Community discussions

MikroTik App
 
redscience
just joined
Topic Author
Posts: 5
Joined: Tue Feb 23, 2021 10:16 am

too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Tue Feb 23, 2021 11:20 am

I have too many packets in MikroTik that receiving per second with same len and different IP and port, and I checked firewall and configuration and apparently everything is true!
I attached packets log image here,

Please guide me about this problem
Last edited by redscience on Tue Feb 23, 2021 8:40 pm, edited 1 time in total.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Tue Feb 23, 2021 1:36 pm

Someone is trying to use your Mikrotik as a DDoS traffic generator. Why they have chosen your public IP and whether they actually succeed is the question. If your Mikrotik does respond to DNS queries coming in via WAN, it means it can be used as a "smurf amplifier".

The attacker sends a small DNS query known to have a large response, and it forges the IP address and port of the victim as the source address of the request. Your router resolves the request and sends the response "back", which actually means it sends a large packet to the victim's address and port.

These attacks typically only continue if the attacker has found out that the DNS queries from WAN side do get responded, so chances are high that your firewall rules are wrong or missing completely.

Consider posting the export of your configuration, anonymized as per the hint in my automatic signature below.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Tue Feb 23, 2021 1:37 pm

It's about DNS service (UDP port 53) and should be blocked for internet connections. Default firewall blocks it already. It's not clear if these log lines are from a drop rule (which is then fine and you should stop logging it) or they are from accept rule which means you allowed those connections. If you didn't mean it (because you're not running DNS service for e.g. own public domain), then your firewall needs improvements. If you meant it, then stop logging the rule.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Tue Feb 23, 2021 3:04 pm

OP:

Just a word of warning, your public IP is visible on those screenshots, let me know if I am close :-)

EDIT: IP Removed
Last edited by CZFan on Mon Mar 01, 2021 4:39 pm, edited 1 time in total.
 
redscience
just joined
Topic Author
Posts: 5
Joined: Tue Feb 23, 2021 10:16 am

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Tue Feb 23, 2021 8:41 pm

OP:

Just a word of warning, your public IP is visible on those screenshots, let me know if I am close :-)
yes. I cleared Images, please edit your post

thanks in advanced
 
redscience
just joined
Topic Author
Posts: 5
Joined: Tue Feb 23, 2021 10:16 am

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Tue Feb 23, 2021 8:47 pm

now at all, what is the lions of mikrotik suggestions to improve my firewall roles to block this occurrence
Last edited by redscience on Tue Feb 23, 2021 8:52 pm, edited 1 time in total.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Tue Feb 23, 2021 8:49 pm

How can we suggest any "improvement" if you haven't shown the current rules?
 
redscience
just joined
Topic Author
Posts: 5
Joined: Tue Feb 23, 2021 10:16 am

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Tue Feb 23, 2021 8:53 pm

How can we suggest any "improvement" if you haven't shown the current rules?
which one of roles that you mean?

( I will show you in a few min later some of related roles )
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Tue Feb 23, 2021 8:58 pm

/ip firewall export
/ip dns export
 
redscience
just joined
Topic Author
Posts: 5
Joined: Tue Feb 23, 2021 10:16 am

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Wed Feb 24, 2021 9:59 am

/ip dns export
/ip firewall export
uploaded image
https://ibb.co/BVVbQtK


/ip dns export
# feb/24/2021 07:47:59 by RouterOS
# software id = ***
#
#
#

/ip firewall export
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop ICMP Ping" protocol=icmp
add action=drop chain=forward icmp-options=3:3 protocol=icmp
add action=drop chain=input protocol=icmp src-address-list=!Local
add action=accept chain=output comment="Drop Brute Force" content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=Blacklist address-list-timeout=23h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input dst-port=22 protocol=tcp src-address-list=Blacklist
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="Drop Virus Port" dst-port=40016 protocol=udp
add action=drop chain=virus dst-port=135-139 protocol=udp
. DROP SOME OF PORTS
.
.
add action=drop chain=input dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=virus comment="Drop Spammer" dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=virus comment="add to spammer list" connection-limit=30,32 dst-port=25 limit=10,5:packet \
protocol=tcp src-address-list=!smtpOK
add action=drop chain=virus comment="SMTP SPAM stopper!" dst-port=25 protocol=tcp src-address-list=!smtpOK
add action=drop chain=input comment="Drop 53 DoS attack" dst-port=53 protocol=tcp src-address-list=spammer
add action=drop chain=virus comment="Drop 80 DoS attack" dst-port=80 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=2d chain=virus comment="Drop 80 DoS attack" connection-limit=40,32 dst-port=80 limit=20,5:packet \
protocol=tcp src-address-list=!smtpOK
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=add-src-to-address-list address-list=knock address-list-timeout=15s chain=input comment="fw rules start here" dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m chain=input dst-port=7331 protocol=tcp src-address-list=knock
add action=accept chain=input comment="accept established connection packets" connection-state=established
add action=accept chain=input comment="Allow access to router from known network" src-address-list=safe
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input
add action=add-src-to-address-list address-list=knock address-list-timeout=15s chain=input comment="fw rules start here" dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m chain=input dst-port=7331 protocol=tcp src-address-list=knock
add action=accept chain=input comment="accept established connection packets" connection-state=established
add action=accept chain=input comment="Allow access to router from known network" src-address-list=safe
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=services
add action=accept chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=log chain=input log-prefix=Filter:
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=services comment="allow MACwinbox " dst-port=20561 protocol=udp
add action=accept chain=services comment=winbox dst-port=8219 protocol=tcp
add action=accept chain=services comment=Telnet dst-port=23 protocol=tcp
add action=accept chain=services comment="SSH for secure shell" dst-port=22 protocol=tcp
add action=accept chain=services comment="Bandwidth server" dst-port=2000 protocol=tcp
add action=accept chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=udp
add action=accept chain=services comment=uTorrent dst-port=53658 protocol=tcp
add action=accept chain=services dst-port=53658 protocol=udp
add action=accept chain=services comment="allow SNMP" dst-port=161 protocol=tcp
add action=accept chain=services comment="Allow BGP" dst-port=179 protocol=tcp
add action=accept chain=services comment="Allow PPTP" dst-port=1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" protocol=gre
add action=accept chain=services comment=UPnP dst-port=1900 protocol=udp
add action=accept chain=services comment=UPnP dst-port=2828 protocol=tcp
add action=accept chain=services comment="allow DHCP" dst-port=67-68 protocol=udp
add action=accept chain=services comment="DC++ TLS 13336" dst-port=13336 protocol=tcp
add action=accept chain=services comment="DC++ TCP 19030" dst-port=19030 protocol=tcp
add action=accept chain=services comment="DC++ UDP 12620" dst-port=12620 protocol=udp
add action=accept chain=services comment="allow Web Proxy" dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" protocol=ipencap
add action=accept chain=services comment="allow https for Hotspot" dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" protocol=ipsec-esp
add action=accept chain=services comment="allow IPSec" protocol=ipsec-ah
add action=accept chain=services comment="allow RIP" dst-port=520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" protocol=ospf
add action=return chain=services
add action=accept chain=input src-address=10.11.11.0/24
add action=accept chain=forward src-address=10.11.11.0/24
add action=drop chain=input comment="Drop Invalid DNS request" dst-port=53 protocol=udp
add action=drop chain=input comment="Squild Blacklist: SBL Blocklist.de." in-interface=ether1 log=yes log-prefix="BL_sbl blocklist.de" src-address-list="sbl blocklist.de"
add action=drop chain=input comment="Squild Blacklist: SBL DShield." in-interface=ether1 log=yes log-prefix="BL_sbl dshield" src-address-list="sbl dshield"
add action=drop chain=input comment="Squild Blacklist: SBL Spamhaus." in-interface=ether1 log=yes log-prefix="BL_sbl spamhaus" src-address-list="sbl spamhaus"
add action=drop chain=forward comment="Squild Blacklist: SBL Blocklist.de." dst-address-list="sbl blocklist.de" log=yes log-prefix="BL_sbl blocklist.de" out-interface=ether1
add action=drop chain=forward comment="Squild Blacklist: SBL DShield." dst-address-list="sbl dshield" log=yes log-prefix="BL_sbl dshield" out-interface=ether1
add action=drop chain=forward comment="Squild Blacklist: SBL Spamhaus." dst-address-list="sbl spamhaus" log=yes log-prefix="BL_sbl spamhaus" out-interface=ether1
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input comment="IPSEC ACCCEPT" ipsec-policy=in,ipsec src-address=12.12.12.0/24
add action=accept chain=input connection-state=established protocol=tcp src-port=9000-65535
add action=drop chain=input connection-state=invalid,related,untracked protocol=tcp src-port=9000-65535
add action=drop chain=detect-ddos connection-state=invalid,related,untracked
add action=accept chain=input connection-state=established protocol=udp src-port=9000-65535
add action=drop chain=input connection-state=invalid,related,untracked protocol=udp src-port=9000-65535
add action=drop chain=virus dst-port=161 protocol=tcp
add action=drop chain=virus dst-port=4444 protocol=tcp
add action=drop chain=virus dst-port=5672 protocol=tcp
add action=drop chain=virus dst-port=9567 protocol=tcp
add action=drop chain=virus dst-port=9344 protocol=tcp

/ip firewall nat
add action=netmap chain=srcnat log=yes src-address=10.10.10.0/24 to-addresses=IP
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=10.10.10.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.11.11.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=11.11.11.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=12.12.12.0/24

/ip firewall raw
add action=notrack chain=prerouting comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=!1,5:packet protocol=icmp
add action=drop chain=prerouting comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=!1,5:packet protocol=icmp

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

Wed Feb 24, 2021 11:28 am

  • if the IP address to which those DNS requests arrive is that router's own one, you cannot do more to mitigate that traffic - the router itself doesn't respond any UDP DNS queries coming from anywhere else than 10.11.11.0/24. It is unlikely that the source addresses of these requests belong to the actual senders, so there is also no point in notifying the respective ISPs; you'd have to track them to the real source, which means contacting every ISP on the way. Not viable.
  • if the destination IP address in question belongs to some other device, you could block that traffic in chain=forward, but whether it would be a good idea depends on the role of that machine, maybe your customer is running a public DNS on that address.

Other than that, your firewall filter deserves some tidying up:
  • most important, every single forwarded packet has to be checked against more than 10 rules, three of them matching on address-lists. So by placing an action=accept connection-state=established rule as the very first one in chain forward of /ip firewall filter, you would save quite some CPU.
  • the three spam address lists are likely to mostly overlap, so merging them into one during synchronisation with the primary source would save some memory.
  • the chain named virus is not referred to from anywhere
  • the chain named detect-ddos adds any TCP client and server to the respective address lists which are not used anywhere

Who is online

Users browsing this forum: uxertxo and 89 guests