 
Tomek11
just joined
Topic Author
Posts: 1
Joined: Fri Sep 16, 2022 8:52 am

Possible attack

Fri Sep 16, 2022 9:24 am

Hello!

Every day I have a killing ike in the log on my router from the 169.228.69.212 IP address and a research-scan@sysnet.ucsd.edu domain.
Basically it's a school in San Diego.

Has anyone encountered this problem?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Possible attack

Fri Sep 16, 2022 12:07 pm

What is the reported problem?
 
gonzo2022
just joined
Posts: 2
Joined: Sun Oct 02, 2022 7:57 pm

Re: Possible attack

Sun Oct 02, 2022 8:05 pm

Hello,

I have the same problem from IP 169.228.66.212. Firewall error: identity not found for peer: RFC822: research-scan@sysnet.ucsd.edu.
It tries to connect on port 500. The problem is that I cannot block this IP in the firewall :(
 
depth0cert
just joined
Posts: 21
Joined: Thu Sep 08, 2022 11:03 pm

Re: Possible attack

Sat Oct 08, 2022 2:29 pm

Has anyone encountered this problem?
05:16:09 ipsec,error identity not found for peer: RFC822: research-scan@sysnet.ucsd.edu
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Possible attack

Sat Oct 08, 2022 2:32 pm

If you cannot block that port then block offending IP in Filter RAW without any logging.
 
gonzo2022
just joined
Posts: 2
Joined: Sun Oct 02, 2022 7:57 pm

Re: Possible attack

Tue Oct 18, 2022 11:48 am

If you cannot block that port then block offending IP in Filter RAW without any logging.

Blocking through the filter raw works ok.
Thank you for the advice.
 
BrateloSlava
Member Candidate
Posts: 167
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: Possible attack

Sat Nov 12, 2022 9:58 pm

 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Possible attack

Sun Nov 13, 2022 2:38 am

Why not add that domain or IP to an address list and dump it at the top of the firewall?
 
mkx
Forum Guru
Posts: 11382
Joined: Thu Mar 03, 2016 10:23 pm

Re: Possible attack

Sun Nov 13, 2022 10:31 am

Performance-wise it should either be done in raw (to skip connection tracking machinery for those packets) or right after "accept established,related" rule(s) to skip evaluation of that rule for each and every packet passing firewall.
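
Added example, not written by any poster in this thread: one way to set up the address list and raw-table drop suggested in the replies above, as RouterOS commands. The list name `ike-scanners` and the comment strings are assumptions; the two addresses are the ones reported in the posts.

```routeros
# Address list holding the scanner sources reported in this thread.
# The list name "ike-scanners" is an assumption; use any name you like.
/ip firewall address-list
add list=ike-scanners address=169.228.69.212 comment="IKE research scan source"
add list=ike-scanners address=169.228.66.212 comment="IKE research scan source"

# Drop in the raw table: prerouting runs before connection tracking,
# so these packets never reach the IPsec service and no
# "identity not found for peer" entry is written to the log.
# Logging is off by default (log=no), matching the "without any logging" advice.
/ip firewall raw
add chain=prerouting action=drop src-address-list=ike-scanners \
    comment="drop IKE scanners before conntrack"

# Check that the rule is matching: the packet counter should rise
# each time the scanner returns.
/ip firewall raw print stats
```

Further sources can be added to the same address list later without touching the raw rule.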
