Community discussions

MikroTik App
 
StNick
just joined
Topic Author
Posts: 17
Joined: Wed Oct 02, 2013 10:14 am

DDoS attack?

Mon Oct 07, 2013 12:38 pm

Hi there,

I have a RB951G-2HnD at home which dials my 10mbps ADSL via PPPoE.

Over the last month or so, I have experienced what I can only assume is some "attack" of sorts, and I am not smart enough to understand how or why it is happening. It has happened about six times now. Basically what happens first is that I notice that my Internet connection is performing very poorly. When I look at my ADSL interface, the outgoing throughput is in the region of 3mbps, which incidentally is impossible on my ADSL line (maximum 1mbps upstream).

When I run Torch on the interface, I see that the traffic is coming from a Russian IP address (no port is shown, even when I tick "Port" in Torch). To fix this, what I've been doing is going to Firewall -> Filter Rules and creating a new rule that drops all traffic to that IP address on the output chain. This immediately fixes my performance, and I can see the rule catching hundreds of megabytes of data until the "attacker" eventually gives up.

Any ideas on what this could be, and/or how I could better-protect myself from future "attacks"? Any advice would be greatly appreciated.
 
CelticComms
Forum Guru
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: DDoS attack?

Mon Oct 07, 2013 1:53 pm

It sounds as if your firewall settings are inadequate which is allowing somebody access in the first place. Can you upload your firewall settings?
 
StNick
just joined
Topic Author
Posts: 17
Joined: Wed Oct 02, 2013 10:14 am

Re: DDoS attack?

Mon Oct 07, 2013 4:52 pm

Sure, what is the best way for me to export them and paste here?

I just took a look and noticed that all of my "Service Ports" (the default ones) were enabled, even though I have no need for any. I have disabled them now. Is that likely to be a hole that I've just plugged?
 
StNick
just joined
Topic Author
Posts: 17
Joined: Wed Oct 02, 2013 10:14 am

Re: DDoS attack?

Mon Oct 07, 2013 8:40 pm

Well, it obviously had nothing to do with the service ports considering it just happened again this evening.

Here's a screenshot of the Torch results. Any ideas?

https://dl.dropboxusercontent.com/u/666 ... ssians.jpg
 
User avatar
soulflyhigh
Member Candidate
Member Candidate
Posts: 179
Joined: Wed Sep 08, 2010 11:20 am

Re: DDoS attack?

Mon Oct 07, 2013 9:08 pm

/ip dns set allow-remote-requests=no
 
AlArenal
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Aug 01, 2013 5:24 pm
Location: Iserlohn, Germany

Re: DDoS attack?

Mon Oct 07, 2013 9:09 pm

Is your routerboard's dns publicly available (port 53 tcp and udp)?

You usually don't need the rb's dns cache. You can disable it if you use your ISPs dns server in your client's network configuration ro you can make it unavailable from wan side with an appropriate firewall rule.
 
AlArenal
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Aug 01, 2013 5:24 pm
Location: Iserlohn, Germany

Re: DDoS attack?

Mon Oct 07, 2013 9:11 pm

/ip dns set allow-remote-requests=no
Yep, that's the third option but I remember having seen that this setting leads to unavailable dns cache even from the internal network. But maybe that was a bug, misconfiguration or my memory fools me (probably the latter)...
 
StNick
just joined
Topic Author
Posts: 17
Joined: Wed Oct 02, 2013 10:14 am

Re: DDoS attack?

Mon Oct 07, 2013 10:00 pm

Thanks guys. I use Google's DNS servers, but it *was* set to allow remote requests.

I have now disabled that setting, so lets see how it goes from here... Fingers crossed.

Edit: Okay, when I disable that setting, I can't resolve anything from any of the devices on my network. (Sorry guys, I really am a n00b at this)
 
User avatar
webpagetech
newbie
Posts: 42
Joined: Fri Mar 01, 2013 8:42 pm
Location: TX, United States
Contact:

Re: DDoS attack?

Mon Oct 07, 2013 10:10 pm

I would also set up a connection state firewall to protect you LAN if you have not already.

something along the lines of.
/ip firewall address-list
add address=172.16.0.0/24 list=list-inside-lan

/ip firewall filter
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new src-address-list=list-inside-lan
add action=drop chain=forward
Make sure to change the 172.16.0.0/24 subnet above to what ever your LAN Network is.
 
StNick
just joined
Topic Author
Posts: 17
Joined: Wed Oct 02, 2013 10:14 am

Re: DDoS attack?

Mon Oct 07, 2013 11:48 pm

I would also set up a connection state firewall to protect you LAN if you have not already.

something along the lines of.
/ip firewall address-list
add address=172.16.0.0/24 list=list-inside-lan

/ip firewall filter
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new src-address-list=list-inside-lan
add action=drop chain=forward
Thanks, I'll give this a bash too. Can you tell me what it does?
Make sure to change the 172.16.0.0/24 subnet above to what ever your LAN Network is.
 
User avatar
webpagetech
newbie
Posts: 42
Joined: Fri Mar 01, 2013 8:42 pm
Location: TX, United States
Contact:

Re: DDoS attack?

Tue Oct 08, 2013 12:04 am

Thanks, I'll give this a bash too. Can you tell me what it does?
Ya it says...

Accept forward traffic that is established (connection has already been new and created from you LAN and is still the same as when it was created)

Accept forward traffic that is related (connection has already been created and is very similar to an established connection (ie. usually this is when one of the ports change but same IP's as an established connection or a data stream like gre(vpn) was created from an established connection))

Accept forward traffic that is new and from your LAN.

Drop all other forward traffic.

...

In other words only accept traffic that comes from the computers on your LAN. Drop all other traffic.
 
kmok1
newbie
Posts: 43
Joined: Wed Nov 28, 2012 6:49 pm
Location: Windsor ON Canada
Contact:

Re: DDoS attack?

Tue Oct 08, 2013 1:06 am

I discovered the same issue two weeks ago. I followed through on some IP addresses, most were not running a name service. Therefore I felt that those were DNS amplification attacks.

I implemented this code into my routers.
/ip firewall filter
add action=drop chain=input comment="Detect & drop DNS amplification attack." \
    disabled=no dst-port=53 in-interface=aDSL protocol=udp \
    src-address-list=BL-dns
add action=add-src-to-address-list address-list=BL-dns address-list-timeout=12h \
    chain=input connection-limit=30,32 disabled=no dst-port=53 in-interface=\
    aDSL protocol=udp
You will need to change the in-interface to fit your settings. The first line drops any packets that is in the BL-dns blacklist. The second line limits each IP address with UDP and port 53 to maximum 30 connections. If there are over 30 connections, that source IP address is added to BL-dns for 12 hours.
 
StNick
just joined
Topic Author
Posts: 17
Joined: Wed Oct 02, 2013 10:14 am

Re: DDoS attack?

Tue Oct 08, 2013 10:16 am

Thanks so much for the replies everyone, this has been a good learning experience for me.

I've made the changes that webpagetech suggested. As a matter of fact, the rules were there already from the default configuration and I only had to make a couple of changes.

However, I am not sure if this "connection state firewall" is sufficient to prevent the same thing happening again though. Do I still need to explicitly block port 53 to the outside world, as AlArenal suggests?
 
AlArenal
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Aug 01, 2013 5:24 pm
Location: Iserlohn, Germany

Re: DDoS attack?

Tue Oct 08, 2013 10:46 am

If your device has no DNS service running and therefore there is nothing answering on port 53, you don't need such a rule.

And it's FROM the outside, not TO. Of course you need to be able to make DNS request to the outside, otherwise you won't be able to resolve domain names to IP addresses.
 
StNick
just joined
Topic Author
Posts: 17
Joined: Wed Oct 02, 2013 10:14 am

Re: DDoS attack?

Tue Oct 08, 2013 2:07 pm

I discovered the same issue two weeks ago. I followed through on some IP addresses, most were not running a name service. Therefore I felt that those were DNS amplification attacks.

I implemented this code into my routers.
/ip firewall filter
add action=drop chain=input comment="Detect & drop DNS amplification attack." \
    disabled=no dst-port=53 in-interface=aDSL protocol=udp \
    src-address-list=BL-dns
add action=add-src-to-address-list address-list=BL-dns address-list-timeout=12h \
    chain=input connection-limit=30,32 disabled=no dst-port=53 in-interface=\
    aDSL protocol=udp
You will need to change the in-interface to fit your settings. The first line drops any packets that is in the BL-dns blacklist. The second line limits each IP address with UDP and port 53 to maximum 30 connections. If there are over 30 connections, that source IP address is added to BL-dns for 12 hours.

I almost completely missed your post. Thank you so much for this rule. I have added it, so now I wait and see. :)
 
StNick
just joined
Topic Author
Posts: 17
Joined: Wed Oct 02, 2013 10:14 am

Re: DDoS attack?

Wed Oct 09, 2013 12:03 am

Well, kmok1's solution appears to be working perfectly. I added another similar rule using netmask 24 though, as I was being hit hard by 199.223.126.xxx and since no individual IP was using more than 30 connections, it wasn't being picked up.

I wish I knew why this was happening. I've never had to do anything like this in the 5 years that I've owned a Mikrotik before.

Update: I am starting to understand now... What I have failed to realise until now is that I've basically been running my Mikrotik as an open DNS server, when all I really wanted to do was allow devices on my internal network to use it for that purpose. Therefore, really all I need to do is block all remote requests on my WAN interface.
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ADSL protocol=udp
add action=drop chain=input dst-port=53 in-interface=ADSL protocol=tcp
 
kmok1
newbie
Posts: 43
Joined: Wed Nov 28, 2012 6:49 pm
Location: Windsor ON Canada
Contact:

Re: DDoS attack?

Wed Oct 09, 2013 6:46 pm

Hey StNick,

For end users, your rules work perfectly. I run an ISP with various DNS servers in the network, so I have to implement in a way that my DNS servers are able to talk to the outside.

FYI, I heard about this DNS amplification (DDOS) attack only a few months ago. Now this is happening to everybody and in my opinion, it is getting out of hand. My drop rule in my edge router is dropping avg 1000 packets per second for the past two weeks.
Well, kmok1's solution appears to be working perfectly. I added another similar rule using netmask 24 though, as I was being hit hard by 199.223.126.xxx and since no individual IP was using more than 30 connections, it wasn't being picked up.

I wish I knew why this was happening. I've never had to do anything like this in the 5 years that I've owned a Mikrotik before.

Update: I am starting to understand now... What I have failed to realise until now is that I've basically been running my Mikrotik as an open DNS server, when all I really wanted to do was allow devices on my internal network to use it for that purpose. Therefore, really all I need to do is block all remote requests on my WAN interface.
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ADSL protocol=udp
add action=drop chain=input dst-port=53 in-interface=ADSL protocol=tcp

Who is online

Users browsing this forum: Google [Bot] and 42 guests