What native functions in RouterOS support sending pipelined HTTP requests at these kind of rates? I find it unlikely that the attackers are simply proxying their DDoS traffic through infected Mikrotik devices - why not attack the target directly if they have that much bandwidth available? Especially as they do not know the upstream bandwidth or CPU power of the infected device, not all the proxied traffic is likely to make it out so it would actually reduce the power of their attack. This doesn't make sense.There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.
I also have seen themStarting today I see a new flood of random GRE traffic on the internet, not sure if it is caused by this botnet or if it is just coincidence.
It appears to consist of GRE packets with random addresses both outside and inside, and with a UDP payload with random portnumbers and 512 bytes of random data.
yes, it would be helpful for Mikrotik to make a video that explains their default firewall and to let new users know that they should ignore 98% of the crap on youtube and to go to the forum to get advice when changing the default firewall rules. Concur the netinsall process is a tad convoluted and any way to make it more intuitive or easier would be appreciated.Based on my experience installing MOAB for many users .. 100% had very poor firewall security measures due to ignorance and or lack of diligence ... once a router has been compromised the ONLY recourse is to netinstall and manually configure ... MikroTik should make the Netinstall procedure much more transparent [much easier to use] since many get confused by the procedures needed. The DEFAULT firewall currently provided by MikroTik is an excellent starting point ... unfortunately many ignore it.
As stated in the first post:And how to check router against Meris malware? Are there any tips how to check and fix? Is there official cure realise?
That 63K has also been been resolved see last posting in the mentioned tread. Import can as large till the router runs out of storage space.
Speaking of the latter point: keeping up to date IP lists is harder than it needs to be. For example, MikroTik script limits file access to 4 kilobytes, and while there is a workaround to load IP lists up to 63K, it leaves little room for growth if your IP lists have comments. Is there a better way coming in new RouterOS? :) [/url].
You're starting to write like a troll.That's arguing semantics.
There is indeed a delay between the read chunks. The script already cut away the first line and a part of the last lines so that there are clean lines to be imported.Hahahahaha, I love the HTTP Range header hack! But I think you will agree that it is brittle: it is not guaranteed that the server won't change the file in between your 64K chunk requests and make the internal state of your script inconsistent.
@msatterEdit: the script has been adapted to detect changes in file-size during import. It will retry a set number of times and then give an warning on failure that the user has check if the list is still being maintained.
Reading the a list was no problem and using the delimiter allows that IP addresses and IP addresses with range are imported. I did not found it slow on importing and RouterOS will sort the lists. I assume that is done on the moment it is being displayed and in stages.Cybercrime IP Feeds by FireHOL exploits HUNDREDS of lists ... IMO its the most comprehensive system built which is why I use them for MOAB.
The code you have been working on would benefit the MikroTik community greatly [and put MOAB out of business] if you adapted the code to exploits the lists that FireHOL produces -- the only caveat being that there is a significant number of duplicate IP's when merging the lists plus the numeric sequence is important to improve performance -- if the numeric sequence is random the insertion takes longer.
Hello Jotne,This shows number of hits on my router on port 8291 Winbox, last 4 month. It only counts one IP for each user a day, since all who tries to access a non open port are blocked for 24 hours. There has been no increase of traffic.
It even comes without password! Like almost all MikroTik devices, the admin password is empty on first run. So when it was connected before the password was set, it was quite easy to hack it!CCR comes without any default configuration and that includes firewall.
Here you go:Hello Jotne,
would you mind share your script on how to "block the outside IP for 24hrs if they tries to access your non-open port " ? I think it is a good way to prevent those attacks.
Thanks again !
# Establish proper interface list membership
/interface list member
add list=LAN interface=bridge comment="defconf"
add list=WAN interface=ether1 comment="defconf"
# block access to router's IP and IPv6 services originated not through one of LAN interfaces
# This includes also management access: telnet, ssh and winbox
/ip firewall filter
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
/ipv6 firewall filter
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
# allow discovery (MNDP) only on LAN interfaces
/ip neighbor discovery-settings
set discover-interface-list=LAN
# allow MAC services (telnet and winbox) only through LAN interfaces
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
As I got my first ever mikrotik device (a cute little R750Gr3) that I bought to serve as Multiwan Load Balancing and Fail over for my network I dared start fresh with no default settings. Just a beautiful blank canvas.There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.
It is sad, that someone removed default configuration (if it wasn't you on the first boot), as default configuration provide basic firewall that prevents from 99% attacks. I suggest to put at least basic firewall, that could be tuned later (do not forget to set password on your router),As I got my first ever mikrotik device (a cute little R750Gr3) that I bought to serve as Multiwan Load Balancing and Fail over for my network I dared start fresh with no default settings. Just a beautiful blank canvas.There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.
I should have known better! I got hit immediately with a script to fetch a file and open several ports for socks. I can say that socks (pun intended) but it was so much fun! Since I was just configuring it and I was looking frequently at what changes happened in "export" I noticed rather quickly that there was a new command I didn't issue and proceded to secure it before proceding any further.
I am loving this devices! Now I have 12 mikrotik devices and so much new things to try.
I looked at the script and found out it was common for rookies (like myself) to connect a router with no password or an unsafe password and get it 'hijacked'.
Thanks for the information, the support, the devices, and so much flexibility. I am so sad I didn't find this devices earlier in my life.
That's true. But what's the other 1% on the WAN side?It is sad, that someone removed default configuration (if it wasn't you on the first boot), as default configuration provide basic firewall that prevents from 99% attacks.Thanks for the information, the support, the devices, and so much flexibility. I am so sad I didn't find this devices earlier in my life.
I think this is actually Avast. uninstall Avast and see if the issue goes away.Appreciate any clues on what to clean up on the computers causing this in the Mikrotik logs. I've run avast, avast boot scan, malwarebytes, and spybot and not found anything.
It's the Avast wifi scan doing this... Comes with the free version of Avast. Appreciate everyone's help and thankful it's not botnet.I think this is actually Avast. uninstall Avast and see if the issue goes away.Appreciate any clues on what to clean up on the computers causing this in the Mikrotik logs. I've run avast, avast boot scan, malwarebytes, and spybot and not found anything.
I think it is the "Avast Network Scan" module
This is not a MikroTik problem, it is an AVAST problem. You need to write to AVAST to have them solve it.Seeing exact behaviour on my PC. Hope the mikrotik problem solves asap.
Sounds illegal, I don't think MikroTik can legitimately access or control other peoples devices.Contemplating on this subject - wouldn't it be a nice idea for MT or someone outside to create a script, that runs over all public ip's and builds a list of vulnerable MT routers (or get that list from those cocky "investigators" that are publishing stories about Mikrotik), then a second script that goes over these vulnerable IP's, adds a rule to reset to defaults after some hours and runs auto upgrade. That should take care of the problem, but probably make MT upgrade server feel some pain. If you are reaching for keyboard to write something about legality of forcefully upgrading OS or changing settings to defaults - don't! One evil company from Redmond is doing that for maaaaany years and is quite fine and in our case it it serves good, not evil purpose.
They do not know your IP ... they are testing every address which is valid. Your router is one from millions "victims" beeing tested against possible vulnerabilities. Check this https://www.abuseipdb.com/....The question is, how do they know my router from hundreds of millions of IPs around the world and log in remotely within a few minutes?....
+1 physically remove and replace/netinstall.I know that the better solution is to reset the router or netinstall new firmware but the problem is that im too far from the device (thousands of miles) and no one have access there. Could you please advise me what can I do in such case?