/ip firewall filter
add chain=input connection-state=invalid action=drop comment="drop invalid \
connections" disabled=no
add chain=input protocol=tcp psd=10,3s,3,1 action=drop comment="drop possible \
port scans" disabled=no
add chain=input protocol=udp dst-port=137-139 action=drop comment="deny \
NETBIOS services" disabled=no
add chain=input protocol=udp dst-port=161 action=accept comment="allow SNMP \
connections" disabled=no
add chain=input protocol=tcp dst-port=2000 action=accept comment="allow \
bandwidth test TCP connections" disabled=no
add chain=input protocol=udp action=accept comment="allow UDP protocol" \
disabled=no
add chain=input protocol=tcp dst-port=21 action=accept comment="allow FTP \
access" disabled=no
add chain=input protocol=tcp dst-port=22 action=accept comment="allow SSH \
access" disabled=no
add chain=input protocol=tcp dst-port=80 action=accept comment="allow HTTP \
access" disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="allow Winbox \
access" disabled=no
add chain=input protocol=tcp dst-port=1723 action=accept comment="allow PPTP \
access" disabled=no
add chain=input connection-state=established action=accept comment="accept \
established connections" disabled=no
add chain=input connection-state=related action=accept comment="accept related \
connections" disabled=no
add chain=input protocol=icmp icmp-options=8:0 action=accept \
comment="allow ICMP echo request" disabled=no
add chain=forward in-interface=Local out-interface=Global action=drop \
comment="" disabled=no
add chain=input protocol=icmp icmp-options=3:4 action=accept comment="allow \
ICMP Fragmentation Needed" disabled=no
add chain=input action=log log-prefix="" comment="log everything else" \
disabled=yes
add chain=input action=drop comment="drop everything else" disabled=yes
Note that you still have to enable the last rules to achieve any effect. I posted them as disabled for security reasons. Of course, you can substitute the input chain with any other, including forward. If you don't use some services, like SNMP or PPTP, just disable or even delete the appropriate rules.
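An added example, not part of the original post: a short Python check over a `/ip firewall filter` export that reports which rules are still disabled, which accept rules match a whole protocol, and whether the chain has an enabled catch-all drop. The sample export is a constructed, shortened copy of the rules above, and the names `parse_rules` and `audit` are hypothetical.

```python
import shlex

# Constructed sample: a shortened copy of the export above (not a live config).
SAMPLE = r'''/ip firewall filter
add chain=input connection-state=invalid action=drop comment="drop invalid \
connections" disabled=no
add chain=input protocol=udp dst-port=161 action=accept comment="allow SNMP \
connections" disabled=no
add chain=input protocol=udp action=accept comment="allow UDP protocol" \
disabled=no
add chain=input protocol=tcp dst-port=22 action=accept comment="allow SSH \
access" disabled=no
add chain=input action=log log-prefix="" comment="log everything else" \
disabled=yes
add chain=input action=drop comment="drop everything else" disabled=yes
'''

# Keys that describe the rule itself rather than what it matches.
NON_MATCHERS = {"chain", "action", "comment", "disabled", "log-prefix"}

def parse_rules(export):
    """Join backslash-continued lines and turn each 'add' line into a dict."""
    rules = []
    for line in export.replace("\\\n", "").splitlines():
        if line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line)[1:]))
    return rules

def audit(rules, chain="input"):
    """Return findings about one chain: disabled rules, broad accepts, default."""
    findings, has_default_drop = [], False
    for r in (r for r in rules if r.get("chain") == chain):
        matchers = set(r) - NON_MATCHERS
        if r.get("disabled") == "yes":
            findings.append("disabled: " + r.get("comment", ""))
        elif r.get("action") == "drop" and not matchers:
            has_default_drop = True
        elif r.get("action") == "accept" and matchers == {"protocol"}:
            findings.append("accepts every %s port: %s" % (r["protocol"], r.get("comment", "")))
    if not has_default_drop:
        # RouterOS accepts a packet that no rule in a built-in chain matched.
        findings.append(chain + ": no enabled catch-all drop, unmatched packets are accepted")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE)):
        print(finding)
```

Run against the sample, the check shows that with the last rule disabled the accept rules filter nothing: any packet they do not match is still accepted by the chain's default.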