zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Filter rule by connection state "time wait"

Wed Aug 10, 2022 12:01 pm

Hi! I'm troubleshooting one thing and I need to create a rule that adds a specific IP to a list according to the number of TIME_WAIT connections it creates per minute. Please suggest something.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filter rule by connection state "time wait"

Wed Aug 10, 2022 12:59 pm

Sorry if I write something obvious, I don't know your level of knowledge.

TIME_WAIT is not a flag in a packet like SYN, ACK, FIN, ...; it is a protocol state that follows a regular termination of the session, i.e. both the client and the server send their FIN packets. So the firewall cannot match on TIME_WAIT directly; it can only match on FIN from one side (unless you'd implement a complicated state automaton). But my qualified guess is that you don't need precision, as you are just hunting for a misbehaving device (or application) somewhere, so matching on FIN in only one direction is probably sufficient. And I'll go even further - in order that a session could gracefully terminate (FIN>, FIN<), it must begin first. So unless that misbehaving device gradually opens many sessions over a long time, and then gracefully terminates them all within a short time period, it might be equally good to track just the number of sessions initiated, rather than terminated, per minute? I have a good reason to suggest this - matching on FIN rather than SYN requires a suboptimal firewall configuration and may even be incompatible with fasttracking (but I've never tried that so I may be wrong here), whereas matching on SYN requires just a minor modification of the optimal firewall setup where "accept established, related, or untracked" is the only rule most packets ever reach. So depending on the capacity of your device, matching on FIN might severely affect routing performance.

So I'd first try to use something like
/ip firewall filter
add chain=catch-him dst-limit=10/1m,0,src-address action=return
add chain=catch-him action=add-src-to-address-list address-list=misbehaving
add chain=forward protocol=tcp action=jump jump-target=catch-him


The last rule has to be placed right below the "accept established, related, untracked" and "drop invalid" ones in filter chain forward, because at that place, only packets matching connection-state=new (which, in TCP, means SYN,!ACK ones) remain - all other ones have been matched by one of the two rules before. This is true for the default SOHO firewall setup with no IPsec in use.

(The more details you provide in a question, the better the response you can get.)
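The following is an added example (not from sindy's post or from MikroTik) that lays out a complete chain=forward so the placement described above is visible in context: the two rules most packets hit first, then the jump into catch-him, where dst-limit does the per-source counting. The chain and list names come from the post; the LAN interface name "bridge", the address-list timeout and the 10-per-minute threshold are assumptions to adjust for your own network.

```routeros
# Added example: full forward chain around the catch-him construct.
# Assumptions: LAN-side interface is "bridge"; threshold 10 new TCP
# sessions per minute per source; list entries expire after 1 day.
/ip firewall filter
# 1. The rule most packets ever reach: anything belonging to an already
#    accepted session is let through without further inspection.
add chain=forward action=accept connection-state=established,related,untracked comment="accept established, related, untracked"
# 2. Packets that fit no known connection are dropped.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 3. Only connection-state=new packets remain at this point; for TCP that is
#    the SYN,!ACK packet that opens a session. Hand them to catch-him.
add chain=forward action=jump jump-target=catch-him protocol=tcp in-interface=bridge comment="count new TCP sessions per LAN host"
# catch-him: dst-limit MATCHES while the rate for a given src-address is still
# within 10 per minute (burst 0), so those packets return to chain forward and
# continue down it as if nothing happened ...
add chain=catch-him action=return dst-limit=10/1m,0,src-address comment="within budget: back to forward"
# ... and only packets that exceed the rate fall through to this rule, which
# records the offending LAN address. Nothing is dropped here; the list is a
# diagnostic aid (add a separate drop rule matching the list only if wanted).
add chain=catch-him action=add-src-to-address-list address-list=misbehaving address-list-timeout=1d comment="over budget: note the source"
# The rest of the usual forward chain (e.g. the default "drop all from WAN not
# DSTNATed" rule) follows the jump rule.

# Checking the result after a while:
/ip firewall address-list print where list=misbehaving
```

Because catch-him ends without an accept or drop, a packet that reaches the add-src-to-address-list rule (passthrough=yes by default) also returns to chain forward afterwards, so the construct never changes whether traffic is allowed; it only annotates it.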
 
zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Re: Filter rule by connection state "time wait"

Wed Aug 10, 2022 5:49 pm

sindy, thank you for the reply. Nothing is obvious in my situation, so actually it's a great piece of information. As I've gathered from the internet, TIME_WAIT means my device closed the connection and doesn't care for any FIN from the remote side. Watching the Connection tab in Winbox, I found it strange that some IPs have many TIME_WAITs to the same remote IP addresses again and again. I mean identically looking TIME_WAITs frequently pop up in the connection list.
hunting for a misbehaving device (or application) somewhere
Something got my external IP banned on every CloudFront (Amazon)-hosted website. I don't know the exact conditions for getting banned, though. So it's just my guess that it originates from my network and is eager for AWS sites. It's hard to explain when you're going in blind on the whole thing. That's why I kept the story short.
then gracefully terminates them all within a short time period, it might be equally good to track just the number of sessions initiated
Probably. My guess was to separate legit AWS-hosted site access from the strange ones, which looked to me like TIME_WAIT bursts.
dst-limit=10/1m,0,src-address
Interesting. dst-limit is like connection-limit, but dynamic and limited in time? I will check the rule set as soon as I get how jump and return work. Yes, my knowledge level isn't high ;D
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filter rule by connection state "time wait"

Wed Aug 10, 2022 6:04 pm

Interesting. dst-limit is like connection-limit, but dynamic and limited in time?
Yes, plus you can specify the differentiator/selector (i.e. which header field of the packets is used to select the bucket/counter).

I will check the rule set as soon as get how jump and return works.
jump should actually be named call, because if the packet passes through the whole invoked chain (indicated by jump-target) without matching any rule that would provide a final verdict (accept or drop, or passthrough=no), its processing returns back to the invoking chain. And action=return just skips the rest of the invoked chain.

This slightly complex construct is only necessary because dst-limit matches when the packet rate is below the limit, and you want to note down addresses of packets that exceed the limit; I didn't know you were interested in the LAN->WAN direction where typically no restrictions exist. So in this special case, you could just accept "new" TCP packets that are below the limit, and add to address list those which get past this dst-limit rule, in chain forward itself, rather than "outsourcing" this same sequence of rules to a dedicated chain.
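As an added example (not from sindy's post or from MikroTik), here is the simplified LAN->WAN form just described, with no dedicated chain: new TCP packets within the dst-limit budget are accepted directly in chain forward, and the ones that get past that rule are the over-budget ones whose source gets noted. Interface names "bridge" (LAN) and "ether1" (WAN), the threshold and the list timeout are assumptions; the tcp-state value spelling in the last command is also an assumption to verify against your own `print detail` output.

```routeros
# Added example: inline variant for the LAN->WAN direction, no jump/return.
# Assumptions: LAN interface "bridge", WAN interface "ether1",
# 10 new TCP sessions per minute per LAN host, list entries expire in 1 day.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked comment="accept established, related, untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# From here on only connection-state=new packets remain. dst-limit matches
# while the per-src-address rate of new TCP sessions is within 10/min, so
# the normal case is accepted immediately and never reaches the next rule ...
add chain=forward action=accept protocol=tcp in-interface=bridge out-interface=ether1 dst-limit=10/1m,0,src-address comment="LAN->WAN new TCP within budget"
# ... and a host that exceeds the rate lands here instead. The packet is only
# annotated (passthrough=yes), then continues down the chain, where the usual
# LAN->WAN accept or the chain's default accept still lets it out; the
# address list is for finding the chatty host, not for blocking it.
add chain=forward action=add-src-to-address-list address-list=misbehaving address-list-timeout=1d protocol=tcp in-interface=bridge out-interface=ether1 comment="LAN->WAN new TCP over budget: note source"

# Inspect who was noted, and cross-check against the connection table
# (the exact tcp-state value spelling is an assumption; compare with
# "/ip firewall connection print detail" on your router):
/ip firewall address-list print where list=misbehaving
/ip firewall connection print where protocol=tcp tcp-state=time-wait
```

The difference from the jump/return construct is only where the "over budget" packets end up: in a dedicated chain they fall through to the end and return, here they simply reach the next forward rule. Keep both dst-limit rules restricted to the same protocol and interfaces so that the second rule cannot be reached by traffic the first never counted.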
