Security Issue - FTP port accessible with crafted packets
Posted: Tue Feb 12, 2013 8:28 am
RB2011UAS-2HnD
v5.21
I noticed this message in the Log screen (winbox):
"system error critical login failure for user Administrador from 114.207.246.138 via ftp"
Being an IP address in South Korea (geoip) (Hi, yes I'm working on blocking you out), it's not me (being in Australia).
These messages were coming through frequently - close to one every second. Suspecting that they are trying to brute force guess the password, I:
* Disabled the FTP service through IP > Services
* Added chain=forward action=drop (on their IP address)
Neither of these worked.
I mirrored the traffic from my WAN to my PC and looked at the traffic in Wireshark. I tried to FTP from an external IP, but it didn't work; however, I compared the packets between myself and the attacker, and they appear to have spoofed the windowing parameters at the TCP level, having a high sequence number (although it is possible that this is just a natural number, since they have been trying for a while). Either way, I suspect that differences in their packets have allowed access.
Another possibility is that their TCP session was created before my firewall rule and disabling of ftp, and the router is allowing the pre-established session.
Furthermore, another attack from a Chinese IP began, attacking the SSH port (I don't know why MikroTik enables these ports externally by default). I simply disabled SSH through IP > Services. Instant result - no more attacks.
So it would seem this is FTP specific. Any help, configuration or support would be great (no, South Korean, I don't want your help). I'm happy to provide full packets I have captured via Wireshark etc.
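An added example, not part of the original post: a small detector that reads RouterOS login-failure log messages in the format quoted above, flags a source that fails repeatedly within a time window, and prints a firewall rule for the input chain (packets addressed to the router itself traverse chain=input, not chain=forward, which is why the poster's forward rule had no effect). The timestamps and the extra log lines are constructed; the service-to-port mapping and rule syntax follow RouterOS defaults.

```python
import re
from collections import defaultdict, deque

# Matches the message format quoted in the post; topics prefix, user, IP and service vary.
LOGIN_FAILURE = re.compile(
    r"login failure for user (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>[a-z]+)"
)
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80}  # RouterOS /ip service defaults

# Constructed sample: (seconds since capture start, log message). The first 15 lines repeat
# the message quoted in the post at the ~1/second rate the poster describes.
SAMPLE_LOG = [(t, "system error critical login failure for user Administrador "
                  "from 114.207.246.138 via ftp") for t in range(0, 15)]
SAMPLE_LOG += [(3, "system info account user admin logged in from 10.0.0.2 via winbox"),
               (40, "system error critical login failure for user admin from 203.0.113.9 via ssh")]

def parse_failures(log):
    """Yield (t, user, src, service) for login-failure lines; other lines are skipped."""
    for t, msg in log:
        m = LOGIN_FAILURE.search(msg)
        if m:
            yield t, m["user"], m["src"], m["svc"]

def detect_bruteforce(log, threshold=10, window=60):
    """Return {(src, svc): peak} for sources with >= threshold failures inside `window` seconds."""
    seen = defaultdict(deque)   # per (src, svc): sliding window of failure timestamps
    hits = {}
    for t, _user, src, svc in sorted(parse_failures(log)):
        q = seen[(src, svc)]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits[(src, svc)] = max(hits.get((src, svc), 0), len(q))
    return hits

def routeros_drop_rule(src, svc):
    """Input-chain drop rule for one source; chain=forward never sees traffic to the router."""
    port = SERVICE_PORTS[svc]
    return (f"/ip firewall filter add chain=input protocol=tcp dst-port={port} "
            f"src-address={src} action=drop comment=\"{svc} brute force\"")

if __name__ == "__main__":
    for (src, svc), n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src} -> {svc}: {n} failures within the window")
        print(routeros_drop_rule(src, svc))
```

Disabling the service under IP > Services stops new logins but does not tear down a connection that is already open, so a drop rule on the input chain (or a reboot of the affected service) is what ends an in-progress session.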