Block MAC Address's Attacker
Posted: Fri Oct 27, 2017 4:34 pm
by rodrigobenta
Hi friends, a few days ago you solved a problem for me very effectively.
Now I think I have a similar one, that "disgusting" attacker.. he's driving me crazy.
Via the log in MikroTik I detected the MAC address of the attacker.. and I'm blocking the IPs he uses.. but I want to block the MAC address directly so I don't receive anything more from him..
Any idea how I can do that?
Re: Block MAC Address's Attacker [SOLVED]
Posted: Fri Oct 27, 2017 4:50 pm
by cdiedrich
/interface bridge filter
add chain=forward src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
add chain=input src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
-Chris
Re: Block MAC Address's Attacker
Posted: Fri Oct 27, 2017 4:53 pm
by BartoszP
There is no way to stop receiving packets, so you cannot prevent yourself from being attacked. You can just ignore/drop/reject them.
To specify a particular MAC you just need to specify it in the rule .. example:
chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53 src-mac-address=11:22:33:44:55:66
instead of
chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53
Re: Block MAC Address's Attacker
Posted: Fri Oct 27, 2017 5:20 pm
by rodrigobenta
> /interface bridge filter
> add chain=forward src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
> add chain=input src-mac-address=00:01:23:45:67:89 in-bridge=yourbridge action=drop
> -Chris

Chris, I'm trying this. Thank you so much for your fast answer!
Best for you.
Re: Block MAC Address's Attacker
Posted: Fri Oct 27, 2017 5:22 pm
by rodrigobenta
> There is no way to stop receiving packets, so you cannot prevent yourself from being attacked. You can just ignore/drop/reject them.
> To specify a particular MAC you just need to specify it in the rule .. example:
> chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53 src-mac-address=11:22:33:44:55:66
> instead of
> chain=input action=reject reject-with=icmp-host-unreachable protocol=udp in-interface=ETH1-WAN dst-port=53

OK, I will note this information..
If an attacker is DDoSing my server via port 443, because I have a web page.. is my log going to get full of the attacker's MAC address... ??
Thank you
Re: Block MAC Address's Attacker
Posted: Fri Oct 27, 2017 7:51 pm
by Feklar
Depends on where you are logging the information, and how your network is set up. MAC addresses are layer 2 information and do not pass a layer 3 hop. So if your web server is not on the same LAN segment as the user, the web server will never see the MAC address, just the IP address the connection requests are coming from. Web servers also do not log MAC addresses, as they are layer 7 concepts (applications), and will only log the IP address of a connection.
If you are logging MAC addresses at the router level where this user is connected from, then yes you can see his MAC, and log his connections. Keep in mind however that changing/spoofing one's MAC address is very easy to do, so blocking someone's MAC address will only really stop a casual attacker. Anyone else, it will only very minimally slow them down. Also if you do know the MAC address of the user, you should be able to track them back to a specific AP or switch port assuming you are using managed equipment. This once again depends on your network setup, and the hardware that you have.
Re: Block MAC Address's Attacker
Posted: Fri Oct 27, 2017 9:26 pm
by rodrigobenta
> Depends on where you are logging the information, and how your network is set up. MAC addresses are layer 2 information and do not pass a layer 3 hop. So if your web server is not on the same LAN segment as the user, the web server will never see the MAC address, just the IP address the connection requests are coming from. Web servers also do not log MAC addresses, as they are layer 7 concepts (applications), and will only log the IP address of a connection.
> If you are logging MAC addresses at the router level where this user is connected from, then yes you can see his MAC, and log his connections. Keep in mind however that changing/spoofing one's MAC address is very easy to do, so blocking someone's MAC address will only really stop a casual attacker. Anyone else, it will only very minimally slow them down. Also if you do know the MAC address of the user, you should be able to track them back to a specific AP or switch port assuming you are using managed equipment. This once again depends on your network setup, and the hardware that you have.

OK, I will have to be continuously monitoring this mf. jaja
Last thing I have to do.. I have to open port 443 in MikroTik to see a web page on my Windows server.. how can I do that? Thank you so much.
Re: Block MAC Address's Attacker
Posted: Sun Oct 29, 2017 6:42 pm
by BartoszP
Oh boy ... again?
Have you checked the forum for that?
search.php?keywords=open+port
Have you checked the wiki for that?
https://wiki.mikrotik.com/wiki/Manual:I ... forwarding
Re: Block MAC Address's Attacker
Posted: Mon Oct 30, 2017 2:08 pm
by rodrigobenta
OK, I read it.
Sorry man, I'm worried, because I'm having constant attacks via 3389 and 443, the only open ports, and I don't know how to stop them.
I'm adding IPs manually to a blacklist but it's a bit tiring.
Thanks for your reply
Re: Block MAC Address's Attacker
Posted: Mon Oct 30, 2017 2:13 pm
by BartoszP
"Open" port e.g. 43389 and forward it to 3389 in LAN.
Re: Block MAC Address's Attacker
Posted: Mon Oct 30, 2017 4:20 pm
by rodrigobenta
> "Open" port e.g. 43389 and forward it to 3389 in LAN.

GREAT idea! You are my guru, man. jaja
Is there a way to count how many accesses per minute are allowed to enter my page? Everything to avoid attacks on my web page...
Re: Block MAC Address's Attacker
Posted: Mon Oct 30, 2017 4:28 pm
by cdiedrich
Add this to your dst-nat rule:
dst-limit=25,40,src-address/1m
This limits a single src-address (i.e. the IP the request for your webserver came from) to 25 new connections per second, burstable to 40 (which might quickly happen when you're running a GUI packed with graphics and CSS). The timeout is one minute - meaning that a connection is held for one minute before a new connection can be made.
Try to adjust the values so that it makes sense for you and doesn't give your regular visitors a hard time.
-Chris
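Putting BartoszP's non-standard-port suggestion and Chris's dst-limit hint together, here is an added RouterOS configuration example (not posted by anyone in the thread). It assumes the WAN interface name ETH1-WAN from BartoszP's rule, a Windows server at the constructed address 192.168.88.10, and RouterOS v6 syntax; it also replaces the manual IP blacklist with an address list that fills itself.

```routeros
# Added example, not from the thread. Assumptions: WAN interface ETH1-WAN
# (as in BartoszP's rule), server at 192.168.88.10 (constructed address),
# RouterOS v6 command syntax. Place the filter rules above any accept rules.

# 1. Publish RDP on an unusual external port (BartoszP's idea) and forward
#    it to 3389 on the server. Port scanners still find it, but the noise on
#    the log drops a lot.
/ip firewall nat
add chain=dstnat in-interface=ETH1-WAN protocol=tcp dst-port=43389 action=dst-nat to-addresses=192.168.88.10 to-ports=3389 comment="RDP: 43389 -> 3389"

# 2. Web port with Chris's dst-limit: at most 25 new connections per second
#    per source address, burst 40, the per-source counter expiring after 1m.
#    A packet over the limit does not match, so it is not forwarded at all.
add chain=dstnat in-interface=ETH1-WAN protocol=tcp dst-port=443 dst-limit=25,40,src-address/1m action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="HTTPS, rate-limited per source"

# 3. Automatic blacklist for RDP instead of adding IPs by hand.
#    dst-nat happens before the forward chain, so match the translated port.
#    Rules are evaluated top-down and add-src-to-address-list is passthrough:
#    1st new connection in a minute -> rdp_stage1, 2nd -> rdp_stage2,
#    3rd -> rdp_blacklist (kept for 1 day), 4th and later -> dropped.
#    A legitimate user opens one RDP session and never reaches stage 2.
/ip firewall filter
add chain=forward in-interface=ETH1-WAN protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_blacklist action=drop comment="drop blacklisted RDP sources"
add chain=forward in-interface=ETH1-WAN protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_stage2 action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=1d comment="3rd attempt in 1m -> blacklist"
add chain=forward in-interface=ETH1-WAN protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_stage1 action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=1m comment="2nd attempt in 1m"
add chain=forward in-interface=ETH1-WAN protocol=tcp dst-port=3389 connection-state=new action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=1m comment="1st attempt"

# Check who got caught:
/ip firewall address-list print where list=rdp_blacklist
```

The same three-stage pattern can be attached to the 443 forward if the dst-limit alone is not enough; tune the timeouts and the 25/40 values against your real visitor traffic before trusting them.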
Re: Block MAC Address's Attacker
Posted: Mon Oct 30, 2017 4:51 pm
by rodrigobenta
> Add this to your dst-nat rule:
> dst-limit=25,40,src-address/1m
> This limits a single src-address (i.e. the IP the request for your webserver came from) to 25 new connections per second, burstable to 40 (which might quickly happen when you're running a GUI packed with graphics and CSS). The timeout is one minute - meaning that a connection is held for one minute before a new connection can be made.
> Try to adjust the values so that it makes sense for you and doesn't give your regular visitors a hard time.
> -Chris

Very clear information. You are helping me so much, guys. I really appreciate your time. Sorry about my bad English, I'm from Uruguay, a little country, and we speak Spanish.
Re: Block MAC Address's Attacker
Posted: Mon Oct 30, 2017 5:46 pm
by BartoszP
No problem,
I am from Poland, not much bigger than Uruguay, and we speak Polish :-)
Re: Block MAC Address's Attacker
Posted: Mon Oct 30, 2017 6:40 pm
by rodrigobenta
> No problem,
> I am from Poland, not much bigger than Uruguay, and we speak Polish :-)

Oh nice! Maybe at this time of year it's a bit cold, isn't it? jaja
Also, do you know why I can not enter the web page from my local network, but if I try from another place I enter without any problems?