network, because yesterday when I changed the NAT rule, the bad user turned off his computer. I hope it will work.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Blocking some kind of attack

Wed Dec 15, 2010 6:46 am

Don't delete the dynamic rules. You are breaking your Hotspot. You should delete the Hotspot instance and recreate it to get the rule back. Never touch the dynamic rules.

Then: http://mum.mikrotik.com/presentations/U ... xWindt.pdf, pages 7-9.
 
otgooneo
Trainer
Topic Author
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Blocking some kind of attack

Wed Dec 15, 2010 10:50 am

Wow, thanks fewi, it is a very, very useful document for me. I'll try using the pre-hotspot chain.
But I think I can delete all the dynamic rules and create those rules manually. But it's very bad when the router restarts and the hotspot creates the dynamic rules again.
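One way to combine fewi's pre-hotspot suggestion with the connection-limit idea from the thread, as an added example that is not from the thread or the linked presentation. It leaves the dynamic hs-unauth redirect alone: pre-hotspot is the NAT chain the hotspot jumps to before its own dynamic rules, so rules placed there survive a hotspot re-create and a reboot. NAT rules are evaluated only on the first packet of a connection, so connection-limit here is checked when a client opens a new tcp/443 connection and counts that client's still-tracked connections that earlier matched the same rule. The list name https-loop, the limit of 10, the 5-minute timeout and the hotspot=!auth matcher are assumptions; what happens to a connection once the redirect is skipped is decided by the hotspot's own dynamic filter rules (for an unauthenticated client, normally a reject), which this example relies on rather than changes.

```routeros
# Added example, not from the thread. Assumed names: address list "https-loop".
/ip firewall nat
# Listed clients: accept ends NAT processing here, so the dynamic hs-unauth
# redirect to the login port (64875 in the thread) is skipped for them. Once
# the list entry expires the client is redirected to the login page as usual.
add chain=pre-hotspot hotspot=!auth protocol=tcp dst-port=443 \
    src-address-list=https-loop action=accept \
    comment="https-loop: skip login-page redirect for clients that are looping"
# A new tcp/443 connection from an unauthenticated client that already has 10
# or more tracked tcp/443 connections through this rule puts the client on the
# list for 5 minutes. Authenticated users (hotspot=auth) never match.
add chain=pre-hotspot hotspot=!auth protocol=tcp dst-port=443 \
    connection-limit=10,32 action=add-src-to-address-list \
    address-list=https-loop address-list-timeout=5m \
    comment="https-loop: unauth client opening too many tcp/443 connections"
```

The accept rule is placed first so that a client already on the list is not counted again on every retry. The effect is self-limiting: while listed, the client's HTTPS attempts are no longer terminated by the router's login-page TLS listener, so they stop costing CPU, and when the entry expires a well-behaved client gets the login page again without anyone clearing a list by hand.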
