maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Security announcement blog

Fri Oct 12, 2018 11:27 am

As Normis already wrote, these are not really bugs but you are merely exhausting the capacity of the router, either for IPv6 ND or for IPv6 connection tracking.
Happens with IPv6 set to NOTRACK. It's not tracking causing this.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Fri Oct 12, 2018 12:19 pm

As Normis already wrote, these are not really bugs but you are merely exhausting the capacity of the router, either for IPv6 ND or for IPv6 connection tracking.
Happens with IPv6 set to NOTRACK. It's not tracking causing this.
So it is ND (also indicated by the name of the tool).
You will not be affected when you block the incoming traffic on your internet interface so it is not routed towards the interface where ND is happening.
ND is like ARP. It is used to find the hardware address corresponding to the IPv6 address. Transit routers do not use it. (but they could use tracking)
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Security announcement blog

Fri Oct 12, 2018 12:55 pm

So it is ND (also indicated by the name of the tool).
No, you're doing exactly the same thing MikroTik support did — that is, not reading the addresses that are being targeted. Despite using a tool for ND crashing, it is not ND which is causing the problem — it's just an easy to find tool which will send ICMPv6 packets to lots of different destination addresses.

MikroTik Support eventually read my emails properly, after a week of back-and-forth, and acknowledged this problem:
I can confirm the problem, in one case forwarding of ipv6 traffic eats all the memory. There is also another case when kernel is crashing, but also can be related to low memory.
We will look into this problem.
Last edited by maznu on Fri Oct 12, 2018 2:37 pm, edited 1 time in total.
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Security announcement blog

Fri Oct 12, 2018 1:23 pm

ND is like ARP. It is used to find the hardware address corresponding to the IPv6 address. Transit routers do not use it. (but they could use tracking)
To refer you back to my post, and why ND is not to blame (despite using an "ND exhaustion tool"):
RaspberryPi ---- hAP ac2 ---- hEX

If I run this on the Raspberry Pi:

XXXREDACTEDXXX 2a01:9e02:0:666::/64

Then the hAPac2 crashes.
The question I had for MikroTik was: why is the hAP ac2 crashing? The target subnet is connected to the hEX. The hEX is doing ND, the hAP ac2 is not doing ND. Yes, the hEX crashes (it should not — the IPv6 neighbor table should not grow without bound!). But the hAP ac2 also crashes, and for a different reason to ND exhaustion. Guess what? CCRs used for transit also crash. That means a customer of an ISP running MikroTik routers as their BGP edge can use the ND exhaustion tool (targeting a subnet "out on the Internet") and crash their own ISP's MikroTiks.
Last edited by maznu on Fri Mar 29, 2019 8:32 am, edited 1 time in total.
 
GregC
just joined
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Security announcement blog

Fri Oct 12, 2018 3:28 pm

While we are on the topic of security and forgive me if this has been addressed before.
Someone hacks the router as it happened in the recent past or perhaps they find another hole in the future. Why is it that if we forget the username and/or password there is no way to see it or export it? This is good, and is very secure and that is the way it should be.
This takes me to the real question of this post. If I have VPN enabled and someone accesses the router and exports the configuration, they can see the /ppp secret information and ipsec-secret.
For example:
/ppp secret
add name=myusername password=mypassword profile=VPN
Is there a reason why this has to be this way? If there is a better way please let me know. Thank you!
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Fri Oct 12, 2018 4:47 pm

Not "someone access the router". When "some user" logs in to the router they cannot see this info. They have to be an administrator to see it.
The reason why this data is stored in plaintext is that it has to be available in plaintext for the protocols it is used for (IPsec, xCHAPx).
So you cannot store a hash value of those values.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security announcement blog

Fri Oct 12, 2018 4:50 pm

I have never seen increasing memory usage due to IPv6 forwarding. But apparently your use case or configuration is different.
 
GregC
just joined
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Security announcement blog

Sat Oct 13, 2018 12:49 am

Not "someone access the router". When "some user" logs in to the router they cannot see this info. They have to be an administrator to see it.
The reason why this data is stored in plaintext is that it has to be available in plaintext for the protocols it is used for (IPsec, xCHAPx).
So you cannot store a hash value of those values.
@pe1chl thank you for your response.
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Security announcement blog

Sat Oct 13, 2018 10:27 am

I have never seen increasing memory usage due to IPv6 forwarding. But apparently your use case or configuration is different.
This is an out-of-the-box configuration, plus IPv6, NOTRACK, and some static routes.

MikroTik confirmed to me back in March that they have reproduced this issue. I'm just hoping that they treat it as what it is — a remote, unauthenticated denial-of-service — and fix it soon.
 
usx
newbie
Posts: 26
Joined: Sun Oct 27, 2013 7:30 pm

Re: Security announcement blog

Tue Nov 20, 2018 12:48 am

Fri Sep 14, 2018 9:45 am
Email list
Now we're talking. I was subscribed to it until it stopped sending me emails, without me unsubscribing. Where can I find that list? That solves the complete issue. I just thought they've dropped the list.

Is it this one? https://mikrotik.com/client/ecom_notify.php
I got that link from my last email from 2015, but removed the unregn query string parameter.

I can't find any "official" link to the URL I mentioned above. It appears to be part of the "Account" section, but I have no account on the mikrotik.com website (only on the forum).

Oh jesus christ. It's in big red at the bottom of the page... I'm a genius... as in stable genius...

Sooo, a long time later... I haven't received any notification of Release 6.43.3 and Release 6.43.4.

Does that mailing list even work???
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Security announcement blog

Tue Nov 20, 2018 2:29 am

Interesting.. I found myself unsubscribed from everything, including security info
 
raudpolt
just joined
Posts: 2
Joined: Thu Oct 18, 2018 11:11 am

Re: Security announcement blog

Wed Nov 21, 2018 9:32 am

My usual routine is to check log files every morning and today I got some intrusion attempts. Winbox is not at the default port and is protected but still.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security announcement blog

Wed Nov 21, 2018 11:03 pm

This tells me that you should close it 100% from outside and use VPN.
Last edited by Jotne on Thu Nov 22, 2018 2:14 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Security announcement blog

Thu Nov 22, 2018 8:33 am

This tells me that you should close it 100% and use VPN.
Complete closure does not prevent attackers from trying though ...
 
raudpolt
just joined
Posts: 2
Joined: Thu Oct 18, 2018 11:11 am

Re: Security announcement blog

Thu Nov 22, 2018 7:44 pm

This tells me that you should close it 100% from outside and use VPN.
Actually it is closed by the book, every possible measure taken. Cannot be 100% sure of course. This IP is known to be circulating in honeypots and it's in every possible scam database, however this bot specifically works as a winbox scanner. By the way, the default port is changed also. Something to think about for those who think they secured their winbox.
 
GregC
just joined
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Security announcement blog

Fri Nov 23, 2018 1:40 am

I have a CCR1036-12G-4S router that I finally got to the location to update from version 6.40.3. I’ll guess that I’ve been lucky that it may have not been hacked with the exception of these lines:

/ip firewall layer7-protocol
add name=WB regexp="/\\.\\./\\.\\.\?/"

/ip firewall filter
add action=tarpit chain=input comment=WB protocol=tcp src-address-list=BANIP

/ip firewall mangle
add action=add-src-to-address-list address-list=BANIP address-list-timeout=none-dynamic chain=input comment=WB dst-port=8291 layer7-protocol=WB protocol=tcp

/system package update
set channel=development

Should I worry about this? Was it a good Samaritan from Mikrotik that did this? Or am I wrong about this? As I search this forum all I find is lines with the comment=WB. I vaguely remember reading that someone was doing this, but can’t recall the details – thanks.
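As an added illustration (not code from the thread or from MikroTik), here is a small Python model of what the three rules quoted above do: it decodes the exported layer7 regexp and pushes constructed sample packets through a simplified mangle-then-filter model, so you can see which payloads land a source in BANIP and get it tarpitted. The mangle-before-filter ordering and the sample addresses are assumptions of this example.

```python
import re

# Constructed input: the layer7 regexp value exactly as it appears in the
# export quoted above (RouterOS double-quotes strings and backslash-escapes them).
L7_EXPORT = r'"/\\.\\./\\.\\.\?/"'


def unescape_routeros(value: str) -> str:
    """Undo RouterOS export quoting: drop the surrounding double quotes and
    collapse each backslash escape (\\\\ -> \\, \\? -> ?) to the literal character."""
    return re.sub(r"\\(.)", lambda m: m.group(1), value.strip('"'))


# The pattern the firewall really applies: /\.\./\.\.?/  (a "/../" followed by
# "./" or "../", i.e. a directory-traversal style sequence).
L7_PATTERN = re.compile(unescape_routeros(L7_EXPORT))


class WinboxBanModel:
    """Simplified model (an assumption of this example, not RouterOS internals) of the
    mangle + filter pair: mangle input runs before filter input, so a payload on
    tcp/8291 that matches the layer7 pattern puts its source into BANIP, and the
    filter rule then tarpits every TCP input packet from a BANIP source."""

    def __init__(self) -> None:
        self.banip: set[str] = set()

    def handle(self, src: str, dst_port: int, payload: str) -> str:
        # /ip firewall mangle ... chain=input dst-port=8291 layer7-protocol=WB
        if dst_port == 8291 and L7_PATTERN.search(payload):
            self.banip.add(src)  # address-list-timeout=none-dynamic: entry never expires
        # /ip firewall filter ... chain=input action=tarpit src-address-list=BANIP
        return "tarpit" if src in self.banip else "pass"


# Constructed sample "packets": (source, destination port, payload text).
SAMPLES = [
    ("198.51.100.7", 8291, "ordinary winbox session data"),  # nothing to match
    ("198.51.100.7", 8291, "request /../../some/path"),      # traversal sequence: source banned
    ("198.51.100.7", 80, "unrelated TCP request"),           # banned source: tarpitted on any port
    ("203.0.113.9", 8291, "request /.././other"),            # optional second dot still matches
    ("192.0.2.4", 8291, "request /.../harmless"),            # no "/" between dot pairs: no match
]


def run_samples() -> list[str]:
    """Feed the samples through the model in order and return the verdicts."""
    model = WinboxBanModel()
    return [model.handle(*pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()):
        print(f"{pkt[0]:>13} :{pkt[1]:<5} {verdict:7} {pkt[2]}")
```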
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security announcement blog

Thu Nov 29, 2018 10:45 pm

Here you see why you should upgrade.
This is our company firewall over the last 24 hours: 65000 hits on port 8291, mostly from Iran (50 different IPs in Iran).
And it's on top of our list of ports tried to enter.
Attachment: 8291Winbox.jpg
 
Morphlingg
just joined
Posts: 3
Joined: Tue Jul 16, 2019 6:28 pm
Location: Washington

Re: Security announcement blog

Tue Jul 16, 2019 6:38 pm

Site is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.
can you see if this works now?
Yes it is
