mahnet
Long time Member
Topic Author
Posts: 654
Joined: Tue Jul 07, 2009 9:11 pm

Firewall Rules/Connections

Mon Feb 01, 2010 4:26 pm

I have a 433AH at my BTS and a 411 at the client end. The customer is using a Netgear WG614 router for his internal network to share the internet. The WAN IP I have given to him is 10.10.1.240. The connection stops when 12-13 users get connected to the WG614 router. I have the firewall configured on the 433AH and the 411 as per the MikroTik Wiki to protect customers. There is no video streaming, just simple mail and net surfing. The internet speed used is 512 kbps. I checked the connections in the firewall and found that the IP 10.10.1.240 was hitting continuously on almost every port between 1076 and 4293 in the source address, and in the destination address it was 65.254.50.194:80 for all the source ports. There were 500+ connections like this in the firewall connections of both the 433AH and the 411.
Can someone suggest what the problem can be and how to solve it?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall Rules/Connections

Mon Feb 01, 2010 4:49 pm

That's some guy _really_ trying to load a webpage from that server.

Find him and use 'netstat' to figure out which process on his computer is causing that traffic.
 
mahnet

Re: Firewall Rules/Connections

Mon Feb 01, 2010 8:04 pm

65.254.50.194 probably belongs to some hosting service which hosts the website for this client. All the users on this Netgear WG614 are accessing mails and replying to them or doing stuff related to this site. I had a CPE placed at the customer end before, but they were not able to make attachments even 40.0 kB in size, therefore I replaced it with a 411. The situation improved a bit, but the problem more or less remains the same. Do I have to run "netstat" on every single user computer connecting to the WG614 router?
 
fewi

Re: Firewall Rules/Connections

Mon Feb 01, 2010 8:07 pm

The idea was to locate the machine carrying that IP address and use either netstat or some other process explorer to figure out which process (application) on the machine is tied to the ports making those connections to that web server.
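As an added example (not code from fewi's posts or from MikroTik), the two steps fewi describes, reading the router's connection table and then matching the remote endpoint against the suspect host's `netstat -ano`, written as a small Python script. The connection dump and the netstat listing inside it are constructed samples shaped like the real command output; the LAN address 192.168.0.12, the PIDs and the threshold of five parallel connections are assumptions.

```python
"""Find the process behind a burst of connections seen in a MikroTik
connection table.

Added example for this thread, not code from the original posts. The two
inputs below are constructed samples shaped like `/ip firewall connection
print` on RouterOS and `netstat -ano` on Windows; the LAN address, PIDs and
the five-connection threshold are assumptions.
"""
import re
from collections import Counter

# Constructed: what the router saw, roughly as described in the first post.
ROUTER_CONNTRACK = """\
Flags: S - seen reply, A - assured
 #   PROTOCOL SRC-ADDRESS          DST-ADDRESS          TCP-STATE   TIMEOUT
 0 SA tcp     10.10.1.240:1076     65.254.50.194:80     established 23h59m
 1 SA tcp     10.10.1.240:1077     65.254.50.194:80     established 23h59m
 2  A tcp     10.10.1.240:1078     65.254.50.194:80     syn-sent    9s
 3 SA tcp     10.10.1.240:1079     65.254.50.194:80     established 23h59m
 4 SA tcp     10.10.1.240:1102     65.254.50.194:80     established 23h58m
 5 SA tcp     10.10.1.240:4293     65.254.50.194:80     established 23h59m
 6 SA tcp     10.10.1.240:3512     74.125.67.100:443    established 23h12m
 7 SA udp     10.10.1.240:53122    10.10.1.1:53                     1m
"""

# Constructed: `netstat -ano` on one LAN host behind the Netgear (assumed
# address 192.168.0.12, assumed PIDs).
HOST_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.12:1076      65.254.50.194:80       ESTABLISHED     2812
  TCP    192.168.0.12:1077      65.254.50.194:80       ESTABLISHED     2812
  TCP    192.168.0.12:1078      65.254.50.194:80       SYN_SENT        2812
  TCP    192.168.0.12:3512      74.125.67.100:443      ESTABLISHED     1540
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    0.0.0.0:137            *:*                                    4
"""

# proto, src ip[:port], dst ip[:port]; the port is absent for icmp entries.
CONN_RE = re.compile(
    r"\b(tcp|udp|icmp)\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?"
)


def parse_conntrack(text):
    """Return (proto, src_ip, src_port, dst_ip, dst_port) per tracked connection."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            proto, sip, sport, dip, dport = m.groups()
            conns.append((proto, sip, int(sport or 0), dip, int(dport or 0)))
    return conns


def busiest_flows(conns, min_conns=5):
    """Count parallel connections per (src_ip, dst_ip, dst_port), busiest first.

    One source holding many connections open to a single dst:port is the
    pattern from the first post: a browser needs a handful, a stuck
    downloader or malware opens hundreds.
    """
    counts = Counter((sip, dip, dport) for _, sip, _, dip, dport in conns)
    hits = [(key, n) for key, n in counts.items() if n >= min_conns]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


def parse_netstat(text):
    """Parse `netstat -ano` rows into (proto, lip, lport, fip, fport, state, pid)."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("TCP", "UDP") or not tok[-1].isdigit():
            continue
        lip, lport = tok[1].rsplit(":", 1)
        fip, fport = tok[2].rsplit(":", 1)
        state = tok[3] if len(tok) == 5 else ""  # UDP rows have no State column
        rows.append((tok[0], lip, lport, fip, fport, state, int(tok[-1])))
    return rows


def processes_talking_to(rows, dst_ip, dst_port):
    """Map PID -> number of sockets open to dst_ip:dst_port.

    Match on the remote endpoint, not on the source port: the router only
    sees the Netgear's WAN address, and a NAT box may rewrite source ports,
    so the 1076-4293 range at the router need not equal the PC's local ports.
    """
    pids = Counter()
    for _, _, _, fip, fport, _, pid in rows:
        if fip == dst_ip and fport == str(dst_port):
            pids[pid] += 1
    return dict(pids)


if __name__ == "__main__":
    for (sip, dip, dport), n in busiest_flows(parse_conntrack(ROUTER_CONNTRACK)):
        print(f"{sip} -> {dip}:{dport}: {n} parallel connections")
        for pid, n_sock in processes_talking_to(parse_netstat(HOST_NETSTAT), dip, dport).items():
            print(f"  host PID {pid} holds {n_sock} sockets there; "
                  f'name it with: tasklist /FI "PID eq {pid}"')
```

The script deliberately correlates on the remote endpoint rather than on the source-port range: the router's table only ever shows the Netgear's WAN address, and a NAT device is free to rewrite source ports, so ports seen at the router need not match the ports on the PC. On Windows, `tasklist /FI "PID eq <pid>"` names the process for a PID; on Linux, `ss -tnp` shows the owning process inline.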
 
mahnet

Re: Firewall Rules/Connections

Tue Feb 02, 2010 9:02 am

10.10.1.240 is on WAN Port of the Router.
 
drnitinarora
newbie
Posts: 32
Joined: Fri Sep 25, 2009 6:08 pm

Re: Firewall Rules/Connections

Tue Feb 02, 2010 9:37 pm

Hello All!

I am also stuck with this firewall with the same issue. My firewall config is:

add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=!193.126.126.0/24 action=accept in-interface=!ether1
add chain=input action=drop comment="Drop everything else"
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 protocol=tcp action=drop
add chain=forward dst-address=224.0.0.0/3 protocol=udp port=5355 action=drop
add chain=forward dst-address=224.0.0.0/3 protocol=igmp action=drop
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=445 action=drop comment="deny cifs"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"

In all MikroTiks, with "Bridge IP firewall" turned on

"Bridge protocol STP"

My network Setup
Visio-Drawing2.pdf
Visio-Drawing3.pdf
All links have been physically working fine for more than 1 year! Firewall rules were added 1 month ago.



PROBLEM 1:
I cannot access the MikroTiks using an IP address with the firewall turned on; they are only accessible via MAC.

PROBLEM 2:
When I check tcpdump on my servers I do not see any UDP flooding.

When using Torch on the MT, I see a lot of flooding on ports 137, 138 and 445. There are 1000s of connections in the connection list, those from Server2 IPs also in the MT, connected only to Server1.

PROBLEM 3:

The backbone link with the Cisco router shows throughput of 11 Mbps+ when used alone.
Tx/Rx = -57/-59 dB
Tx/Rx CCQ = 92-99%/85-99%

On connecting with the servers: during the day everything goes well, concurrent users online Server1 -> 75 to 100, Server2 -> up to 75. During the night the problem starts: concurrent users online Server1 -> 25-50, Server2 -> 125-250.

The backbone link shows very, very high latency and throughput drops to 1-2 Mbps only.
Tx/Rx = -57/-59 dB
Tx/Rx CCQ = 30-50%/20-30%
Disconnecting Server2, everything goes well.

More than 5000 connections are seen in the connection list of the backbone link MTs. Tx/Rx = -57/-59 dB
Tx/Rx CCQ = 92-99%/85-99%.

Connections from the WAN IPs of Server 1 & 2, also LAN IPs of Server2.

How come so many connections are seen when the firewall is turned on? Why is the backbone link failing?

PLEASE HELP
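An added configuration example, not the poster's rules, for the symptom both posters in this thread describe (one address holding hundreds or thousands of entries in the connection table): RouterOS's connection-limit matcher tags such a source in an address list so the offender can be read off the router instead of running netstat on every PC. The list name conn-hogs, the limits of 100 and 50 and the one-hour timeout are assumptions to be tuned to real customer usage; the addresses in the comments are the ones from this thread. With "Bridge IP firewall" (use-ip-firewall) enabled, bridged traffic also traverses the forward chain, so the rules see it.

```routeros
# Added example for this thread, not the poster's configuration. The list
# name "conn-hogs", the limits (100 TCP, 50 NetBIOS) and the 1h timeout are
# assumptions.
/ip firewall filter

# Tag any single source address (/32) that already holds more than 100
# parallel TCP connections through the router when it opens another one.
# This is the pattern from both posts: one WAN IP with 500+ or 1000s of
# entries. Established connections are untouched; only the source is listed.
add chain=forward protocol=tcp connection-state=new connection-limit=100,32 action=add-src-to-address-list address-list=conn-hogs address-list-timeout=1h comment="tag hosts with >100 parallel TCP connections"

# Drop further NEW connections from tagged hosts so the uplink survives;
# what is already established keeps working, so a customer is throttled
# rather than cut off.
add chain=forward protocol=tcp connection-state=new src-address-list=conn-hogs action=drop comment="throttle tagged connection hogs"

# Same idea for the NetBIOS noise seen with Torch on 137/138: UDP is
# connection-tracked too, so a chatty Windows host is tagged even when it
# stays below the TCP limit.
add chain=forward protocol=udp dst-port=137-138 connection-limit=50,32 action=add-src-to-address-list address-list=conn-hogs address-list-timeout=1h comment="tag NetBIOS chatterers"

# Read the result from a terminal instead of visiting every PC:
#   /ip firewall address-list print where list=conn-hogs
# and inspect what a tagged host is doing, here the first post's case:
#   /ip firewall connection print where src-address~"^10.10.1.240:" && dst-address~":80$"
#   /ip firewall connection print count-only where dst-address~"^65.254.50.194:80$"
```

Appended to a forward chain like the one posted above, these rules land after the jump rules; because the tcp/udp/icmp chains return for anything they do not drop, new connections still reach them. If a forward chain ends with a final drop rule, insert them earlier with place-before= instead.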
 
ciphercore
Member Candidate
Posts: 155
Joined: Fri Jan 29, 2010 5:48 pm

Re: Firewall Rules/Connections

Wed Feb 03, 2010 4:20 pm

I think I know why he wanted to get there so bad.


Try pinging : mail.russian-porno-portal.com
ping mail.russian-porno-portal.com
Pinging mail.russian-porno-portal.com [65.254.50.194] with 32 bytes of data:
Reply from 65.254.50.194: bytes=32 time=44ms TTL=52
Reply from 65.254.50.194: bytes=32 time=42ms TTL=52
Reply from 65.254.50.194: bytes=32 time=41ms TTL=52


I am guessing it is malware related :lol:

EDIT: Pretty much 100% it is malware.

It looks like the IP has had a few interesting names.

flashvideodownloader.org
naked-women-blog.com
4browser.com
 
mahnet

Re: Firewall Rules/Connections

Thu Feb 04, 2010 7:04 pm

I have discovered flashvideodownloader running in the log of the router. I thought it might be just any application.
But I had tried blocking the site flashvideodownloader.org. How did it still hit the MikroTik? The requests should not have gone beyond the Netgear.

Can someone explain to me what the difference is between blocking the source ports and the destination ports? What would be the implications of blocking the same source ports as the destination ports on my firewall?
