Added 2021-07-06:
Compared to the 2014 version I have added a lot more things.
I am not done; I will add more when I have time.
WORK IN PROGRESS
I appreciate any suggestions, and also positive comments, if any...
Thanks BartoszP, I update the rules when I can
viewtopic.php?f=9&t=83387#p482224
************************************************
When you set on the firewall one rule like the default:
add action=drop connection-state=invalid
you really do not block any malicious connection or packet.
The drop-invalid rule simply drops packets for which connection tracking finds no matching connection.
The following rules, instead, block forged or malformed packets.
They are based on how TCP and UDP packets must be built to be valid according to the RFCs.
Comments like "UDP port 0 is used by some load balancers" do not matter here: that usage does not follow the RFCs and is not used by MikroTik.
boen_robot explains more:
viewtopic.php?f=9&t=83387&p=417864#p460244
These rules must be set in "/ip firewall raw"; this way they do not interfere with how the regular default "/ip firewall filter" rules work.
Rules in the raw prerouting chain are evaluated before connection tracking, so they are cheap and they apply both to traffic for the router itself and to forwarded traffic.
Warning: these rules do not replace the default "/ip firewall filter" rules; they must be used together with at least those.
Code:
/ip firewall raw
add action=drop chain=prerouting comment="TCP invalid combination of flags attack (7 rules)" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
Again thanks to boen_robot for the explanation:
viewtopic.php?f=9&t=83387&p=417380#p467921
SYN fragmented attack
Code:
/ip firewall raw
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes protocol=tcp tcp-flags=syn
Protected Zone (protect against Teardrop Attack and others)
Some types of attack use IP packet fragmentation.
Some packet fragmentation, on the other hand, can be wanted or needed: large UDP datagrams (DNS, IKE) and some tunnel traffic are fragmented legitimately, so do not drop every fragment on every interface.
To create "Protected Zones" against IP fragmentation attacks, use one or both of these.
Create an interface list of protected interfaces (then add the interfaces to it under /interface list member):
Code:
/interface list
add name=fragment_protected_interface
/ip firewall raw
add action=drop chain=prerouting comment="Fragment attack Interface Protection" fragment=yes in-interface-list=fragment_protected_interface
Create an address list of protected IPs:
Code:
/ip firewall address-list
add address=2.3.4.5 list=fragment_protected_IP
/ip firewall raw
add action=drop chain=prerouting comment="Fragment attack IP Protection" fragment=yes dst-address-list=fragment_protected_IP
IP Options attacks
Attacks made with normally unused (or misused) IPv4 header options.
Note that IGMPv2 and IGMPv3 messages are required to carry the Router Alert option (RFC 2236, RFC 3376), so the router-alert rule must exempt IGMP or you lose multicast group management through that router.
Code:
/ip firewall raw
add action=drop chain=prerouting comment="IP option loose-source-routing" ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert, except for IGMP which needs it" ipv4-options=router-alert protocol=!igmp
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=timestamp
add action=drop chain=prerouting comment="IP options left, except on IGMP" ipv4-options=any protocol=!igmp
IP Spoofing (prevent LAND Attack and others)
All ISPs should do this (it is what BCP 38 / RFC 2827 ingress filtering asks for) and 95% of DDoS attacks wouldn't exist ...
The default configuration has two interface lists, WAN and LAN:
Code:
/interface list
add name=WAN
add name=LAN
Define one or more address lists with the IPs used on the LOCAL side of the network (these can also be public IPs):
Code:
/ip firewall address-list
add address=192.168.88.0/24 list=IP_used_on_LAN
We do not expect packets with an internal source IP to arrive from the WAN, nor packets from the LAN with a source IP other than those in IP_used_on_LAN.
The LAN rule excludes src-address 0.0.0.0 to dst-address 255.255.255.255 because DHCP clients that do not have an address yet send their DISCOVER/REQUEST exactly that way.
Code:
/ip firewall raw
add action=drop chain=prerouting comment="IP Spoofing protection from WAN" in-interface-list=WAN src-address-list=IP_used_on_LAN
add action=drop chain=prerouting comment="IP Spoofing protection from LAN" in-interface-list=LAN src-address-list=!IP_used_on_LAN \
src-address=!0.0.0.0 dst-address=!255.255.255.255
Unused Protocol
Dropping unassigned protocols is not easy, because the protocol field accepts only one number, not a range.
Protocols 144 to 255 are unassigned, experimental or reserved: https://www.iana.org/assignments/protoc ... bers.xhtml
But in real use not all of the first 144 protocols are needed either; in 95% of cases only 1 (ICMP), 6 (TCP) and 17 (UDP) are seen.
We cannot set a rule like drop protocol=144-255 because it is unsupported, so we accept everything that is used and drop the others.
These rules must be put at THE END of the raw prerouting chain!!!
Code:
/ip firewall raw
add action=accept chain=prerouting protocol=icmp
add action=accept chain=prerouting protocol=igmp
add action=accept chain=prerouting protocol=tcp
add action=accept chain=prerouting protocol=udp
add action=accept chain=prerouting protocol=gre
add action=log chain=prerouting log-prefix="Not TCP protocol" protocol=!tcp
add action=drop chain=prerouting comment="Unused protocol protection" disabled=yes protocol=!tcp
An accept in raw only lets the packet continue to connection tracking and the /ip firewall filter chains; it does not accept the packet directly.
The drop rule is disabled on purpose: leave the log rule running for a while first, and add an accept for every protocol you actually use (for example ESP 50 and AH 51 for IPsec, OSPF 89, VRRP 112) before enabling it.
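To see what the raw rules in the sections above actually match on the wire, here is an added example in Python; it is not RouterOS code and not part of the original post. It parses a raw IPv4 packet the way the prerouting rules see it, applies the checks in the order the sections list them (TCP flag combinations, port 0, fragmented SYN, protected zones, IP options with the Router Alert exemption for IGMP, spoofing by interface, unused protocols) and returns the comment of the first rule that would drop the packet, or "accept". The interface names ether1 and bridge, the members of the lists, and the assumption that the unused-protocol drop rule is enabled are mine for the demo; checksums are not verified, and the test packets are constructed with the build() helper, not captured.

```python
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# IPv4 option kinds as they appear on the wire (RFC 791, RFC 2113)
IP_OPTION_NAMES = {0x83: "loose-source-routing", 0x89: "strict-source-routing",
                   0x07: "record-route", 0x94: "router-alert", 0x44: "timestamp"}

# Assumed list contents for the demo (the post only defines the list names)
WAN_IFACES, LAN_IFACES = {"ether1"}, {"bridge"}
IP_USED_ON_LAN = [ipaddress.ip_network("192.168.88.0/24")]
FRAGMENT_PROTECTED_IFACES = {"ether1"}
FRAGMENT_PROTECTED_IPS = {ipaddress.ip_address("2.3.4.5")}
ACCEPTED_PROTOCOLS = {1, 2, 6, 17, 47}  # icmp igmp tcp udp gre; drop rule assumed enabled
ANY, BCAST = ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255")

def parse_ipv4(pkt):
    """Pull out the header fields the rules look at; None if the header is truncated."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "fragment": bool(flags_off & 0x2000) or (flags_off & 0x1FFF) > 0,  # fragment=yes
            "first": (flags_off & 0x1FFF) == 0, "options": pkt[20:ihl], "payload": pkt[ihl:]}

def option_kinds(options):
    """Option kinds present in the list; stops at end-of-list or a malformed length."""
    kinds, i = [], 0
    while i < len(options) and options[i] != 0:
        if options[i] == 1:  # NOP padding has no length byte
            i += 1
            continue
        kinds.append(options[i])
        if i + 1 >= len(options) or options[i + 1] < 2:
            break
        i += options[i + 1]
    return kinds

def ports_and_flags(ip):  # (sport, dport, tcp_flags) of a first fragment, else None
    p, need = ip["payload"], 14 if ip["proto"] == 6 else 4
    if not ip["first"] or len(p) < need:
        return None
    sport, dport = struct.unpack("!HH", p[:4])
    return sport, dport, (p[13] if ip["proto"] == 6 else 0)

def bad_tcp_flags(f):  # the seven tcp-flags matchers of the post, in order
    return bool(not f & (FIN | SYN | RST | ACK) or (f & FIN and f & SYN) or (f & FIN and f & RST)
                or (f & FIN and not f & ACK) or (f & FIN and f & URG) or (f & SYN and f & RST)
                or (f & RST and f & URG))

def raw_verdict(pkt, in_iface):
    """Comment of the first raw rule that would drop the packet, else 'accept'."""
    ip = parse_ipv4(pkt)
    if ip is None:
        return "drop: not a parseable IPv4 packet"
    l4 = ports_and_flags(ip) if ip["proto"] in (6, 17) else None
    f = l4[2] if l4 else 0
    if ip["proto"] == 6 and l4 and bad_tcp_flags(f):
        return "drop: TCP invalid combination of flags attack"
    if l4 and 0 in l4[:2]:
        return "drop: %s Port 0 attack" % ("TCP" if ip["proto"] == 6 else "UDP")
    if ip["fragment"]:
        if ip["proto"] == 6 and f & SYN:
            return "drop: SYN fragmented attack"
        if in_iface in FRAGMENT_PROTECTED_IFACES:
            return "drop: Fragment attack Interface Protection"
        if ip["dst"] in FRAGMENT_PROTECTED_IPS:
            return "drop: Fragment attack IP Protection"
    for kind in option_kinds(ip["options"]):
        name = IP_OPTION_NAMES.get(kind, "any")
        if name in ("router-alert", "any") and ip["proto"] == 2:
            continue  # IGMP must carry Router Alert (RFC 2236), so it is exempt
        return "drop: IP option " + name
    on_lan = any(ip["src"] in net for net in IP_USED_ON_LAN)
    if in_iface in WAN_IFACES and on_lan:
        return "drop: IP Spoofing protection from WAN"
    if in_iface in LAN_IFACES and not on_lan and not (ip["src"] == ANY and ip["dst"] == BCAST):
        return "drop: IP Spoofing protection from LAN"  # 0.0.0.0 -> broadcast is DHCP
    if ip["proto"] not in ACCEPTED_PROTOCOLS:
        return "drop: Unused protocol protection"
    return "accept"  # continues to connection tracking and /ip firewall filter

def build(proto, src, dst, payload=b"", options=b"", more_fragments=False, offset=0):
    """Constructed IPv4 packet for testing; the header checksum is left at zero."""
    options += b"\x00" * (-len(options) % 4)  # pad the option list to 32 bits
    flags_off = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                      20 + len(options) + len(payload), 1, flags_off, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options + payload

def tcp(sport, dport, flags):  # minimal 20-byte TCP header, seq/ack/window/checksum zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
```

For example raw_verdict(build(6, "1.2.3.4", "2.3.4.5", tcp(40000, 80, FIN | PSH | URG)), "ether1") is dropped by the flags rules (an Xmas probe has FIN without ACK), while the same SYN packet with src 192.168.88.5 arriving on ether1 hits the spoofing rule, and an IGMP report with Router Alert from the bridge is accepted. Note that only first fragments carry the TCP/UDP header, which is why the port and flag checks cannot see later fragments and the fragment rules are a separate layer.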
New TCP connection without SYN
A new TCP connection must start with a packet carrying the SYN flag.
If the first packet seen for a connection does not have SYN set, it is an attack or a scan (ACK, FIN, NULL or Xmas probes) ... or a packet of a connection the router no longer tracks, for example after a reboot; those get dropped too and the client has to reconnect.
Each rule must go first in /ip firewall filter, in the respective input and forward chains; it does not work in raw, because it needs connection tracking.
Code:
/ip firewall filter
add action=drop chain=input connection-state=new protocol=tcp tcp-flags=!syn comment="TCP non SYN scan attack input"
add action=drop chain=forward connection-state=new protocol=tcp tcp-flags=!syn comment="TCP non SYN scan attack forward"
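Because this check depends on connection state, the same packet can be accepted or dropped depending on what the router has already seen. The following added Python example (not RouterOS code, not from the original post) models that with a minimal stand-in for connection tracking which only remembers a TCP 4-tuple after its SYN and forgets it on RST; packets are given as already-parsed tuples and the sequence is constructed for the demo.

```python
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class ConnTracker:
    """Minimal stand-in for connection tracking: a TCP 4-tuple is known from the
    moment its SYN was accepted until a RST is seen (FIN teardown is omitted)."""

    def __init__(self):
        self.table = set()

    @staticmethod
    def key(src, sport, dst, dport):
        # Direction-independent, so the SYN-ACK and later replies match the same entry
        return frozenset({(src, sport), (dst, dport)})

    def state(self, src, sport, dst, dport):
        return "established" if self.key(src, sport, dst, dport) in self.table else "new"


def filter_verdict(tracker, src, sport, dst, dport, flags):
    """Model of: add action=drop connection-state=new protocol=tcp tcp-flags=!syn"""
    k = tracker.key(src, sport, dst, dport)
    if tracker.state(src, sport, dst, dport) == "new":
        if not flags & SYN:
            return "drop"        # first packet of an unknown flow without SYN
        tracker.table.add(k)     # conntrack creates the entry on the SYN
    elif flags & RST:
        tracker.table.discard(k)  # torn down: later packets of this flow are "new" again
    return "accept"


def run(packets):
    """Apply the rule to a packet sequence with one shared tracker; returns the verdicts."""
    tracker = ConnTracker()
    return [filter_verdict(tracker, *p) for p in packets]


# Constructed sequence: (src, sport, dst, dport, tcp_flags)
SAMPLE_PACKETS = [
    ("10.0.0.2", 50000, "2.3.4.5", 443, SYN),         # client handshake
    ("2.3.4.5", 443, "10.0.0.2", 50000, SYN | ACK),   # server reply, same flow reversed
    ("10.0.0.2", 50000, "2.3.4.5", 443, ACK),
    ("1.2.3.4", 40000, "2.3.4.5", 443, ACK),          # ACK scan probe, no handshake
    ("1.2.3.4", 40001, "2.3.4.5", 22, FIN),           # FIN scan probe
    ("10.0.0.2", 50000, "2.3.4.5", 443, RST | ACK),   # client aborts the connection
    ("10.0.0.2", 50000, "2.3.4.5", 443, ACK),         # stray ACK after teardown
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(verdict, pkt)
```

The last packet is the case to keep in mind: it is a legitimate ACK from a real client, but once the tracker has lost the entry (here after a RST, on a router after a reboot or a conntrack flush) it is indistinguishable from an ACK scan and gets dropped, which is exactly why this rule cannot live in raw, where no state exists yet.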
If anyone finds a bug, please report it.
Thanks.