danriis
just joined
Topic Author
Posts: 21
Joined: Wed May 29, 2019 1:52 am

Help! Simple question? Blocking internal rogue IP?

Tue Mar 05, 2024 1:03 pm

Hi all,
I manage a small network for a non-profit and this evening they lost connectivity.
Upon further inspection both the primary DNS (their ISP) and the secondary DNS (8.8.8.8) are showing up on the DDOS blocked list based on my firewall rules in the Mikrotik router. I've never seen the DNS IPs show up there before and it's been years.
Looking at 'connections' in the firewall I see that a rogue IP 192.168.100.10 is doing a lot of talking (or something) with both DNS servers. I say it's rogue because my network is all 10.0.0.x.
Not sure how to find the rogue device so I figured it would be easy to block it from the network entirely, especially since it's not actually a part of our IP range or subnet. But, upon trying various things based on Googling (mostly firewall rules to drop the traffic) I'm not able to stop this from happening so they are still completely down :(
What can I do? Any help would be much appreciated as they are obviously not very happy.
Btw, the network is super simple: just router to central switch and then out to users, nothing fancy at all, and nothing has been changed for a long time.
Help!!! :)
Thanks in advance,
Dan
 
danriis
just joined
Topic Author
Posts: 21
Joined: Wed May 29, 2019 1:52 am

Re: Help! Simple question? Blocking internal rogue IP?

Wed Mar 06, 2024 2:17 am

Hi Jay5son,
I tried to do exactly that but despite Googling and YouTubing my rule doesn't seem to block it :(
 
RhoAius
newbie
Posts: 31
Joined: Fri Jul 12, 2019 10:47 pm

Re: Help! Simple question? Blocking internal rogue IP?

Wed Mar 06, 2024 1:12 pm

/ip firewall raw
chain=prerouting action=drop src-address=192.168.100.10
Make sure it is the first rule in the list (order matters).
Still, the issue remains that your DDOS rule is most likely set up incorrectly.
If someone abuses an IP you block the src address, not the destination.
Why would the DNS servers be flagged? Highly unlikely that Google is spamming connections to you.
 
danriis
just joined
Topic Author
Posts: 21
Joined: Wed May 29, 2019 1:52 am

Re: Help! Simple question? Blocking internal rogue IP?

Fri Mar 08, 2024 10:30 pm

Thank you Rho,
I made the rule, I assume I can use 192.168.0.0 to block that whole network, yes?
You're probably right about the DDOS rules, I didn't create them and don't have much firewall experience at all. That said, it's a brand new thing that 8.8.8.8 shows up on the blocked list so something must have changed?
Ultimately I think I need help to ensure the Mikrotik Firewall is appropriately configured but their (non profit) budget is so tight I can't really spend hundreds on consulting. (but maybe $100, any takers? :))))
Really appreciate the help.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help! Simple question? Blocking internal rogue IP?

Sat Mar 09, 2024 11:15 am

I made the rule, I assume I can use 192.168.0.0 to block that whole network, yes?
If you want to block the whole subnet, then you have to add the subnet mask to the address setting, like this: 192.168.0.0/16. By default, a /32 subnet mask is used, which means a single (host) address, and no "subnet address determination heuristic" is applied.
 
jaclaz
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: Help! Simple question? Blocking internal rogue IP?

Sat Mar 09, 2024 11:46 am

You can export your current configuration, edit/replace possible sensitive data and post it here.
Some experienced members in firewall rules may then be able to give you some advice.
Use this post as a guide on how to create the export and post it:
viewtopic.php?t=203686#p1051720
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Help! Simple question? Blocking internal rogue IP?

Sat Mar 09, 2024 8:37 pm

Remove your "DDoS" rules, they are likely the cause of the problem. Make sure you have blackhole / unreachable routes for private subnets and aren't allowing traffic from the internet to the router.
 
danriis
just joined
Topic Author
Posts: 21
Joined: Wed May 29, 2019 1:52 am

Re: Help! Simple question? Blocking internal rogue IP?

Thu Mar 28, 2024 8:18 am

Thanks all, here's my entire config including the few lines pertaining to the DDOS stuff.
Would super appreciate anyone knowledgeable who's willing to take a look.
# mar/14/2024 01:04:14 by RouterOS 6.47.9
# software id =
#
# model = RB1100x4
# serial number =
/interface bridge
add fast-forward=no name=bridge1 priority=0x2000
/interface ethernet
set [ find default-name=ether1 ] name="ether1_Spectrum WAN" speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] name=ether3_SolplexSE speed=100Mbps
set [ find default-name=ether4 ] name=ether4_PossiblyBadPort speed=100Mbps
set [ find default-name=ether5 ] name=ether5_SolPlexNW speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] name=ether7_Community speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] name=ether10_Lukas speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.175
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1d name=\
dhcp1
/queue type
add kind=pcq name=pcq-download-fastest pcq-classifier=dst-address pcq-rate=\
100M pcq-total-limit=5000KiB
set 6 pcq-rate=10M pcq-total-limit=5000KiB
set 7 pcq-rate=35M pcq-total-limit=5000KiB
/queue simple
add dst="ether1_Spectrum WAN" max-limit=24M/500M name=EveryoneElse queue=\
pcq-upload-default/pcq-download-default target=bridge1
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=UnifiController parent=\
EveryoneElse target=10.0.0.250/32
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=AttilaDesktop parent=\
EveryoneElse target=10.0.0.251/32
add dst="ether1_Spectrum WAN" max-limit=15M/200M name=Lukas parent=\
EveryoneElse target=10.0.0.252/32
add disabled=yes dst="ether1_Spectrum WAN" max-limit=15M/90M name=\
"Speed boost for this IP" parent=EveryoneElse target=10.0.0.175/32
/system logging action
set 0 memory-lines=2000
set 1 disk-file-count=10
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge filter
add action=drop chain=input disabled=yes in-bridge=bridge1 log=yes \
src-mac-address=5/FF:FF:FF:FF:FF:FF
add action=drop chain=input disabled=yes dst-mac-address=\
/FF:FF:FF:FF:FF:FF log=yes src-mac-address=\
/FF:FF:FF:FF:FF:FF
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3_SolplexSE
add bridge=bridge1 interface=ether4_PossiblyBadPort
add bridge=bridge1 interface=ether5_SolPlexNW
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7_Community
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10_Lukas
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface="ether1_Spectrum WAN" list=WAN
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip dhcp-client
add disabled=no interface="ether1_Spectrum WAN"
/ip dhcp-server alert
add disabled=no interface=bridge1 valid-server=xxxxxxxxxx
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8,x.x.x.x gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=x.x.x.x,8.8.8.8
/ip firewall address-list
add address=192.168.0.0 list="Block user"
/ip firewall filter
add action=drop chain=output disabled=yes src-address=192.168.0.0
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" \
disabled=yes dst-port=53 protocol=tcp src-address=10.0.0.0/24
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" \
dst-port=53 protocol=udp src-address=10.0.0.0/24
add action=drop chain=input comment="DROP SSH from WAN requests" dst-port=22 \
in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP webconfig from WAN requests" \
dst-port=8081 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP Winbox from WAN requests" dst-port=\
8291 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=forward comment="Prevent UDP flooding attack" \
connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=\
53 in-interface="ether1_Spectrum WAN" protocol=udp
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=\
53 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=forward comment=\
"Drop packets from SMTP spammer address list." log=yes src-address-list=\
"SMTP spammer"
add action=drop chain=input comment="DROP INVALID CONNECTIONS" \
connection-state=invalid
add action=drop chain=forward connection-state=invalid log-prefix=invalid
add action=accept chain=forward comment=\
"ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=\
established,related
add action=accept chain=input connection-state=established,related
add action=jump chain=input comment="ALLOW ICMP CONNECTIONS" jump-target=ICMP \
protocol=icmp
add action=jump chain=forward jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list="SMTP spammer" \
address-list-timeout=1h chain=forward comment=\
"SMTP spammer gets added to SMTP spammer address list." connection-limit=\
30,32 dst-port=25 limit=50,5:packet log=yes protocol=tcp
add action=return chain=detect-ddos comment="Prevent UDP flooding attack" \
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=add-src-to-address-list address-list=Blacklist \
address-list-timeout=2w chain=input comment=\
"Begin -> Port Scanners to List" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blacklist \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Blacklist \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Blacklist \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Blacklist \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Blacklist \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Blacklist \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Blacklist \
address-list-timeout=10h chain=input comment=\
"Begin > SSH Attacks to List" connection-state=new dst-port=22 protocol=\
tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,4,dst-address/1m dst-port=21 protocol=tcp
add action=add-dst-to-address-list address-list=Blacklist \
address-list-timeout=3h chain=output comment=\
"Add FTP Brute Force Attack to List" content="530 Login incorrect" \
dst-port=21 protocol=tcp
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=\
WAN
add action=jump chain=forward comment="Prevent UDP flooding attack" \
connection-state=new jump-target=detect-ddos
add action=accept chain=ICMP comment="ICMP Rules - 0:0 and limit for 5pac/s" \
icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=\
3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=\
3:4 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=\
8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" \
icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat
/ip firewall raw
add action=drop chain=prerouting comment=\
"Block all 192.168.x.x. on the network, hopefully :)" src-address=\
192.168.0.0/16
add action=drop chain=prerouting comment="drop blacklist" src-address-list=\
Blacklist
add action=drop chain=prerouting dst-port=8080 in-interface-list=WAN \
protocol=tcp
add action=drop chain=prerouting comment="drop DNS attempts from WAN" \
dst-port=53 in-interface-list=WAN protocol=udp
add action=jump chain=prerouting comment="detect broadcasts" \
dst-address-type=broadcast in-interface=bridge1 jump-target=broadcast
add action=accept chain=broadcast comment="allow dhcp" dst-address-type="" \
dst-port=67 in-interface=bridge1 protocol=udp
add action=drop chain=broadcast comment="drop netbios" dst-address-type="" \
dst-port=137,138 in-interface=bridge1 protocol=udp
add action=drop chain=broadcast comment="drop dropbox sync" dst-address-type=\
"" dst-port=17500 in-interface=bridge1 protocol=udp
add action=drop chain=broadcast comment="drop broadcasts" dst-address-type=\
broadcast in-interface=bridge1
/ip route
add disabled=yes distance=1 gateway=x.x.x.x
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24 port=8081
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=xxx
/system identity
set name=xxx
/system logging
set 0 action=disk topics=info,!dhcp
set 1 action=disk
set 2 action=disk
set 3 action=disk
/system package update
set channel=long-term
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool netwatch
add down-script=":log info \"Internet Down\"" host=x.x.x.x interval=5s \
up-script=":log info \"Internet Up\""
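The two problems raised in this thread (a bare address in an address list is a single /32 host, and the detect-ddos chain adds the destination of a flood to a block list, so a chatty LAN host gets the public resolver banned for everyone) can be checked mechanically. The following is an added example written for this thread, not code from the original post or from MikroTik: it parses a constructed excerpt in the same export format and reports both findings.

```python
import re

# Constructed excerpt in the style of the export posted above (not the full
# config); RouterOS exports continue long lines with a trailing backslash.
EXPORT = r"""
/ip firewall address-list
add address=192.168.0.0 list="Block user"
/ip firewall filter
add action=drop chain=forward comment="Prevent UDP flooding attack" \
    connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    10m chain=detect-ddos comment="Prevent UDP flooding attack"
/ip firewall raw
add action=drop chain=prerouting src-address=192.168.0.0/16
"""

def parse_export(text):
    """Join continued lines; return (section, {key: value}) per 'add' rule."""
    rules, section = [], None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line[4:])
            rules.append((section, {k: v.strip('"') for k, v in kv}))
    return rules

def audit(rules):
    """Flag the two mistakes discussed in this thread."""
    findings = []
    for section, r in rules:
        for key in ("address", "src-address"):
            v = r.get(key, "")
            # No prefix length means /32 (one host): 192.168.0.0 alone does not
            # cover 192.168.100.10. Heuristic: a bare address ending in .0 is
            # almost certainly meant as a network.
            if re.fullmatch(r"\d+\.\d+\.\d+\.0", v):
                findings.append(f"{section}: {key}={v} is a /32 host, not a subnet")
        # Adding the *destination* of a flood to a block list punishes whoever
        # is being talked to; a chatty LAN host gets the public resolver banned.
        if r.get("action") == "add-dst-to-address-list":
            findings.append(f"{section}: chain {r['chain']} blacklists "
                            f"destinations into {r['address-list']}")
    return findings
```

Run `audit(parse_export(open("export.rsc").read()))` against a real export to see the same checks applied to the full rule set.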
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Help! Simple question? Blocking internal rogue IP?

Thu Mar 28, 2024 8:36 am

It would be much better to find out where this rogue device has plugged in. You have a serious vulnerability right now. Lucky they only do DNS requests now.
 
danriis
just joined
Topic Author
Posts: 21
Joined: Wed May 29, 2019 1:52 am

Re: Help! Simple question? Blocking internal rogue IP?

Fri Mar 29, 2024 12:04 pm

Thank you, sorry I don't fully understand, do you mean like a virus/malware infected client on the network?
And maybe also a bad firewall configuration?
Thanks,
Dan