
FLOODING IS KILLING PLEASE HELP...

Posted: Tue Feb 02, 2010 9:41 pm
by drnitinarora
Hello All!!

I am also stuck with this firewall with the same issue. My firewall config is:

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=!193.126.126.0/24 action=accept in-interface=!ether1
add chain=input action=drop comment="Drop everything else"
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 protocol=tcp action=drop
add chain=forward dst-address=224.0.0.0/3 protocol=udp port=5355 action=drop
add chain=forward dst-address=224.0.0.0/3 protocol=igmp action=drop
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny Back Orifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=445 action=drop comment="deny cifs"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny Back Orifice"

On all MikroTiks, with "Bridge IP firewall" turned on and bridge protocol STP.

My network Setup

All links have been physically working fine for more than a year! The firewall rules were added 1 month ago.



PROBLEM 1:
I cannot access the MikroTiks by IP address with the firewall turned on; they are only accessible via MAC.

PROBLEM 2:
When I check tcpdump on my servers I do not see any UDP flooding.

When using Torch on the MT, I see lots of flooding on ports 137, 138 and 445. There are thousands of connections in the connection list, including those from Server2 IPs, on the MT connected only to Server1.

PROBLEM 3:

The backbone link with the Cisco router shows a throughput of 11 Mbps+ when used alone.
Tx/Rx = -57/-59 dB
Tx/Rx CCQ = 92-99% / 85-99%

With the servers connected: during the day everything goes well (concurrent users online: Server1 75 to 100, Server2 up to 75). During the night the problem starts (concurrent users online: Server1 25-50, Server2 125-250).

The backbone link shows very, very high latency and throughput drops to only 1-2 Mbps.
Tx/Rx = -57/-59 dB
Tx/Rx CCQ = 30-50% / 20-30%
Disconnecting Server2, everything goes well.

More than 5000 connections are seen in the connection list of the backbone link MTs. Tx/Rx = -57/-59 dB,
Tx/Rx CCQ = 92-99% / 85-99%.

Connections from the WAN IPs of Server1 & Server2, and also from the LAN IPs of Server2.

How come so many connections are seen when the firewall is turned on? Why is the backbone link failing?

PLEASE HELP

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Tue Feb 02, 2010 10:04 pm
by drnitinarora
Continued:

Now see in this picture: the LAN IPs of Server2 start pouring in on the MikroTik backbone link... it will go to thousands...

Please help

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Wed Feb 03, 2010 4:00 pm
by ciphercore
Is 192.122.122.3 your home network?

http://tools.ietf.org/html/rfc1918

    RFC 1918    Address Allocation for Private Internets    February 1996

    3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the
    following three blocks of the IP address space for private internets:

        10.0.0.0        -   10.255.255.255  (10/8 prefix)
        172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
        192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

drnitinarora wrote:
    All links physically working fine since more than 1 year! Firewall rules added 1 month ago

I could look at your rules, but how about you disable them all, then re-enable them one at a time?

Also you get extra points for having lots of info in your post.

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Wed Feb 03, 2010 4:51 pm
by drnitinarora
ciphercore wrote:
    Is 192.122.122.3 your home network?
    http://tools.ietf.org/html/rfc1918
    [RFC 1918 section 3, "Private Address Space", quoted as in the reply above]
    I could look at your rules, but how about you disable them all, then re-enable them one at a time?
    Also you get extra points for having lots of info in your post.

What do you mean by extra points? I am new here and to the system I described. I am suffering with this issue and my boss is chewing my head. I'm not doing this for points. Please help if you can. The main issue was left without discussion! :( :( :(

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Wed Feb 03, 2010 5:12 pm
by ciphercore
Extra points = you did a good job of providing lots of information and pictures. Many people do not provide enough information.
  • 192.122.122.3 This IP is a public address. You should be using between 192.168.0.0-192.168.254.254.
  • Also like I said, you can try disabling your firewall rules, then enable them one at a time.
Re-read my first post.... then read it again.

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Wed Feb 03, 2010 5:53 pm
by drnitinarora
Thanks cipher, I corrected all the addresses in the network, but still the same problem; all rules were added one by one.

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Wed Feb 03, 2010 6:06 pm
by ciphercore
OK. I will have a better look later; I should be working right now. I just wanted to point out what I noticed right away.

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Thu Feb 04, 2010 7:54 am
by mrz
1. In the input chain you don't have any rule to allow Winbox connections.
Add a rule in the input chain that accepts tcp/8291, then Winbox should work.

2. You have a lot of connections most likely because clients are using torrents or other P2P.
P2P opens hundreds of connections.

If that is the problem for you, then you can set up the firewall to limit the connection count per user.
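
Both of mrz's points as concrete rules, written for this thread as an added example (none of the posters' configuration). Assumptions: RouterOS 3.x-5.x syntax of the thread's era; the LAN faces the router on a bridge named "bridge1" numbered 192.168.10.0/24; ether1 is the uplink, as in the posted rules; the comment strings "Drop everything else" and "drop invalid connections" are the ones from the posted config, used here only to position the new rules. The 150-connection ceiling is a guess to be tuned.

```routeros
# Added example for this thread, not configuration from any poster.
# Assumptions: RouterOS 3.x-5.x syntax; LAN on bridge "bridge1",
# 192.168.10.0/24; ether1 is the uplink as in the posted rules.

/ip firewall filter

# --- Problem 1: management access with the firewall on -----------------
# The posted input chain accepts established, ICMP and one src/interface
# combination, then drops everything else. A fresh Winbox session is a
# connection-state=new tcp/8291 packet, so it hits the final drop; only
# MAC-Winbox, which bypasses the IP firewall, keeps working. Accept it
# explicitly, from the LAN only, and insert the rule before the final drop.
add chain=input connection-state=related action=accept \
    comment="allow related (ICMP errors, FTP data)" \
    place-before=[find comment="Drop everything else"]
add chain=input in-interface=bridge1 src-address=192.168.10.0/24 \
    protocol=tcp dst-port=8291,22 connection-state=new action=accept \
    comment="LAN management: winbox, ssh" \
    place-before=[find comment="Drop everything else"]

# --- Problem 2: cap concurrent connections per client ------------------
# connection-limit=count,netmask matches once a source (grouped per /32
# here) already holds <count> tracked connections. Tag the offender into
# an address list and refuse its new connections for 10 minutes; the
# sessions it already has are left alone.
# The drop rule goes first so an already-tagged host is stopped before
# the tag rule is evaluated again (add-*-to-address-list does not end
# rule processing by itself).
add chain=forward src-address-list=conn-hogs connection-state=new action=drop \
    comment="no new connections from tagged hosts" \
    place-before=[find comment="drop invalid connections"]
# 150 is an assumed ceiling: take it from the connection-table counts of
# a quiet day, with headroom for NAT'd servers that legitimately carry
# many sessions, or you will throttle your heavy legitimate hosts too.
add chain=forward protocol=tcp connection-state=new connection-limit=150,32 \
    action=add-src-to-address-list address-list=conn-hogs \
    address-list-timeout=10m \
    comment="tag hosts holding >150 tcp connections" \
    place-before=[find comment="drop invalid connections"]

# See who is being tagged before tightening the number:
# /ip firewall address-list print where list=conn-hogs
# /ip firewall connection print count-only where src-address~"^192.168.10.5:"
```

The input rule is deliberately restricted to the LAN interface and subnet: opening tcp/8291 on the uplink as well would expose the router's management service to the Internet, which the posted "Drop everything else" rule was presumably meant to prevent. Keep MAC-Winbox as the recovery path while testing the new rule order.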

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Sat Feb 06, 2010 7:05 pm
by drnitinarora
Dear mrz, I am new to this setup and not familiar with MT. Can you please tell me, or point me to where I can read about, formulating the firewall rules?

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Mon Feb 15, 2010 10:42 pm
by jitudhk
Bro, you had better first look up the Conficker worm. I think some of your clients are infected by this. Disable NetBIOS over TCP/IP on the client PCs. I hope this will help you get out of this.

You can download the latest Conficker remover from the Microsoft Download Center.
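
The Torch observation in the first post (one host after another fanning out to tcp/445 and udp/137-138) is exactly the traffic pattern of a worm scanning its subnet for SMB hosts. The posted rules already drop those ports in the tcp/udp chains; what they do not do is tell you which client PCs are generating the noise. The following rules, added here as an example and not taken from any poster, tag such sources into an address list so they can be cleaned one by one. Assumptions: RouterOS 3.x-5.x syntax; the LAN is bridged on "bridge1" with the bridge IP firewall enabled, as the first post says; the rate thresholds are guesses to be tuned against your own Torch figures; "drop invalid connections" is the posted comment used only to position the rules.

```routeros
# Added example for this thread, not configuration from any poster.
# Assumptions: RouterOS 3.x-5.x syntax; LAN bridged on "bridge1";
# thresholds (2/s, burst 20) are guesses, tune them to your Torch numbers.

# Bridged frames only pass through /ip firewall forward and connection
# tracking (which is where the Server2 LAN entries show up) with this on.
# The first post says it already is; shown here so the rules below work.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter

# Optional quarantine: a tagged host gets no new connections across the
# router for an hour, so its owner notices and calls. Leave this out if
# you only want the inventory and prefer to clean hosts quietly.
add chain=forward src-address-list=smb-scanners connection-state=new action=drop \
    comment="quarantine: tagged smb/netbios scanner" \
    place-before=[find comment="drop invalid connections"]

# Worm fan-out: one source opens new tcp/445 (or 139) sessions to many
# peers within seconds. dst-limit=rate,burst,mode/expire keeps a per
# src-address budget: 2 new connections per second sustained, burst of
# 20, state expires after 1 minute idle. Within budget the rule is a
# passthrough (it consumes the budget but leaves the accept/drop decision
# to the posted tcp/udp chains); over budget the source gets tagged.
add chain=forward protocol=tcp dst-port=139,445 connection-state=new \
    dst-limit=2/1s,20,src-address/1m action=passthrough \
    comment="smb: within normal rate" \
    place-before=[find comment="drop invalid connections"]
add chain=forward protocol=tcp dst-port=139,445 connection-state=new \
    action=add-src-to-address-list address-list=smb-scanners \
    address-list-timeout=1h comment="smb: fan-out, tag source" \
    place-before=[find comment="drop invalid connections"]
add chain=forward protocol=udp dst-port=137,138 connection-state=new \
    dst-limit=2/1s,20,src-address/1m action=passthrough \
    comment="netbios: within normal rate" \
    place-before=[find comment="drop invalid connections"]
add chain=forward protocol=udp dst-port=137,138 connection-state=new \
    action=add-src-to-address-list address-list=smb-scanners \
    address-list-timeout=1h comment="netbios: fan-out, tag source" \
    place-before=[find comment="drop invalid connections"]

# The list is the infection inventory. Clean each host on it, then do
# what jitudhk suggests (disable NetBIOS over TCP/IP) so it stays quiet:
# /ip firewall address-list print where list=smb-scanners
```

Note that the rules are added in the order quarantine, within-rate, tag, and each is placed before the same existing rule, so they end up in that order at the top of the forward chain. A legitimate file server talking to many clients will also trip a per-source budget of 2/s; exempt it with a `src-address=!<server>` match on the two tag rules rather than raising the threshold for everyone.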

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Thu Feb 25, 2010 3:11 pm
by drnitinarora
Tried disabling NetBIOS also. 85% of users have disabled it. Still the same.

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Thu May 26, 2011 11:45 am
by alherman
You can try the following:
1. Put in a firewall filter rule to block P2P ports (torrent and the like).
2. Put in a queue limit for all-p2p (there is a P2P setting under Advanced) and make it 1k for download and also 1k for upload.
3. Activate the web-proxy in MikroTik and deny all *torrent*, *bittorrent*, *tracker* (in Access).

All three work fine for me.

As I see it, all your captures are P2P programs such as BitTorrent, uTorrent, etc.

Cheers mate.

Re: FLOODING IS KILLING PLEASE HELP...

Posted: Sun May 29, 2011 2:04 am
by dssmiktik
alherman wrote:
    You can try the following:
    1. a firewall filter rule to block P2P ports (torrent and the like);
    2. a queue limit for all-p2p (there is a P2P setting under Advanced), set to 1k download and 1k upload;
    3. the MikroTik web-proxy, denying *torrent*, *bittorrent* and *tracker* in its access list.

To add, you could also create DNS rules to redirect specific domain names to 127.0.0.1; this should reduce the CPU load of the web-proxy, with minimal network traffic (small UDP DNS packets).
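
alherman's three steps and dssmiktik's DNS addition, carried through as one configuration. This is an added example for this thread, not configuration posted by either of them. Assumptions: RouterOS 5.x syntax (the era of these two posts; in v6 the simple-queue parameter `target-addresses` became `target`); the LAN faces the router on "bridge1" numbered 192.168.10.0/24; the tracker host names are placeholders; upstream DNS servers are already set under /ip dns.

```routeros
# Added example for this thread, not configuration from any poster.
# Assumptions: RouterOS 5.x syntax; LAN on bridge1, 192.168.10.0/24;
# host names below are placeholders.

# Step 1: drop what the built-in P2P matcher recognises. It keys on
# unencrypted BitTorrent/eDonkey/Gnutella/... handshakes, so clients with
# protocol encryption turned on slip past it; steps 3 and 4 catch some of
# those at the tracker lookup instead.
/ip firewall filter
add chain=forward p2p=all-p2p action=drop comment="drop recognised p2p"

# Step 2 (use instead of step 1 if you would rather starve than block):
# mark P2P connections in mangle, then queue the marked packets to
# 1 kbit/s each way for the whole LAN.
/ip firewall mangle
add chain=prerouting p2p=all-p2p action=mark-connection \
    new-connection-mark=p2p-conn passthrough=yes
add chain=prerouting connection-mark=p2p-conn action=mark-packet \
    new-packet-mark=p2p passthrough=no
/queue simple
add name=p2p-throttle target-addresses=192.168.10.0/24 packet-marks=p2p \
    max-limit=1k/1k

# Step 3: web proxy that refuses tracker/torrent sites by host name and
# by path, made transparent with a dstnat redirect of LAN port 80.
# HTTPS is not redirected, so https:// tracker pages are not covered.
/ip proxy
set enabled=yes port=8080
/ip proxy access
add dst-host=*torrent* action=deny
add dst-host=*bittorrent* action=deny
add dst-host=*tracker* action=deny
add path=*.torrent action=deny
/ip firewall nat
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent web proxy"

# Step 4 (dssmiktik): answer known tracker names with 127.0.0.1 from the
# router's own DNS so the client never reaches the proxy at all, and force
# LAN clients onto that resolver so a hard-coded public DNS cannot bypass it.
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=tracker.example.org address=127.0.0.1
add name=announce.example.net address=127.0.0.1
/ip firewall nat
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force clients to router DNS"
```

Steps 1 and 2 are alternatives: if the filter drops a connection the queue never sees it. The DNS blackhole is the cheapest of the four and also the easiest to evade (trackers reached by IP, DHT and peer exchange need no DNS), so treat it as a load reducer for the proxy, as dssmiktik says, not as the control.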