Community discussions

 
wfuzatto
newbie
Topic Author
Posts: 29
Joined: Wed Dec 28, 2016 3:46 am

Hotspot Attack ( high CPU use )

Sun Sep 03, 2017 2:33 am

Hello everyone,

This system is running a hotspot, sometimes an user shows up and the CPU goes to 100%. I've tried to search what's going on and i'm stuck at this.
The only thing I know is the user does not authenticate and start to send/receive this packets.

Any ideas? A script / firewall to block this?

Image
 
R1CH
Forum Veteran
Forum Veteran
Posts: 896
Joined: Sun Oct 01, 2006 11:44 pm

Re: Hotspot Attack ( high CPU use )

Sun Sep 03, 2017 11:17 pm

If 100kbps of traffic causes 100% CPU use you have much bigger problems...

Use Tools / Profile to find out where the CPU is spent.
 
wfuzatto
newbie
Topic Author
Posts: 29
Joined: Wed Dec 28, 2016 3:46 am

Re: Hotspot Attack ( high CPU use )

Wed Sep 06, 2017 2:03 am

Hi R1CH,
Thanks for your reply.

Everytime this happens I block the MAC in Hotspot > IP-Binginds.

So it happened again today and here are some informations:
Image
Image

Sometimes it does not take 100% CPU use, just around 15-25% ( only for this IP tasks ).
I've noticed that it happens with Android phones, and appears that it's trying to reach Google IP's.
 
karwos
Frequent Visitor
Frequent Visitor
Posts: 89
Joined: Thu Apr 02, 2015 7:28 pm
Location: Poland

Re: Hotspot Attack ( high CPU use )

Thu Sep 07, 2017 2:34 am

Hi R1CH,
Thanks for your reply.

Everytime this happens I block the MAC in Hotspot > IP-Binginds.

So it happened again today and here are some informations:
Image
Image

Sometimes it does not take 100% CPU use, just around 15-25% ( only for this IP tasks ).
I've noticed that it happens with Android phones, and appears that it's trying to reach Google IP's.

Add this rules
/ip firewall filter
add action=accept chain=pre-hs-input comment="Limit https unauth " \
connection-state=new disabled=no dst-limit=1,1,src-address/1m40s dst-port=\
64875 protocol=tcp
add action=reject chain=pre-hs-input connection-state=new disabled=no dst-port=\
64875 protocol=tcp reject-with=icmp-admin-prohibited
add action=accept chain=pre-hs-input comment="limit http unauth" \
connection-state=new disabled=no dst-limit=1,1,src-address/1m40s dst-port=\
64874 protocol=tcp
add action=reject chain=pre-hs-input connection-state=new disabled=no dst-port=\
64874 protocol=tcp reject-with=icmp-admin-prohibited


It will cap http/https auth request, and CPU usage will back to normal.
5.x compatible, not sure if 6.x will need some syntax changes.

Position this rules on top of others pre-hs-inpit rules
 
wfuzatto
newbie
Topic Author
Posts: 29
Joined: Wed Dec 28, 2016 3:46 am

Re: Hotspot Attack ( high CPU use )

Thu Sep 07, 2017 5:41 am

Hi karwos,

I've tested on 6.x, it worked as it seems to be.

As soon this problem happen again I'll test this rules and post a reply here.
Thanks!
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: Hotspot Attack ( high CPU use )

Thu Sep 07, 2017 10:08 am

i tested the above rules with hotspot login page.
when i click rapidly (F5) refresh in chrome at login page i can see that mikrotik cpu usage was 20-30%. the above rules didnt filter this.
when i was rapidly pressing a bookmark http link (http://www.imdb.com) at chrome the cpu usage was normal 5-10%. above rules was filtering my attempt.
 
paulct
Member Candidate
Member Candidate
Posts: 295
Joined: Fri Jul 12, 2013 5:38 pm

Re: Hotspot Attack ( high CPU use )

Thu Sep 07, 2017 10:58 am

Why are you running a hotspot on a switch? The switch should have limited firewall rules. All the natting and hotspot functionality should be on a router.
 
karwos
Frequent Visitor
Frequent Visitor
Posts: 89
Joined: Thu Apr 02, 2015 7:28 pm
Location: Poland

Re: Hotspot Attack ( high CPU use )

Thu Sep 07, 2017 12:09 pm

i tested the above rules with hotspot login page.
when i click rapidly (F5) refresh in chrome at login page i can see that mikrotik cpu usage was 20-30%. the above rules didnt filter this.
when i was rapidly pressing a bookmark http link (http://www.imdb.com) at chrome the cpu usage was normal 5-10%. above rules was filtering my attempt.
This rules was written for 5.x and well tested.
I remember there was some diffrence in time counting in 5.x not remember now.
Though, yiu can check rule counters, and see which rule didn't hit the request ( did you moved these rules on top if chain ? (
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: Hotspot Attack ( high CPU use )

Thu Sep 07, 2017 1:23 pm

yes i moved them at top.
the rules are working when you make multiple requests to login to hotspot. eg when you try to open a set of mupltiple bookmarks at once or when you click various bookmarks too fast.
thanx for this rule set.
 
wfuzatto
newbie
Topic Author
Posts: 29
Joined: Wed Dec 28, 2016 3:46 am

Re: Hotspot Attack ( high CPU use )

Fri Sep 08, 2017 9:32 am

Hi paulct,

This is a work-in-progress system to control hotspot use and integration with hotel programs.
So I'm testing in various types of RouterOS based systems, such as CRS's, RB's and CCR's.
This problem showed up ( until now ) on CRS's site.

You can see more here:
user: trial
pass: trial
http://prodatastelecom.com.br/sites/mikrotik/airspot/

Who is online

Users browsing this forum: No registered users and 10 guests