SL4Y3R1989
just joined
Topic Author
Posts: 6
Joined: Thu Mar 23, 2017 11:34 am
Location: South Africa

Filtering Malicious Traffic

Fri Jan 11, 2019 1:00 pm

Good day.

I just want to open a discussion around the evolution of filtering malicious traffic and how to drop or minimize the traffic inside your network before it breaks out.

I've been doing some research around this topic and not getting any solid solution. We are basically getting blacklisted every day, where we have to allocate a new public src NAT IP for breakout.

This is influencing the services that we provide to our customers as an ISP.

I'm really open for discussion on how we can go forward in not being blocked so many times.
 
anav
Forum Guru
Posts: 22207
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filtering Malicious Traffic

Fri Jan 11, 2019 2:38 pm

Sounds like education of clients is probably the most important part of a way forward.
Without knowing the root causes of being blacklisted, it's hard to point in the right direction other than perhaps you may need some fancy layer 7 work??
 
SL4Y3R1989
just joined
Topic Author
Posts: 6
Joined: Thu Mar 23, 2017 11:34 am
Location: South Africa

Re: Filtering Malicious Traffic

Fri Jan 11, 2019 3:05 pm

I'm truly open for anything that can work to minimize most malicious traffic on our network.

When you refer to fancy layer 7, could you please suggest what can be done with layer 7?
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Filtering Malicious Traffic

Fri Jan 11, 2019 3:12 pm

How about an "abuse policy"? action -> reaction
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Filtering Malicious Traffic

Sat Jan 12, 2019 12:36 am

It really depends on the nature of the malicious traffic that is landing you on blacklists. My guess is it is mail since that's most prevalent. If it is, you could drop all outbound port 25, 465, and 587 from your clients and make them relay mail through your internal mail server. Once you have the outbound mail, you can scan it as you wish to try to eliminate malicious email and other responses such as informing your infected users.

You could implement any of a number of packet/traffic inspection applications, such as perhaps security-onion.com, ipfire.org, pfsense, Snort, and others (I don't endorse any of these, they're just in my list of things to play with some day).
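The port-25/465/587 relay scheme described above, expressed as RouterOS firewall rules. This is an added example written for this thread, not a configuration posted by tippenring or shipped by MikroTik. The customer subnet (192.0.2.0/24) and the ISP relay address (198.51.100.10) are constructed placeholders; substitute your own. The rules accept mail only toward the relay, record and log every other outbound mail attempt so the infected hosts can be identified and notified, and then drop it.

```routeros
# Added example for this thread (not from the original post). Addresses below
# are constructed placeholders:
#   192.0.2.0/24   - customer subnet behind this router (assumption)
#   198.51.100.10  - the ISP's own mail relay customers must use (assumption)
/ip firewall address-list
add list=customer-lan address=192.0.2.0/24 comment="constructed: customer subnet"
add list=mail-relay address=198.51.100.10 comment="constructed: ISP mail relay"

/ip firewall filter
# 1. Mail toward the ISP relay is the only permitted path on the three mail ports.
add chain=forward action=accept protocol=tcp \
    src-address-list=customer-lan dst-address-list=mail-relay \
    dst-port=25,465,587 comment="allow customer mail only via the ISP relay"

# 2. Anything else on those ports is a direct-to-Internet mail attempt.
#    add-src-to-address-list is a passthrough action: it records the client
#    for one day and the packet continues to the next rule. A host that keeps
#    reappearing in this list is a candidate for the "infected user" notice.
add chain=forward action=add-src-to-address-list protocol=tcp \
    connection-state=new src-address-list=customer-lan dst-port=25,465,587 \
    address-list=direct-smtp-senders address-list-timeout=1d \
    comment="track hosts trying to send mail directly"

# 3. Log the new connection (also passthrough) so the attempts show up in
#    /log and can be forwarded to a syslog collector.
add chain=forward action=log protocol=tcp connection-state=new \
    src-address-list=customer-lan dst-port=25,465,587 \
    log-prefix="direct-smtp-drop" comment="log direct outbound mail"

# 4. Drop the direct attempt. Rules 2 and 3 have already recorded the source.
add chain=forward action=drop protocol=tcp \
    src-address-list=customer-lan dst-port=25,465,587 \
    comment="drop direct outbound mail"

# Review which customers are bypassing the relay:
#   /ip firewall address-list print where list=direct-smtp-senders
#   /log print where message~"direct-smtp-drop"
```

`add` appends to the end of the filter chain, so on a router that already has forward rules, use `place-before=` so these four land ahead of any general accept. The drop also blocks customers who legitimately submit through an outside provider on 465/587; if that is a supported use, either whitelist those destinations with an additional accept rule or restrict the scheme to port 25, which is the port the blacklist operators actually watch.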
 
anav
Forum Guru
Posts: 22207
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filtering Malicious Traffic

Sat Jan 12, 2019 3:05 am

I would certainly recommend trying a service that is decent at blocking crap from getting in......
It's effective and costs pennies and worth a shot to see if it helps in any way, developed by one of our posters for his clients ........ (do a trial)
viewtopic.php?t=137632

However if you have money to burn you could look at this alternative (if the first one above doesn't pan out at all)
https://axiomcyber.com/shield/
 
SL4Y3R1989
just joined
Topic Author
Posts: 6
Joined: Thu Mar 23, 2017 11:34 am
Location: South Africa

Re: Filtering Malicious Traffic

Mon Jan 14, 2019 12:12 pm

Thanks for all the help.

I have updated some of our rules regarding the mail ports, so let's see if it works.

Will keep you updated regarding MOAB and the other site that was suggested.