rwrocket
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Nov 24, 2014 8:08 am

Honeypot for port scanners picks up google DNS

Mon May 04, 2015 1:57 am

I have a rule like so to catch people scanning our subnets
XXX.XXX.XXX.XXX = an unused IP on our customer subnet.

1 ;;; HONEYPOT
chain=forward action=add-src-to-address-list dst-address=XXX.XXX.XXX.XXX src-address-list=!WHITELIST address-list=@SCANNER
address-list-timeout=8h in-interface=WAN1 log=no log-prefix=""

Does anyone have any theories why Google's DNS server 8.8.8.8 found its way on there yesterday, and whether I should be concerned about other false positives or simply whitelist Google's DNS as I have done?
 
rextended
Forum Guru
Posts: 12602
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Honeypot for port scanners picks up google DNS

Mon May 04, 2015 4:35 am

I have a rule like so to catch people scanning our subnets
XXX.XXX.XXX.XXX = an unused IP on our customer subnet.

1 ;;; HONEYPOT
chain=forward action=add-src-to-address-list dst-address=XXX.XXX.XXX.XXX src-address-list=!WHITELIST address-list=@SCANNER
address-list-timeout=8h in-interface=WAN1 log=no log-prefix=""

Does anyone have any theories why Google's DNS server 8.8.8.8 found its way on there yesterday, and whether I should be concerned about other false positives or simply whitelist Google's DNS as I have done?
Why didn't you ask directly on the original post where you found the rule?
http://forum.mikrotik.com/viewtopic.php ... ER#p480275

The "safe_address_list", or what you have called "WHITELIST", exists for this reason.
False positives can happen, as with any other method, but what other services end up on the @SCANNER list by error?
I understand the 8.8.8.8 and 8.8.4.4 IPs: Google uses its own IPs to crawl for indexing the Internet,
but I created that rule and have been using it for months, and Google DNS IPs never end up on that list.
You put an 8h timeout on the address list entry; my timeout is: when the RouterBoard is rebooted....
But are you fully sure that your dst-address is really unused?
Does the IP have any related DNS name?

What other IPs are added to the @SCANNER list by error?
Last edited by rextended on Mon May 04, 2015 4:45 am, edited 3 times in total.
 
rwrocket
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Nov 24, 2014 8:08 am

Re: Honeypot for port scanners picks up google DNS

Mon May 04, 2015 4:41 am

Why didn't you ask directly on the original post where you found the rule?
viewtopic.php?f=2&t=54607&p=480275&hilit=%40SCANNER#p480275
Sorry, I forgot where I got the rule from; thanks for replying here.
But are you fully sure that your dst-address is really unused?
What other services end up on the @SCANNER list by error?
Yes, I am certain the IP is unused.
No other rules add to the @scanner list.
 
rextended
Forum Guru
Posts: 12602
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Honeypot for port scanners picks up google DNS

Mon May 04, 2015 4:43 am

Why didn't you ask directly on the original post where you found the rule?
viewtopic.php?f=2&t=54607&p=480275&hilit=%40SCANNER#p480275
Sorry, I forgot where I got the rule from; thanks for replying here.
But are you fully sure that your dst-address is really unused?
What other services end up on the @SCANNER list by error?
Yes, I am certain the IP is unused.
No other rules add to the @scanner list.
You replied before I fixed my reply ;)))

[...]
but I created that rule and have been using it for months, and Google DNS IPs never end up on that list.
You put an 8h timeout on the address list entry; my timeout is: when the RouterBoard is rebooted....
[...]
Does the IP have any related DNS name?
[...]
What other IPs are added to the @SCANNER list by error?
 
rwrocket
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Nov 24, 2014 8:08 am

Re: Honeypot for port scanners picks up google DNS

Mon May 04, 2015 4:59 am


You replied before I fixed my reply ;)))

[...]
but I created that rule and have been using it for months, and Google DNS IPs never end up on that list.
You put an 8h timeout on the address list entry; my timeout is: when the RouterBoard is rebooted....
[...]
Does the IP have any related DNS name?
[...]
What other IPs are added to the @SCANNER list by error?
The entire subnet has a reverse DNS lookup set for it, but that is all.
There are quite a large number of other IPs added to the list, but from what I have checked most seem to be correctly added, as a lot are from China and the US (we are in Australia) and they look suspicious to me.

I have changed the IP now and cleared the list, as I found I had possibly used that IP in the past but not currently; I had a route for the subnet in my router, which I have now removed.

Fingers crossed it will only catch the bad guys now :)
Thanks for your advice.
 
rextended
Forum Guru
Posts: 12602
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Honeypot for port scanners picks up google DNS

Mon May 04, 2015 5:14 am


You replied before I fixed my reply ;)))

[...]
but I created that rule and have been using it for months, and Google DNS IPs never end up on that list.
You put an 8h timeout on the address list entry; my timeout is: when the RouterBoard is rebooted....
[...]
Does the IP have any related DNS name?
[...]
What other IPs are added to the @SCANNER list by error?
The entire subnet has a reverse DNS lookup set for it, but that is all.
There are quite a large number of other IPs added to the list, but from what I have checked most seem to be correctly added, as a lot are from China and the US (we are in Australia) and they look suspicious to me.

I have changed the IP now and cleared the list, as I found I had possibly used that IP in the past but not currently; I had a route for the subnet in my router, which I have now removed.

Fingers crossed it will only catch the bad guys now :)
Thanks for your advice.
After some months, these are the biggest and most recursive scanners:
43.255.190.0/24 (all the IPs on this subnet)
104.128.64.0/22 nearly 80% of all addresses on this block
58.218.204.0/24 ~90%
74.82.47.0/24 ~70%
76.164.x.0/24 ~50% (x = some distinct subnets)
222.186.21.0/24 ~50%
222.186.134.0/24 ~50%

Realtime: (last 10 seconds):
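As an added illustration of what this thread works through (not code from the posts and not RouterOS script), the following Python models the honeypot rule from the first post, the WHITELIST exception and the 8h timeout, and then tallies listed addresses per subnet the way the per-block percentages above were arrived at. The honeypot address, the whitelist contents and the sample packets are constructed, and treating a repeated hit as refreshing the entry's timeout is an assumption about RouterOS behaviour.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed stand-ins: the thread's XXX.XXX.XXX.XXX honeypot address and the WHITELIST contents.
HONEYPOT = ip_address("203.0.113.77")
WHITELIST = {ip_address("8.8.8.8"), ip_address("8.8.4.4")}
TIMEOUT = 8 * 3600  # address-list-timeout=8h, in seconds

# Constructed sample of packets as the forward chain would see them:
# (time in seconds, in-interface, src, dst)
SAMPLE_FLOWS = [
    (0, "WAN1", "198.51.100.10", "203.0.113.77"),   # probe of the unused address: listed
    (5, "WAN1", "8.8.8.8", "203.0.113.77"),         # whitelisted resolver: skipped
    (10, "LAN", "192.0.2.5", "203.0.113.77"),       # not in-interface=WAN1: rule does not match
    (20, "WAN1", "198.51.100.11", "203.0.113.78"),  # different dst-address: rule does not match
    (30, "WAN1", "198.51.100.12", "203.0.113.77"),  # second probe: listed
]


def honeypot_rule(flows, now, in_interface="WAN1"):
    """Model the add-src-to-address-list rule and return {src: expiry} for the
    dynamic @SCANNER entries still alive at `now`. A repeated hit is modelled as
    refreshing the entry's timeout (an assumption about RouterOS behaviour)."""
    scanner = {}
    for ts, iface, src, dst in flows:
        if iface != in_interface or ip_address(dst) != HONEYPOT:
            continue
        if ip_address(src) in WHITELIST:  # src-address-list=!WHITELIST
            continue
        scanner[src] = ts + TIMEOUT
    return {src: exp for src, exp in scanner.items() if exp > now}


def block_coverage(addresses, prefix=24):
    """Group listed addresses by their enclosing /prefix block and return the
    fraction of that block's addresses seen, the per-subnet figure quoted above."""
    seen = defaultdict(set)
    for addr in addresses:
        seen[ip_network(f"{addr}/{prefix}", strict=False)].add(addr)
    return {str(net): len(hosts) / net.num_addresses for net, hosts in seen.items()}


if __name__ == "__main__":
    alive = honeypot_rule(SAMPLE_FLOWS, now=100)
    print("listed:", sorted(alive))  # 198.51.100.10 and 198.51.100.12
    for net, frac in block_coverage(alive, prefix=22).items():
        print(f"{net}: {frac:.1%} of block seen")
```

Running the same tally over a real `/ip firewall address-list print` export with prefix=22 or 24 shows whether a block is being swept methodically rather than hit once.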