Hi guys,, any idea that we can solve this problem without changing public ip? i already tired to filter the port 53 and drop ip filter but still happing...
High traffic
You do not have the required permissions to view the files attached to this post.
Re: High traffic
Hi,
Torch the interface and check what type of traffic is running.
How did you configure your port 53 firewall rule?
Torch the interface and check what type of traffic is running.
How did you configure your port 53 firewall rule?
I had the same problem a few days ago. Torch feature shed light on the situation for me (pun intended). Most traffic was to port 53 from the public.
When I turned off the DNS feature of the router it stopped. I then found that while tcp port 53 was closed to the public, udp port 54 wasn't.
Can someone explain what's happening with that amount of bandwidth on DNS. Is this considered an attack? Is this legitimate (innocent) DNS requests from the public? Thoughts?
Sent from my SM-G920I using Tapatalk
When I turned off the DNS feature of the router it stopped. I then found that while tcp port 53 was closed to the public, udp port 54 wasn't.
Can someone explain what's happening with that amount of bandwidth on DNS. Is this considered an attack? Is this legitimate (innocent) DNS requests from the public? Thoughts?
Sent from my SM-G920I using Tapatalk
Re: High traffic
You are a victim of the bad default firewall setup in the router, of course combined with lack of attention to details
when you configured the router.
You should always have a rule to DROP all NEW traffic incoming on your internet interfaces in the input table.
If not your internal services (like in this case your DNS resolver) will be attacked from the internet.
when you configured the router.
You should always have a rule to DROP all NEW traffic incoming on your internet interfaces in the input table.
If not your internal services (like in this case your DNS resolver) will be attacked from the internet.
Re: High traffic
So you are saying this was definitely an attack...
Also, you saying block a connection state of 'new' only?
What I did after I learned of this DNS issue, I manually added input rules from the outside for legitimate services (i.e pptp and ssh), then I ended the filter list with a deny all. Should this be deny all 'new' only?
Also, you saying block a connection state of 'new' only?
What I did after I learned of this DNS issue, I manually added input rules from the outside for legitimate services (i.e pptp and ssh), then I ended the filter list with a deny all. Should this be deny all 'new' only?
Last edited by Arcee on Tue May 17, 2016 10:26 pm, edited 1 time in total.
Re: High traffic
No when you do it like that, a deny all entry is fine.
Of course you need to allow established/related or you cannot make outgoing traffic.
Of course you need to allow established/related or you cannot make outgoing traffic.
Re: High traffic
This is called a DNS amplification attack - and you weren't the target; you were being used as a soldier in the attacker's army. The actual target of the attack is whatever the source IP addresses were in your torch scan.So you are saying this was definitely an attack...
Also, you saying block a connection state of 'new' only?
What I did after I learned of this DNS issue, I manually added input rules from the outside for legitimate services (i.e pptp and ssh), then I ended the filter list with a deny all. Should this be deny all 'new' only?
And you don't need to specify 'new' because you usually have a very early rule in the chain which allows established,related. This means that only invalid and new connection states are left by the time the router is checking any rules in the chain after that rule. You don't want either of these types anyway, so just dropping all without checking the state is slightly faster than dropping all AND checking the state.
Re: High traffic
Is the correct way or is there missing rules?And you don't need to specify 'new' because you usually have a very early rule in the chain which allows established,related. This means that only invalid and new connection states are left by the time the router is checking any rules in the chain after that rule. You don't want either of these types anyway, so just dropping all without checking the state is slightly faster than dropping all AND checking the state.
Code: Select all
;;; DNS Rule
chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix=""
chain=input action=drop protocol=udp dst-port=53 log=no log-prefix="" Re: High traffic
These rules definitely work.
Probably your WAN interface doesn't have a default drop rule for it, because you shouldn't need to exclusively drop DNS traffic.
I.e. - what _else_ is reaching your router from the WAN side? ssh? webfig?
If your WAN interface is pppoe1-out (for example) then make sure there's a rule in the input chain which says:
in-interface=pppoe1-out action=drop
(drop ALL packets arriving on pppoe1-out) and make sure that this rule comes later in the input chain than any rules which allow things you want (most likely only established,related connection state)
Probably your WAN interface doesn't have a default drop rule for it, because you shouldn't need to exclusively drop DNS traffic.
I.e. - what _else_ is reaching your router from the WAN side? ssh? webfig?
If your WAN interface is pppoe1-out (for example) then make sure there's a rule in the input chain which says:
in-interface=pppoe1-out action=drop
(drop ALL packets arriving on pppoe1-out) and make sure that this rule comes later in the input chain than any rules which allow things you want (most likely only established,related connection state)
Re: High traffic
On which pages In the beginners guide is thatThese rules definitely work.
Probably your WAN interface doesn't have a default drop rule for it, because you shouldn't need to exclusively drop DNS traffic.
I.e. - what _else_ is reaching your router from the WAN side? ssh? webfig?
If your WAN interface is pppoe1-out (for example) then make sure there's a rule in the input chain which says:
in-interface=pppoe1-out action=drop
(drop ALL packets arriving on pppoe1-out) and make sure that this rule comes later in the input chain than any rules which allow things you want (most likely only established,related connection state)
I only have the http with NAT to local IP and port, DNS is only for LAN name resolution for the webserver, with iPad I cant alter hosts file, and traffic from LAN to WAN to LAN was a no go - even after I fixed the subnet brain aneurysm stuff I did
.OOTB you obviously dont have any rule and the wiki is what a wiki is, so I think RouterOS newbies as my self and other learn it the hard way, no one asked me to configure my cable modem In bridge mode and get some RB
.Yeah that rule make sense, and must admit I have worked with ISA and TMG, and your rule is what I would have used in a more "home like" environment, I dont no where my common sense has gone.
I have just added rule for DNS and Bandwith Test, you have an specific issue you search for a fix and find a fix for that particular issue, not thinking in a broader perspective - new CLI/GUI but same procedure.
Re: High traffic
There have been some discussion threads on here about the out-of-the-box configuration of the firewall and proposed changes to it.OOTB you obviously dont have any rule and the wiki is what a wiki is, so I think RouterOS newbies as my self and other learn it the hard way, no one asked me to configure my cable modem In bridge mode and get some RB
If you're using the default dhcp client, then there's a default-drop-all rule for interface ether1-gateway, which works and protects the DNS proxy from being hijacked, but unfortunately, there are many users who need to use pppoe, and the common thing is for them to go into the pppoe configuration and build the client, attach it to ether1-gateway interface, and then when it works, they're happy and never think to go look in the filter table and modify the WAN filters to use pppoe-1 as the WAN interface instead of ether1-gateway.
Worse still is the fact that it may seem valid to leave the rules set to filter on ether1-gateway, because that's what interface the pppoe is connected to, right? Wrong, because when using PPPoE, the physical ethernet interface isn't carrying the IP traffic - it's only carrying pppoe frames, so the IP filter doesn't see anything to inspect. It's the pppoe interface itself which receives the IP packets. It makes sense when you realize what's going on, but to users who haven't ever learned about OSI layers (layer2 vs layer3), this isn't obvious.
Re: High traffic
The extra half layer to layer 2If you're using the default dhcp client, then there's a default-drop-all rule for interface ether1-gateway, which works and protects the DNS proxy from being hijacked, but unfortunately, there are many users who need to use pppoe, and the common thing is for them to go into the pppoe configuration and build the client, attach it to ether1-gateway interface, and then when it works, they're happy and never think to go look in the filter table and modify the WAN filters to use pppoe-1 as the WAN interface instead of ether1-gateway.
Worse still is the fact that it may seem valid to leave the rules set to filter on ether1-gateway, because that's what interface the pppoe is connected to, right? Wrong, because when using PPPoE, the physical ethernet interface isn't carrying the IP traffic - it's only carrying pppoe frames, so the IP filter doesn't see anything to inspect. It's the pppoe interface itself which receives the IP packets. It makes sense when you realize what's going on, but to users who haven't ever learned about OSI layers (layer2 vs layer3), this isn't obvious.
I dont have pppoe connection, but in reference to your pppoe rule "allow" first then your "deny", if i go on with the quick fix solutions i will end up with multiple rules and a lot of them unnecessary.
No one told my RB about the drop rule, I have the DHCP client enable - i have dynamic IP but not more dynamic that i had the same for 2 years when cable modem was configured as router. When changing to bridge mode ISP demand re-registration, where you need to use DHCP client as 1. and 2. of the steps is done with ISP LAN subnet and different DNS servers on there LAN subnet, and off course a new WAN ip.
But there is no drop rule:
Code: Select all
0 ;;; Adgang til Router fra Interne IP
chain=input action=accept src-address-list=Interne_IP log=no log-prefix=""
1 ;;; Allow ICMP echo (ping) replies to the router
chain=input action=accept protocol=icmp src-address-list=Interne_IP icmp-options=0:0-255 log=no
log-prefix=""
2 ;;; Allow ICMP echo (ping) requests from LAN to the router
chain=input action=accept protocol=icmp src-address-list=Interne_IP icmp-options=8:0-255 log=no
log-prefix=""
3 chain=input action=drop protocol=icmp in-interface=internet icmp-options=8:0-255 log=no log-prefix=""
4 ;;; Blocked Netflix adresser TV stue
chain=forward action=drop src-address=192.168.1.201 dst-address-list=Blocked Netflix log=no
log-prefix=""
5 ;;; Adgang til swich fra WAN
chain=forward action=drop dst-address=192.168.1.254 in-interface=internet log=no log-prefix=""
6 ;;; DNS Rule
chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix=""
7 chain=input action=drop protocol=udp dst-port=53 log=no log-prefix=""
8 ;;; Bandwith test
chain=input action=drop protocol=tcp dst-port=2000 log=no log-prefix=""
9 chain=input action=drop protocol=udp dst-port=2000 log=no log-prefix=""Re: High traffic
Okay - a few comments:Code: Select all0 ;;; Adgang til Router fra Interne IP chain=input action=accept src-address-list=Interne_IP log=no log-prefix="" 1 ;;; Allow ICMP echo (ping) replies to the router chain=input action=accept protocol=icmp src-address-list=Interne_IP icmp-options=0:0-255 log=no log-prefix="" 2 ;;; Allow ICMP echo (ping) requests from LAN to the router chain=input action=accept protocol=icmp src-address-list=Interne_IP icmp-options=8:0-255 log=no log-prefix="" 3 chain=input action=drop protocol=icmp in-interface=internet icmp-options=8:0-255 log=no log-prefix="" 4 ;;; Blocked Netflix adresser TV stue chain=forward action=drop src-address=192.168.1.201 dst-address-list=Blocked Netflix log=no log-prefix="" 5 ;;; Adgang til swich fra WAN chain=forward action=drop dst-address=192.168.1.254 in-interface=internet log=no log-prefix="" 6 ;;; DNS Rule chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix="" 7 chain=input action=drop protocol=udp dst-port=53 log=no log-prefix="" 8 ;;; Bandwith test chain=input action=drop protocol=tcp dst-port=2000 log=no log-prefix="" 9 chain=input action=drop protocol=udp dst-port=2000 log=no log-prefix=""
Rules 1 and 2 do nothing, because rule 0 matches the same addresses and allows them to do anything....
You should add a new rule and move it to the very beginning of the input chain:
connection-state=established,related action=accept
Then add a new rule to the end of the input chain:
action=drop
(no rules - just drop)
Then you can safely disable (to test) and then remove rules 6-9
Your current set of input rules can be described as "allow all except" policy - meaning that at the end, there is no drop rule, so the default action of the filter chains is to accept.
The thing to realize about the behavior of the chains is this: rules are processed in order from top to bottom. The first rule where 100% of the criteria are matched will perform its action and stop processing the chain (unless the action is passthrough, log, jump, return, or the add-to-address-list actions). It's good practice to make the last rule in your filter chains be "drop" so that only things you explicitly permit will be allowed. This is a "deny all except" policy, and is generally the best practice for security.
Re: High traffic
Disabled my own copy paste rules.You should add a new rule and move it to the very beginning of the input chain:
connection-state=established,related action=accept
Then add a new rule to the end of the input chain:
action=drop
(no rules - just drop)
Added the two rules top and bottom, no name resolution after that DNS error in IE, but Netflix still running in living room - Big Hoss has not cried havoc.
From log on drop:0 chain=forward action=accept connection-state=established,related log=no log-prefix=""
1 ;;; Adgang til Router fra Interne IP
chain=input action=accept src-address-list=Interne_IP log=no log-prefix=""
2 ;;; Disable ICMP
chain=input action=drop protocol=icmp in-interface=internet icmp-options=8:0-255 log=no
log-prefix=""
3 ;;; Blocked Netflix adresser TV stue
chain=forward action=drop src-address=192.168.1.201 dst-address-list=Blocked Netflix log=no
log-prefix=""
4 ;;; Adgang til swich fra WAN
chain=forward action=drop dst-address=192.168.1.254 in-interface=internet log=no log-prefix=""
5 ;;; DNS Rule
chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix=""
6 chain=input action=drop protocol=udp dst-port=53 log=no log-prefix=""
7 XI ;;; Bandwith test
chain=input action=drop protocol=tcp dst-port=2000 log=no log-prefix=""
8 XI chain=input action=drop protocol=udp dst-port=2000 log=no log-prefix=""
9 XI chain=forward action=drop log=no log-prefix=""
may/21 01:43:05 firewall,info forward: in:ether7 out:internet, src-mac d8:cb:8a:e6:26:f9, proto UDP, 192.168.
1.30:55013->84.200.69.80:53, len 88
may/21 01:43:05 firewall,info forward: in:ether7 out:internet, src-mac d8:cb:8a:e6:26:f9, proto UDP, 192.168.
1.30:53974->84.200.69.80:53, len 73
may/21 01:43:05 firewall,info forward: in:ether7 out:internet, src-mac d8:cb:8a:e6:26:f9, proto UDP, 192.168.
1.30:56964->84.200.69.80:53, len 59
may/21 01:43:05 firewall,info forward: in:ether7 out:internet, src-mac d8:cb:8a:e6:26:f9, proto UDP, 192.168.
1.30:54885->84.200.69.80:53, len 55
may/21 01:43:05 firewall,info forward: in:ether7 out:internet, src-mac d8:cb:8a:e6:26:f9, proto UDP, 192.168.
1.30:59130->84.200.69.80:53, len 57
...
DOH INPUT CHAIN...
Re: High traffic
With INPUT everything works [najs]:
Online scan:
Code: Select all
0 chain=input action=accept connection-state=established,related log=no log-prefix=""
1 ;;; Adgang til Router fra Interne IP
chain=input action=accept src-address-list=Interne_IP log=no log-prefix=""
2 ;;; Disable ICMP
chain=input action=drop protocol=icmp in-interface=internet icmp-options=8:0-255 log=no log-prefix=""
3 ;;; Blocked Netflix adresser TV stue
chain=forward action=drop src-address=192.168.1.201 dst-address-list=Blocked Netflix log=no log-prefix=""
4 ;;; Adgang til swich fra WAN
chain=forward action=drop dst-address=192.168.1.254 in-interface=internet log=no log-prefix=""
5 chain=input action=drop log=yes log-prefix="" Added 21 for an NAS box so its good.PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Re: High traffic
Thank you guys my problem is solve now, i just try seting back again the firewall drop port 53 on my mikotik when i try and try until its work ...
once again thank you guys....
once again thank you guys....
Who is online
Users browsing this forum: lovelifeproblem, voytecky and 14 guests