mrtonero
just joined
Topic Author
Posts: 11
Joined: Tue May 17, 2005 2:59 pm
Location: Nigeria

Virus Attack

Tue May 17, 2005 3:20 pm

Hello, :D
I have a sign of infection in my network. The infected computers send packets to port 445, thereby consuming all my upload. My ARP is set to reply-only. I disabled the ARP entries of the infected systems and dropped packets to port 455. But that did not solve the problem.
How can I stop the constant upload from the computers?
 
mp3turbo2
Member Candidate
Posts: 196
Joined: Wed Jun 02, 2004 9:15 am

Tue May 17, 2005 4:29 pm

you definitely can stop the virus - this is known MS virus.

do this:

/ip firewall rule forward
add dst-port=445 protocol=tcp action=drop
add dst-port=445 protocol=udp action=drop
add dst-port=135-139 protocol=tcp action=drop
add dst-port=135-139 protocol=udp action=drop

on all routers, the closer to the infected client the better. This will stop ALL Microsoft NetBIOS based viruses. Of course, inform the infected client about the infection and ask him to clear it up.

bye, mp3turbo.
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Tue May 17, 2005 5:13 pm

If it's a wireless client, it's still going to be having a serious effect on the AP they are connected to, because it's going to consume valuable bandwidth before the router gets a chance to drop the packets. Viruses, ping floods, those kinds of things can quickly cripple an AP.

At least in our case, when we find a client doing something like this, I disable their connection completely via the wireless access table and give them a call. Once they've confirmed they've found and cleaned up the infected machine, then and only then do I let them back online.
 
maximan
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina

Tue May 17, 2005 10:35 pm

Check demo.mt.lv on firewall rules. there are a lot of rules for worms

Maxi
 
oceanlan
just joined
Posts: 11
Joined: Tue Feb 22, 2005 12:35 am

same problem

Tue May 17, 2005 11:00 pm

I am having the same issue...

the wifi link is being compromised because the packets have to travel all the way back to the router before they are dropped.

How can a cable or DSL provider not have this problem?

What is their trick? I am not trying to become an AV salesman...
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Tue May 17, 2005 11:37 pm

They have the problem also, they just have more of a bandwidth buffer to absorb it usually.
 
mp3turbo2
Member Candidate
Posts: 196
Joined: Wed Jun 02, 2004 9:15 am

Wed May 18, 2005 10:47 am

you are all right, I stated:

> on all routers, the closer to infected client the better.

in my post. The closer to the client the better means that the best solution is on the client's side, before the traffic gets into the radio (of course) - this assumes you have control over the client's system. If they use dumb APs or clients without management features, you're stuck.

Note I also said on ALL ROUTERS. Stopping the virus on your most external router is not going to help you too much, because the virus could and will run thru your network, infect the next clients and elevate the problem etc. etc.

bye, mp3turbo.
 
mrtonero
just joined
Topic Author
Posts: 11
Joined: Tue May 17, 2005 2:59 pm
Location: Nigeria

thanks

Thu May 19, 2005 9:12 am

> you definitely can stop the virus - this is known MS virus.
>
> do this:
>
> /ip firewall rule forward
> add dst-port=445 protocol=tcp action=drop
> add dst-port=445 protocol=udp action=drop
> add dst-port=135-139 protocol=tcp action=drop
> add dst-port=135-139 protocol=udp action=drop
>
> on all routers, the closer to infected client the better. This will stop ALL microsoft netbios based viruses. Of course, inform infected client about the infection and ask him to clear it up.
>
> bye, mp3turbo.

Thanks for your response. I have added the firewall entry and the spoofing still persisted. Is there a way I can block or reduce the upload to the router from the infected computer?
Have a nice day.
 
mp3turbo2
Member Candidate
Posts: 196
Joined: Wed Jun 02, 2004 9:15 am

Thu May 19, 2005 5:29 pm

yes, definitely - use /queue simple:

/queue simple
add name="infected-customer" target-address=a.b.c.d/32 limit-at=30000/30000 max-limit=52000/52000


this will give the customer:

a) GUARANTEED download 30000 bits/s = 30kbit/s = speed of analog modem
b) GUARANTEED upload 30000 bits/s = 30kbit/s = speed of analog modem
c) MAXIMUM download 52000 bits/s = 52kbit/s = speed of fast analog modem
d) MAXIMUM upload 52000 bits/s = 52kbit/s = speed of fast analog modem

he can have as many viruses as he can imagine, this will limit him. No questions asked, no exceptions.

Do this on the router as close to the customer as possible. If you limit him on your most outer router (closest to the real Internet), you still give this infected customer the chance to spread viruses on your network at FULL SPEED.

bye, mp3turbo.
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Re: Virus Attack

Mon May 23, 2005 11:18 am

> Hello, :D
> I have a sign of infection in my netowork. The infected computers send packets to port 445, thereby consuming all my upload. my arp is set to reply-only. i disabled the arp entries of the infected systems and dropped packets to port 455. But that did not solve the problem.
> How can I stop constant upload from the computers
By stopping this at the infected computer. The infected computer will keep sending as long as the gateway's mac address is in gateway arp table.
Also blocking ports tcp 135 + 445 plus udp 137-139 will stop most infections from occurring in the first place. However, if you have designed a flat network it is just a matter of time before all will be infected (i.e. someone brings in an infected laptop etc.).
 
kchris
Frequent Visitor
Posts: 62
Joined: Wed Oct 27, 2004 2:58 pm

Mon Jun 06, 2005 1:03 pm

As long as there are no infected computers on the network I don't want to limit the upload speed of my customers. BUT if there is ANY virus-generated traffic on the network I want to block its traffic. So I would like to automate this process.

What I need is a script that checks the amount of incoming packets within a period of time, on a specified WiFi interface. If this value overrides a specified value it's quite sure that a virus is active on the specified subnet. If this script sends an email (>>SMS) I can be sure that 20 of our customers won't suffer just because one of our customers has a virus. Is any script like that available?
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Mon Jun 06, 2005 1:13 pm

Not that i know of.
Personally I always shape bandwidth both ways as most of my customer's customers use P2P software 24/7.
 
kchris
Frequent Visitor
Posts: 62
Joined: Wed Oct 27, 2004 2:58 pm

Mon Jun 06, 2005 3:27 pm

> Not that i know of.
> Personally i always shape bandwith both ways as most of my customer's customers use P2P software 24/7.
ok, that's all right, BUT: if these customers send out SYN/any packets (these packets are small so the number of packets can be high even with low BW), that shaped BW is too high for a virus..

I wouldn't care about viruses if i shaped my users BW to 20-30kbit/s outgoing, but for a customer it's unacceptable..
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Jun 06, 2005 4:22 pm

Do us all a favor and disconnect that zombie machine from the internet 100%. Do not allow them to even connect until they have cleaned up their machine. Allowing a zombie machine to port scan and infect more computers while you know about it could put your business at risk; it's somewhat like watching a burglar break into people's houses over and over and not reporting it.

If you know the source IP of these zombies then disconnect them from access to the internet. If you wish then setup a redirect to port 80 on a machine somewhere on your network telling them of the violation and that they have to clean up before they get reconnected.

The FTC has finally started to talk to ISPs about this very thing. A zombie = TONS OF SPAM. Please block them.

Sam
 
natemclain
just joined
Posts: 7
Joined: Tue Sep 21, 2004 4:12 pm
Location: Okla

Mon Jun 06, 2005 6:33 pm

What is the best way to actually track down who the "zombie" is?
I know that I have several on my network and I would love to just pull the plug on them, but we aren't sure how to track them down.
If you have some ideas let me know and I will get them shut down.. :-)
It would be my pleasure to eliminate them from our network!!!

Nate
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Jun 06, 2005 6:42 pm

A few signs might be clients scanning tons of machines on port 137-139 (going outbound), port 445, or other known vulnerability ports. Zombies (computers that are part of a botnet) usually get infected themselves and then turn around and try to use the same exploit on many others. Once infected they usually will always be trying to find an IRC server on port tcp 6667-6670 to talk to their master. Using the packet sniffer or torch in MT will be able to help you track these down. Also, installing a snort machine alongside your gateway would help automate all of the detection.

If you find an IP address that is zombified on your internal network you can just block that IP address from connecting outbound by placing a firewall rule on the forward chain. Once they've cleaned up their machine allow them back out. If they are using DHCP you might want to block their MAC address instead. There is a lot more that I didn't cover, however the basic goal is to keep these zombies from causing any damage to others.

Sam
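The two signs described above (a client sweeping many hosts on 135-139/445, and a client hunting for an IRC server on 6667-6670) can be pulled out of ordinary firewall logs. The following is an added example, not Sam's tooling or anything shipped with RouterOS: it assumes the router logs forwarded flows with a firewall rule using log=yes and the line layout mimics RouterOS firewall log output, but the sample lines themselves are constructed, as are the hosts, thresholds and function names.

```python
import re
from collections import defaultdict

# Ports the post names as zombie signs: MS RPC/NetBIOS/SMB for propagation,
# 6667-6670 for the IRC command channel.
WORM_PORTS = {135, 136, 137, 138, 139, 445}
IRC_PORTS = set(range(6667, 6671))

# Picks the flow part out of a RouterOS-style firewall log line, e.g.
# "firewall,info fwd forward: in:wlan1 out:ether1, proto TCP (SYN), 10.0.0.5:1025->192.0.2.1:445, len 48"
FLOW_RE = re.compile(
    r"proto (?P<proto>TCP|UDP)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\d+(?:\.\d+){3}):\d+->(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)


def parse_line(line):
    """Return (proto, tcp_flags, src, dst, dport) or None for lines that are not flow logs."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    flags = frozenset((m.group("flags") or "").split(","))
    return m.group("proto"), flags, m.group("src"), m.group("dst"), int(m.group("dport"))


def find_zombies(lines, fanout_threshold=20):
    """Score every source by the two signs from the post above.

    scan_targets: distinct hosts it tried to reach on 135-139/445 (outbound sweep)
    irc_attempts: connection attempts to 6667-6670 (looking for its master)
    Returns {src: {...}} only for sources with at least one reason to be looked at."""
    scan_targets = defaultdict(set)
    irc_attempts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, flags, src, dst, dport = parsed
        # For TCP count only the initial SYN, so an established or reply flow
        # logged many times does not look like a sweep. UDP has no handshake.
        if proto == "TCP" and ("SYN" not in flags or "ACK" in flags):
            continue
        if dport in WORM_PORTS:
            scan_targets[src].add(dst)
        elif proto == "TCP" and dport in IRC_PORTS:
            irc_attempts[src] += 1

    report = {}
    for src in set(scan_targets) | set(irc_attempts):
        targets, irc = len(scan_targets[src]), irc_attempts[src]
        reasons = []
        if targets >= fanout_threshold:
            reasons.append(f"probed {targets} hosts on 135-139/445")
        if irc:
            reasons.append(f"{irc} connection attempt(s) to IRC ports 6667-6670")
        if reasons:
            report[src] = {"scan_targets": targets, "irc_attempts": irc, "reasons": reasons}
    return report


def sample_log():
    """Constructed log lines in RouterOS layout (not captured from a real router)."""
    fmt = ("firewall,info fwd forward: in:wlan1 out:ether1, proto TCP ({flags}), "
           "{src}:{sport}->{dst}:{dport}, len {n}")
    lines = []
    # 10.0.0.5 sweeps 30 hosts on 445/tcp: classic worm propagation
    for i in range(1, 31):
        lines.append(fmt.format(flags="SYN", src="10.0.0.5", sport=1024 + i, dst=f"192.0.2.{i}", dport=445, n=48))
    # 10.0.0.7 touches a few SMB hosts and tries to reach an IRC server
    for i in range(1, 4):
        lines.append(fmt.format(flags="SYN", src="10.0.0.7", sport=2000 + i, dst=f"192.0.2.{i}", dport=139, n=48))
    lines.append(fmt.format(flags="SYN", src="10.0.0.7", sport=2100, dst="198.51.100.9", dport=6667, n=48))
    # 10.0.0.9 browses the web; must not be flagged
    for i in range(1, 6):
        lines.append(fmt.format(flags="SYN", src="10.0.0.9", sport=3000 + i, dst=f"198.51.100.{i}", dport=80, n=48))
    # an established-flow line and an unrelated log line, both to be ignored
    lines.append(fmt.format(flags="ACK,PSH", src="10.0.0.9", sport=3001, dst="198.51.100.1", dport=80, n=1400))
    lines.append("system,info router rebooted")
    return lines


if __name__ == "__main__":
    for src, info in sorted(find_zombies(sample_log()).items()):
        print(src, "; ".join(info["reasons"]))
```

The fan-out count (distinct destinations, not packets) is what separates a sweep from a busy but legitimate file-sharing client, which is why a handful of SMB connections alone does not trigger a report; the IRC sign is reported even once, since a workstation has little reason to open 6667 on its own. Feed it the output of /log print from a router that logs forward traffic, or a syslog file, instead of sample_log().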
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Mon Jun 06, 2005 6:52 pm

> I wouldn't care about viruses if i shaped my users BW to 20-30kbit/s outgoing, but for a customer it's unacceptable..
I am aware of the problems with viruses. PPS count is everything.

We block these things at the CPE. MS file sharing is denied by default and only opened for the few that request it. Generally we do not allow it except for certain customers that are willing to agree to the extra responsibility of monitoring their use very closely. We generally discourage use of LAN protocols on the internet and often refer to VPNs.

Also we use automatic home-grown tools and scripts to detect such behaviour.
Support people get an e-mail and can then call the customer to help them.
If the support people are polite then the customers -love- this kind of personal service. We already have a written package that they can get on website or e-mail for information on the virii.
 
kchris
Frequent Visitor
Posts: 62
Joined: Wed Oct 27, 2004 2:58 pm

Mon Jun 06, 2005 7:13 pm

> I wouldn't care about viruses if i shaped my users BW to 20-30kbit/s outgoing, but for a customer it's unacceptable..
> and scripts to detect such behaviour.
could you share these scripts? I'd need only a script to detect high packet count per interface per period of time...
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Mon Jun 06, 2005 9:47 pm

I really do not want to, considering they are a part of our MT based products.

However i can tell you that if you use:
/ interface monitor-traffic <interface>
you can easily achieve your own with a little bit of scripting. Try:
/ interface monitor-traffic ether1 do={ :environment print }
And you will see the environment variables available to monitor.
 
randyloveless
Member Candidate
Posts: 207
Joined: Thu Sep 30, 2004 10:14 am
Location: california

Sat Jun 11, 2005 10:50 am

sten

do you sell your main MT package , that includes the scripts you are talking about

Randy

randy@srsnetworks.net
 
mp3turbo2
Member Candidate
Posts: 196
Joined: Wed Jun 02, 2004 9:15 am

Sun Jun 19, 2005 12:26 am

hi guys,

try to work with this material:



# sampling period (seconds) and the packets/s figure that should raise an alarm
:global interval;
:global threshold;
:set interval 10;
:set threshold 2000;

# mangle rule with no action: its packet counter measures everything passing the router
/ip firewall mangle add comment="script1" place-before=0

/system script add name="script1-virus-spotter" source={
:if ([/ip firewall mangle get [/ip firewall mangle find comment="script1"] packets] / $interval > $threshold) do={
/tool e-mail send \
to=someone@somewhere.com \
subject=("Traffic through the router exceeded " . $threshold . " packets/s")
/ip firewall mangle reset-counters;
}
}

# run the check once per interval
/system scheduler add name=virus-spotter interval=$interval on-event=script1-virus-spotter




This script will send you email when the packet/s ratio is greater than threshold/interval, or 200 packet/s in this example. To look for individual IPs, add specific mangle rules and a :foreach statement - at least you know something is happening on your network. A good idea is to block at least ports 445 and 135-139:

0 ;;; virus-microsoft-sharing-port
dst-address=:445 protocol=tcp action=drop

1 ;;; virus-microsoft-sharing-port
dst-address=:445 protocol=udp action=drop

2 ;;; virus-microsoft-sharing-port
dst-address=:135-139 protocol=tcp action=drop

3 ;;; virus-microsoft-sharing-port
dst-address=:135-139 protocol=udp action=drop

this way, we eliminated the most problematic things. Packet/s dropped from several thousands to some hundreds :) Then it is easy to find infected clients and call them.

enjoy, mp3turbo.
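The script above, kchris's request for a packet-count-per-period check and sten's /interface monitor-traffic hint all come down to the same arithmetic: read a cumulative packet counter every interval, divide the difference by the interval, and alarm above a threshold. The following is an added example, not mp3turbo's script or anything from RouterOS, and it generalises the idea to one counter per client (the ":foreach over individual IPs" extension mentioned above) so the alarm names the host to rate-limit. It assumes the counter readings are supplied by whatever collects them (per-client mangle rule counters or monitor-traffic output); the readings, hosts and function names here are constructed.

```python
INTERVAL = 10      # seconds between counter readings, as in the script above
THRESHOLD = 200    # packets/s to alarm on: 2000 packets per 10 s interval


def rate_alarms(previous, current, interval=INTERVAL, threshold=THRESHOLD, counter_bits=32):
    """previous/current map client -> cumulative packet counter, one reading per interval.
    Returns {client: packets_per_second} for every client whose average rate over the
    interval exceeds threshold. Counter wrap is handled (older routers keep 32-bit
    counters); a client seen for the first time is measured from zero."""
    modulus = 1 << counter_bits
    alarms = {}
    for client, now in current.items():
        delta = (now - previous.get(client, 0)) % modulus   # wrap-safe difference
        pps = delta / interval
        if pps > threshold:
            alarms[client] = pps
    return alarms


def monitor(snapshots, **kwargs):
    """Walk consecutive readings the way the scheduler would, reporting each client
    once with the rate at which it first crossed the threshold."""
    reported = {}
    for previous, current in zip(snapshots, snapshots[1:]):
        for client, pps in rate_alarms(previous, current, **kwargs).items():
            reported.setdefault(client, pps)
    return reported


def limit_command(client, limit_at="30000/30000", max_limit="52000/52000"):
    """The /queue simple line from earlier in the thread, rendered for one client, so an
    alarm can be turned into the mitigation the thread recommends."""
    return (f'/queue simple add name="infected-{client}" target-address={client}/32 '
            f'limit-at={limit_at} max-limit={max_limit}')


def sample_snapshots():
    """Constructed per-client counter readings 10 s apart (not from a real router).
    10.0.0.5 bursts in the second interval; 10.0.0.7 wraps its 32-bit counter during
    the first one; 10.0.0.9 stays at a normal 40 packets/s throughout."""
    return [
        {"10.0.0.5": 1000,  "10.0.0.7": 4294967000, "10.0.0.9": 500},
        {"10.0.0.5": 1400,  "10.0.0.7": 5000,       "10.0.0.9": 900},
        {"10.0.0.5": 31400, "10.0.0.7": 5300,       "10.0.0.9": 1300},
    ]


if __name__ == "__main__":
    for client, pps in sorted(monitor(sample_snapshots()).items()):
        print(f"{client}: {pps:.1f} packets/s")
        print("  " + limit_command(client))
```

Note the threshold is compared against a rate, not a raw count, so changing the scheduler interval does not silently change what counts as an alarm; and because the readings are cumulative, the counters never need resetting, which avoids the gap between a reset and the next read.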
 
tech69
just joined
Posts: 2
Joined: Sun Apr 24, 2005 12:03 pm

Tue Aug 22, 2006 1:53 pm

/ ip firewall filter
add chain=Virus protocol=tcp dst-port=1434 action=drop comment="port block \
warning" disabled=no
add chain=Virus protocol=udp dst-port=1434 action=drop comment="" disabled=no
add chain=Virus protocol=udp dst-port=2745 action=drop comment="" disabled=no
add chain=Virus protocol=tcp dst-port=6344-6381 action=drop comment="" \
disabled=no
add chain=Virus protocol=udp dst-port=6344-6381 action=drop comment="" \
disabled=no
add chain=Virus protocol=tcp dst-port=1080 action=drop comment="MyDoom" \
disabled=no
add chain=Virus protocol=tcp dst-port=1214 action=drop comment="" disabled=no
add chain=Virus protocol=tcp dst-port=593 action=drop comment="" disabled=no
add chain=Virus protocol=tcp dst-port=1024-1030 action=drop comment="" \
disabled=no
add chain=Virus protocol=tcp dst-port=135-139 action=drop comment="Blaster \
Worm" disabled=no
add chain=Virus protocol=udp dst-port=135-139 action=drop comment="Messenger \
Worm" disabled=no
add chain=Virus protocol=tcp dst-port=445 action=drop comment="Blaster Worm" \
disabled=no
add chain=Virus protocol=udp dst-port=445 action=drop comment="Blaster Worm" \
disabled=no
add chain=Virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
disabled=no
add chain=Virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
disabled=no
add chain=Virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
disabled=no
add chain=Virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
disabled=no
add chain=Virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
disabled=no
add chain=Virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
disabled=no
add chain=Virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
disabled=no
add chain=Virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
disabled=no
add chain=Virus protocol=tcp dst-port=2235 action=drop comment="Drop Beagle" \
disabled=no
add chain=Virus protocol=tcp dst-port=2745 action=drop comment="Drop \
Beagle.C-K" disabled=no
add chain=Virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \
MyDoom" disabled=no
add chain=Virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add chain=Virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=Virus protocol=udp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=Virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
disabled=no
add chain=Virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
disabled=no
add chain=Virus protocol=tcp dst-port=9898 action=drop comment="Drop \
Dabber.A-B" disabled=no
add chain=Virus protocol=tcp dst-port=10000 action=drop comment="Drop \
Dumaru.Y" disabled=no
add chain=Virus protocol=tcp dst-port=10080 action=drop comment="Drop \
MyDoom.B" disabled=no
add chain=Virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
disabled=no
add chain=Virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
disabled=no
add chain=Virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
Agobot, Gaobot" disabled=no
add chain=Virus protocol=tcp dst-port=27374 action=drop comment="Drop \
SubSeven" disabled=no

# forward
add chain=forward connection-state=invalid action=drop comment="" disabled=no
add chain=forward connection-state=related action=accept comment="" \
disabled=no
add chain=forward connection-state=established action=accept comment="" \
disabled=no
add chain=forward action=jump jump-target=Virus comment="" disabled=no

# input
add chain=input connection-state=invalid action=drop comment="" disabled=no
add chain=input connection-state=related action=accept comment="" disabled=no
add chain=input connection-state=established action=accept comment="" \
disabled=no
add chain=input action=jump jump-target=Virus comment="" disabled=no




Copy this into Notepad and save it as firewal.rsc, upload it to the router by FTP, then open a terminal and run:
[admin@gading.lintaswave.net] > import firewal.rsc
