 
shielder
Member Candidate
Topic Author
Posts: 221
Joined: Wed Feb 09, 2005 7:09 pm
Location: Indonesia

Protect router against attack

Sat Mar 04, 2006 5:45 pm

Hi, recently my mikrotik router has many undesired packets passing through. I have found that most of them are ICMP packets (between 2kbps - 12 kbps), so I decided to block the destination IP. Is there any way to protect our router from this kind of "attack"? Or maybe someone would like to share their experience in handling "attack" from outside so all of us could discuss this further.

Regards,
Lim
 
Gotmoh
newbie
Posts: 38
Joined: Fri Jul 15, 2005 8:56 am

Sun Mar 05, 2006 1:00 pm

Just block input ICMP packets from sources. You can use an address list to pass only from accepted places.
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Sun Mar 05, 2006 3:56 pm

Don't block ICMP completely, e.g. MTU-Path Discovery is ICMP-based.
At the demo-system there are some rules concerning ICMP.
 
oriondotnet
Frequent Visitor
Posts: 65
Joined: Tue Jan 17, 2006 9:27 pm

Sun Mar 05, 2006 4:29 pm

Anyone kind enough to share how to block an ICMP attack?
 
vklimovs
Frequent Visitor
Posts: 57
Joined: Fri Dec 16, 2005 5:37 pm

Sun Mar 05, 2006 6:25 pm

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="drop invalid \
    connections" disabled=no 
add chain=input protocol=tcp psd=10,3s,3,1 action=drop comment="drop possible \
    port scans" disabled=no 
add chain=input protocol=udp dst-port=137-139 action=drop comment="deny \
    NETBIOS services" disabled=no 
add chain=input protocol=udp dst-port=161 action=accept comment="allow SNMP \
    connections" disabled=no 
add chain=input protocol=tcp dst-port=2000 action=accept comment="allow \
    bandwidth test TCP connections" disabled=no 
add chain=input protocol=udp action=accept comment="allow UDP protocol" \
    disabled=no 
add chain=input protocol=tcp dst-port=21 action=accept comment="allow FTP \
    access" disabled=no 
add chain=input protocol=tcp dst-port=22 action=accept comment="allow SSH \
    access" disabled=no 
add chain=input protocol=tcp dst-port=80 action=accept comment="allow HTTP \
    access" disabled=no 
add chain=input protocol=tcp dst-port=8291 action=accept comment="allow Winbox \
    access" disabled=no 
add chain=input protocol=tcp dst-port=1723 action=accept comment="allow PPTP \
    access" disabled=no 
add chain=input connection-state=established action=accept comment="accept \
    established connections" disabled=no 
add chain=input connection-state=related action=accept comment="accept related \
    connections" disabled=no 
add chain=input protocol=icmp icmp-options=8:0 action=accept \
    comment="allow ICMP echo request" disabled=no 
add chain=forward in-interface=Local out-interface=Global action=drop \
    comment="" disabled=no 
add chain=input protocol=icmp icmp-options=3:4 action=accept comment="allow \
    ICMP Fragmentation Needed" disabled=no 
add chain=input action=log log-prefix="" comment="log everything else" \
    disabled=yes 
add chain=input action=drop comment="drop everything else" disabled=yes
Note that you still have to enable the last rules to achieve any effect. I posted them as disabled for security reasons. Of course, you can substitute the input chain with any other, including forward. If you don't use some services like SNMP or PPTP, just disable or even delete the appropriate rules.
:)
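
Added example, not part of vklimovs's post: a simplified Python model of first-match evaluation over the input-chain rules above, showing which packets change verdict once the final "drop everything else" rule is enabled. It assumes RouterOS accepts a packet that reaches the end of the chain unmatched; the packet dictionaries, sample packets and function names are constructed for illustration.

```python
# Added example: simplified first-match model of the input chain posted above.
# Not modelled: the psd port-scan matcher, the log rule and the forward rule.
# The five single-port TCP accept rules are folded into one entry.
RULES = [
    ("drop",   {"state": "invalid"}),
    ("drop",   {"proto": "udp", "ports": range(137, 140)}),   # NETBIOS
    ("accept", {"proto": "udp", "ports": [161]}),             # SNMP
    ("accept", {"proto": "tcp", "ports": [2000]}),            # bandwidth test
    ("accept", {"proto": "udp"}),                             # all other UDP
    ("accept", {"proto": "tcp", "ports": [21, 22, 80, 8291, 1723]}),
    ("accept", {"state": "established"}),
    ("accept", {"state": "related"}),
    ("accept", {"proto": "icmp", "icmp": (8, 0)}),            # echo request
    ("accept", {"proto": "icmp", "icmp": (3, 4)}),            # fragmentation needed
]
FINAL_DROP = ("drop", {})  # "drop everything else", posted with disabled=yes

def matches(match, pkt):
    """True when every field present in the rule equals the packet's field."""
    if "ports" in match and pkt.get("dport") not in match["ports"]:
        return False
    return all(pkt.get(k) == v for k, v in match.items() if k != "ports")

def verdict(pkt, final_drop_enabled):
    """Return the action of the first matching rule."""
    rules = RULES + ([FINAL_DROP] if final_drop_enabled else [])
    for action, match in rules:
        if matches(match, pkt):
            return action
    return "accept"  # assumption: a packet matching no rule in the chain is accepted

# Constructed sample packets addressed to the router itself.
PACKETS = {
    "icmp echo request":  {"proto": "icmp", "icmp": (8, 0), "state": "new"},
    "icmp frag needed":   {"proto": "icmp", "icmp": (3, 4), "state": "related"},
    "icmp timestamp req": {"proto": "icmp", "icmp": (13, 0), "state": "new"},
    "tcp/23 telnet":      {"proto": "tcp", "dport": 23, "state": "new"},
    "udp/137 netbios":    {"proto": "udp", "dport": 137, "state": "new"},
    "udp/53 to router":   {"proto": "udp", "dport": 53, "state": "new"},
}

def compare():
    """Map packet name -> (verdict with final drop disabled, verdict with it enabled)."""
    return {n: (verdict(p, False), verdict(p, True)) for n, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (off, on) in compare().items():
        print(f"{name:20} disabled={off:7} enabled={on}")
```

In this model only the ICMP timestamp request and the Telnet attempt change verdict when the final drop is enabled; UDP to any port other than 137-139 is accepted either way because of the "allow UDP protocol" rule.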
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Sun Mar 05, 2006 7:42 pm

 
sten
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Re: Protect router against attack

Mon Mar 06, 2006 12:55 pm

Hi, recently my mikrotik router has many undesired packets passing through. I have found that most of them are ICMP packets (between 2kbps - 12 kbps), so I decided to block the destination IP. Is there any way to protect our router from this kind of "attack"? Or maybe someone would like to share their experience in handling "attack" from outside so all of us could discuss this further.

Regards,
Lim
It's usually not an attack, but if you analyze them you'll discover problems in your network that you didn't even know about.
Move along. Nothing to see here.
