rodrigobenta
newbie
Topic Author
Posts: 28
Joined: Wed Sep 13, 2017 10:55 pm

Block MAC Address's Attacker

Fri Oct 27, 2017 4:34 pm

Hi friends, a few days ago you solved a problem for me very effectively.
Now I think I have a similar one, that "disgusting" attacker.. he's driving me crazy.
Via the log in MikroTik I detected the MAC address of the attacker, and I'm blocking the IPs he uses, but I want to block the MAC address directly so I don't receive anything more from him.

Any idea how I can do that?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Block MAC Address's Attacker  [SOLVED]

Fri Oct 27, 2017 4:50 pm

/interface bridge filter
add chain=forward src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
add chain=input src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
-Chris
 
BartoszP
Forum Guru
Posts: 3102
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block MAC Address's Attacker

Fri Oct 27, 2017 4:53 pm

There is no way to stop receiving packets so you cannot prevent yourself from being attacked. You can just ignore/drop/reject them.
To specify a particular MAC you just need to specify it in the rule .. example:
chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53 src-mac-address=11:22:33:44:55:66
instead of
chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53
 
rodrigobenta
newbie
Topic Author
Posts: 28
Joined: Wed Sep 13, 2017 10:55 pm

Re: Block MAC Address's Attacker

Fri Oct 27, 2017 5:20 pm

> /interface bridge filter
> add chain=forward src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
> add chain=input src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
> -Chris

Chris, I'm trying this. Thank you so much for your fast answer!
Best for you.
 
rodrigobenta
newbie
Topic Author
Posts: 28
Joined: Wed Sep 13, 2017 10:55 pm

Re: Block MAC Address's Attacker

Fri Oct 27, 2017 5:22 pm

> There is no way to stop receiving packets so you cannot prevent yourself from being attacked. You can just ignore/drop/reject them.
> To specify a particular MAC you just need to specify it in the rule .. example:
> chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53 src-mac-address=11:22:33:44:55:66
> instead of
> chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53

OK, I will mark this information..
If an attacker is DDoSing my server via port 443, because I have a web page, is my log page going to get full of the MAC address of the attacker?
Thank you
 
Feklar
Forum Guru
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Block MAC Address's Attacker

Fri Oct 27, 2017 7:51 pm

Depends on where you are logging the information, and how your network is set up. MAC addresses are layer2 information and do not pass a layer3 hop. So if your web server is not on the same LAN segment as the user, the web server will never see the MAC address, just the IP address the connection requests are coming from. Web servers also do not log MAC addresses, as they are layer7 concepts (applications), and will only log an IP address of a connection.

If you are logging MAC addresses at the router level where this user is connected from, then yes you can see his MAC, and log his connections. Keep in mind however that changing/spoofing one's MAC address is very easy to do, so blocking someone's MAC address will only really stop a casual attacker. Anyone else, it will only very minimally slow them down. Also if you do know the MAC address of the user, you should be able to track them back to a specific AP or switch port assuming you are using managed equipment. This once again depends on your network setup, and the hardware that you have.
 
rodrigobenta
newbie
Topic Author
Posts: 28
Joined: Wed Sep 13, 2017 10:55 pm

Re: Block MAC Address's Attacker

Fri Oct 27, 2017 9:26 pm

> Depends on where you are logging the information, and how your network is set up. MAC addresses are layer2 information and do not pass a layer3 hop. So if your web server is not on the same LAN segment as the user, the web server will never see the MAC address, just the IP address the connection requests are coming from. Web servers also do not log MAC addresses, as they are layer7 concepts (applications), and will only log an IP address of a connection.
>
> If you are logging MAC addresses at the router level where this user is connected from, then yes you can see his MAC, and log his connections. Keep in mind however that changing/spoofing one's MAC address is very easy to do, so blocking someone's MAC address will only really stop a casual attacker. Anyone else, it will only very minimally slow them down. Also if you do know the MAC address of the user, you should be able to track them back to a specific AP or switch port assuming you are using managed equipment. This once again depends on your network setup, and the hardware that you have.

OK, I will have to be continuously monitoring this mf. jaja

Last thing I have to do.. I have to open port 443 in MikroTik to see a web page on my Windows server.. how can I do that? Thank you so much.
 
BartoszP
Forum Guru
Posts: 3102
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block MAC Address's Attacker

Sun Oct 29, 2017 6:42 pm

Oh boy ... again?
Have you checked forum for that? search.php?keywords=open+port
Have you checked wiki for that? https://wiki.mikrotik.com/wiki/Manual:I ... forwarding
 
rodrigobenta
newbie
Topic Author
Posts: 28
Joined: Wed Sep 13, 2017 10:55 pm

Re: Block MAC Address's Attacker

Mon Oct 30, 2017 2:08 pm

> Oh boy ... again?
> Have you checked forum for that? search.php?keywords=open+port
> Have you checked wiki for that? https://wiki.mikrotik.com/wiki/Manual:I ... forwarding

OK, I read it.
Sorry man, I'm worried, because I'm having constant attacks via 3389 and 443, the only open ports, and I don't know how to stop them.
I'm manually adding IPs to a blacklist but it's a bit tiring.
Thanks for your reply
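
The manual blacklisting described in this post, and Feklar's earlier point that a MAC address does not pass a layer-3 hop, can both be checked against the router's firewall log. The following is an added example, not code from the thread: the log line layout, the threshold of 3 and the function names are assumptions, and the sample lines are constructed with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Assumed layout of a RouterOS firewall log entry written by an action=log rule.
LINE_RE = re.compile(
    r"in:(?P<iface>\S+) .*?src-mac (?P<mac>[0-9A-Fa-f:]{17}), proto TCP \(SYN\), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->\d+\.\d+\.\d+\.\d+:(?P<dport>\d+)")

WATCHED_PORTS = {443, 3389}   # the two forwarded ports named in the thread
THRESHOLD = 3                 # assumed cut-off: SYNs per source in this log window

def _line(src, dport):
    # Constructed sample entry; every packet carries the same upstream MAC.
    return ("firewall,info dstnat: in:ETH1-WAN out:(none), src-mac 00:01:23:45:67:89, "
            f"proto TCP (SYN), {src}:50000->192.0.2.10:{dport}, len 52")

SAMPLE_LOG = ([_line("203.0.113.5", 3389)] * 4 + [_line("198.51.100.9", 3389)] * 3
              + [_line("198.51.100.7", 443), _line("198.51.100.7", 80)])

def analyse(lines, threshold=THRESHOLD):
    hits = Counter()                 # SYNs per source IP on watched ports
    ips_per_mac = defaultdict(set)   # source IPs that arrived behind each MAC
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) not in WATCHED_PORTS:
            continue
        hits[m["src"]] += 1
        ips_per_mac[m["mac"].upper()].add(m["src"])
    offenders = sorted(ip for ip, n in hits.items() if n >= threshold)
    # A MAC seen with several source IPs is most likely the next-hop router,
    # not one client, so a MAC drop rule for it would cut off everyone behind it.
    shared_macs = sorted(mac for mac, ips in ips_per_mac.items() if len(ips) > 1)
    return offenders, shared_macs

def blacklist_commands(offenders, list_name="blacklist", timeout="1d"):
    # Address-list entries added with a timeout are removed automatically.
    return [f"/ip firewall address-list add list={list_name} address={ip} timeout={timeout}"
            for ip in offenders]

if __name__ == "__main__":
    offenders, shared = analyse(SAMPLE_LOG)
    print("\n".join(blacklist_commands(offenders)))
    print("MACs shared by several source IPs (do not block):", shared)
```
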
 
BartoszP
Forum Guru
Posts: 3102
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block MAC Address's Attacker

Mon Oct 30, 2017 2:13 pm

"Open" port e.g. 43389 and forward it to 3389 in LAN.
 
rodrigobenta
newbie
Topic Author
Posts: 28
Joined: Wed Sep 13, 2017 10:55 pm

Re: Block MAC Address's Attacker

Mon Oct 30, 2017 4:20 pm

> "Open" port e.g. 43389 and forward it to 3389 in LAN.

GREAT idea! You are my guru, man, jaja.

Is there a way to count how many accesses per minute are allowed to enter my page? Everything to avoid attacks on my web page...
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Block MAC Address's Attacker

Mon Oct 30, 2017 4:28 pm

Add this to your dst-nat rule:
dst-limit=25,40,src-address/1m
This limits a single src-address (i.e. the IP the request for your webserver came from) to 25 new connections per second, burstable to 40 (which might quickly happen when you're running a GUI packed with graphics and CSS). The timeout is one minute - meaning that a connection is held for one minute before a new connection can be made.
Try to adjust the values that it makes sense for you and does give your regular visitors a hard time.

-Chris
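
A simplified model of the `dst-limit=25,40,src-address` rate and burst values from the post above, added here as an example and not taken from the post or from RouterOS. It assumes the matcher behaves as a per-source token bucket (25 per second, burst 40) and does not model the `/1m` expiry; the class and function names are hypothetical and the traffic is constructed.

```python
from collections import defaultdict

class DstLimitModel:
    """Per-source token bucket; tokens are kept in 1/1000 units so that
    millisecond timestamps give exact integer arithmetic."""
    def __init__(self, rate=25, burst=40):
        self.rate, self.cap = rate, burst * 1000
        self.state = {}                      # src -> (tokens, last_ms)

    def allow(self, src, now_ms):
        # A source seen for the first time starts with a full burst allowance.
        tokens, last = self.state.get(src, (self.cap, now_ms))
        # Refill: `rate` tokens per second equals `rate` milli-tokens per ms.
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        ok = tokens >= 1000                  # one new connection costs one token
        self.state[src] = (tokens - 1000 if ok else tokens, now_ms)
        return ok

def simulate(arrivals, rate=25, burst=40):
    """arrivals: iterable of (time_ms, src). Returns {src: [matched, over_limit]}."""
    model = DstLimitModel(rate, burst)
    result = defaultdict(lambda: [0, 0])
    for now_ms, src in sorted(arrivals):
        result[src][0 if model.allow(src, now_ms) else 1] += 1
    return dict(result)

# Constructed traffic: a browser opening 30 connections at once on page load,
# and one source opening 200 new connections per second for two seconds.
BROWSER = [(0, "198.51.100.7")] * 30
FLOOD = [(i * 5, "203.0.113.5") for i in range(400)]

if __name__ == "__main__":
    for src, (ok, over) in simulate(BROWSER + FLOOD).items():
        print(f"{src}: {ok} matched the rule, {over} were over the limit")
```

In this model the browser's page load fits inside the burst, while the flooding source is held to the burst plus 25 new connections per second.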
 
rodrigobenta
newbie
Topic Author
Posts: 28
Joined: Wed Sep 13, 2017 10:55 pm

Re: Block MAC Address's Attacker

Mon Oct 30, 2017 4:51 pm

> Add this to your dst-nat rule:
> dst-limit=25,40,src-address/1m
> This limits a single src-address (i.e. the IP the request for your webserver came from) to 25 new connections per second, burstable to 40 (which might quickly happen when you're running a GUI packed with graphics and CSS). The timeout is one minute - meaning that a connection is held for one minute before a new connection can be made.
> Try to adjust the values that it makes sense for you and does give your regular visitors a hard time.
>
> -Chris

Very clear information. You are helping me so much, guys. I really appreciate your time. Sorry about my bad English, I'm from Uruguay, a little country, and we speak Spanish.
 
BartoszP
Forum Guru
Posts: 3102
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block MAC Address's Attacker

Mon Oct 30, 2017 5:46 pm

No problem,
I am from Poland, not much bigger than Uruguay and we speak Polish :-)
 
rodrigobenta
newbie
Topic Author
Posts: 28
Joined: Wed Sep 13, 2017 10:55 pm

Re: Block MAC Address's Attacker

Mon Oct 30, 2017 6:40 pm

> No problem,
> I am from Poland, not much bigger than Uruguay and we speak Polish :-)

Oh nice! Maybe at this time of year it's a bit cold, isn't it? jaja
Also, do you know why I cannot enter the web page from my local network, but if I try from another place I enter without any problems?