Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

How to monitor for attacks

Wed Jan 25, 2023 1:53 pm

I've been wondering about monitoring for incoming attacks (DDoS, port scanning, etc.).

Does RouterOS have capabilities to alert an admin when under attack?

Thanks!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to monitor for attacks

Wed Jan 25, 2023 2:11 pm

How many attacks have you had in your lifetime?
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: How to monitor for attacks

Wed Jan 25, 2023 2:17 pm

How would he know if he doesn't know how to monitor it? :lol:

Chicken and egg ...
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: How to monitor for attacks

Wed Jan 25, 2023 2:22 pm

I see various firewall-based solutions that drop packets from sources that have more than 32 TCP connection states of type "new".

I don't see a way to block UDP attacks.

I don't believe I am or have been under attack.

I'm just curious if monitoring for attacks is something you professionals recommend.
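
A sketch of the monitoring side of the rule described in the post above, as an added example that is not part of the original thread: it scans firewall log lines for sources that open more than 32 new connections inside a short window, counting TCP and UDP alike. It assumes a firewall rule with `log=yes` on `connection-state=new` traffic whose output is forwarded to a host that can run Python; the line shape, the 10-second window and the sample addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque

THRESHOLD = 32      # the "more than 32 new connections" limit from the post above
WINDOW_S = 10       # assumed sliding window in seconds

# Assumed line shape, modelled on RouterOS firewall log output (log=yes).
LINE_RE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) .*connection-state:new.*"
    r"proto (?P<proto>TCP|UDP)[^,]*, (?P<src>\d+(?:\.\d+){3}):\d+->"
)

def flag_sources(lines, threshold=THRESHOLD, window=WINDOW_S):
    """Return {(src, proto): peak} for sources that exceeded `threshold`
    new-connection log entries inside any `window`-second span."""
    recent = defaultdict(deque)   # (src, proto) -> timestamps inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue              # not a new-connection firewall entry
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        key = (m["src"], m["proto"])
        q = recent[key]
        q.append(t)
        while t - q[0] >= window:  # expire entries older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

def sample_log():
    """Constructed sample: one TCP burst, one UDP burst, one quiet client."""
    fmt = ("13:50:{sec:02d} firewall,info new-in input: in:ether1 out:(unknown 0), "
           "connection-state:new, proto {proto}{flags}, {src}:{port}->192.0.2.1:{dport}, len 60")
    lines = [fmt.format(sec=i // 8, proto="TCP", flags=" (SYN)", src="203.0.113.7",
                        port=40000 + i, dport=8291) for i in range(40)]
    lines += [fmt.format(sec=i // 10, proto="UDP", flags="", src="198.51.100.23",
                         port=50000 + i, dport=53) for i in range(50)]
    lines += [fmt.format(sec=i * 15, proto="TCP", flags=" (SYN)", src="203.0.113.9",
                         port=41000 + i, dport=22) for i in range(3)]
    return lines

if __name__ == "__main__":
    for (src, proto), peak in flag_sources(sample_log()).items():
        print(f"ALERT {src} {proto}: {peak} new connections within {WINDOW_S}s")
```

Counting log entries per window approximates the router's own connection tracking; it does not replace it, and timestamps are assumed to stay within one day.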
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: How to monitor for attacks

Wed Jan 25, 2023 2:29 pm

You might want to have a look at these YouTube videos:

Bruteforce protection - MikroTik firewall rules:
https://youtu.be/UXGVQmFUfL4

Port knocking with MikroTik:
https://youtu.be/ZaWTuqIdhLM
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to monitor for attacks

Wed Jan 25, 2023 2:58 pm

I am a minimalist. If it has nothing to do with traffic that should flow I tend to shy away from it.
However, there are a few things one can do, not that much...
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: How to monitor for attacks

Wed Jan 25, 2023 3:37 pm

> You might want to have a look at these YouTube videos:
>
> Bruteforce protection - MikroTik firewall rules:
> https://youtu.be/UXGVQmFUfL4
>
> Port knocking with MikroTik:
> https://youtu.be/ZaWTuqIdhLM

I only recently learned about port knocking and it is really cool!

And that is a great video (part of a great video series).

The brute force protection suggested in the other video is cool also.

Thanks!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to monitor for attacks

Wed Jan 25, 2023 3:58 pm

The port knocking is useful in terms of getting a better understanding of how the router config works and what can be done.
I use wireguard for remotely connecting to the router.
 
Josephny
Member
Topic Author
Posts: 452
Joined: Tue Sep 20, 2022 12:11 am

Re: How to monitor for attacks

Wed Jan 25, 2023 4:04 pm

> The port knocking is useful in terms of getting a better understanding of how the router config works and what can be done.
> I use wireguard for remotely connecting to the router.

As do I, thanks in great part to your help.

And WG has been working very well across 4 MT routers and 2 Ubiquiti UDM's.

I did notice, however, that if I keep Winbox open just sitting there every now and then it will disconnect and reconnect. I wonder if the IP connectivity between sites drops for a moment and that's what's causing it, or something else.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: How to monitor for attacks

Wed Jan 25, 2023 4:06 pm

> I did notice, however, that if I keep Winbox open just sitting there every now and then it will disconnect and reconnect. I wonder if the IP connectivity between sites drops for a moment and that's what's causing it, or something else.

Exactly that. Wireguard will recover (and usually Winbox too).
When running something like Azure Virtual Desktop over Wireguard, I also see it happening on unstable connections. AVD is VERY picky towards connection stability.
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: How to monitor for attacks

Wed Jan 25, 2023 4:18 pm

Perhaps you should consider MOAB blocks over 600 million Bad Guys from attacking your Internet » Here's how «
