DDoS attack?
Posted: Mon Oct 07, 2013 12:38 pm
by StNick
Hi there,
I have a RB951G-2HnD at home which dials my 10mbps ADSL via PPPoE.
Over the last month or so, I have experienced what I can only assume is some "attack" of sorts, and I am not smart enough to understand how or why it is happening. It has happened about six times now. Basically what happens first is that I notice that my Internet connection is performing very poorly. When I look at my ADSL interface, the outgoing throughput is in the region of 3mbps, which incidentally is impossible on my ADSL line (maximum 1mbps upstream).
When I run Torch on the interface, I see that the traffic is coming from a Russian IP address (no port is shown, even when I tick "Port" in Torch). To fix this, what I've been doing is going to Firewall -> Filter Rules and creating a new rule that drops all traffic to that IP address on the output chain. This immediately fixes my performance, and I can see the rule catching hundreds of megabytes of data until the "attacker" eventually gives up.
Any ideas on what this could be, and/or how I could better-protect myself from future "attacks"? Any advice would be greatly appreciated.
Re: DDoS attack?
Posted: Mon Oct 07, 2013 1:53 pm
by CelticComms
It sounds as if your firewall settings are inadequate, which is allowing somebody access in the first place. Can you upload your firewall settings?
Re: DDoS attack?
Posted: Mon Oct 07, 2013 4:52 pm
by StNick
Sure, what is the best way for me to export them and paste here?
I just took a look and noticed that all of my "Service Ports" (the default ones) were enabled, even though I have no need for any. I have disabled them now. Is that likely to be a hole that I've just plugged?
Re: DDoS attack?
Posted: Mon Oct 07, 2013 8:40 pm
by StNick
Well, it obviously had nothing to do with the service ports considering it just happened again this evening.
Here's a screenshot of the Torch results. Any ideas?
https://dl.dropboxusercontent.com/u/666 ... ssians.jpg
Re: DDoS attack?
Posted: Mon Oct 07, 2013 9:08 pm
by soulflyhigh
/ip dns set allow-remote-requests=no
Re: DDoS attack?
Posted: Mon Oct 07, 2013 9:09 pm
by AlArenal
Is your routerboard's dns publicly available (port 53 tcp and udp)?
You usually don't need the RB's DNS cache. You can disable it if you use your ISP's DNS server in your clients' network configuration, or you can make it unavailable from the WAN side with an appropriate firewall rule.
Re: DDoS attack?
Posted: Mon Oct 07, 2013 9:11 pm
by AlArenal
/ip dns set allow-remote-requests=no
Yep, that's the third option but I remember having seen that this setting leads to unavailable dns cache even from the internal network. But maybe that was a bug, misconfiguration or my memory fools me (probably the latter)...
Re: DDoS attack?
Posted: Mon Oct 07, 2013 10:00 pm
by StNick
Thanks guys. I use Google's DNS servers, but it *was* set to allow remote requests.
I have now disabled that setting, so lets see how it goes from here... Fingers crossed.
Edit: Okay, when I disable that setting, I can't resolve anything from any of the devices on my network. (Sorry guys, I really am a n00b at this)
Re: DDoS attack?
Posted: Mon Oct 07, 2013 10:10 pm
by webpagetech
I would also set up a connection state firewall to protect your LAN if you have not already.
Something along the lines of:
/ip firewall address-list
add address=172.16.0.0/24 list=list-inside-lan
/ip firewall filter
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new src-address-list=list-inside-lan
add action=drop chain=forward
Make sure to change the 172.16.0.0/24 subnet above to whatever your LAN network is.
Re: DDoS attack?
Posted: Mon Oct 07, 2013 11:48 pm
by StNick
I would also set up a connection state firewall to protect your LAN if you have not already.
Something along the lines of:
/ip firewall address-list
add address=172.16.0.0/24 list=list-inside-lan
/ip firewall filter
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward connection-state=new src-address-list=list-inside-lan
add action=drop chain=forward
Make sure to change the 172.16.0.0/24 subnet above to whatever your LAN network is.
Thanks, I'll give this a bash too. Can you tell me what it does?
Re: DDoS attack?
Posted: Tue Oct 08, 2013 12:04 am
by webpagetech
Thanks, I'll give this a bash too. Can you tell me what it does?
Ya it says...
Accept forward traffic that is established (connection has already been new and created from your LAN and is still the same as when it was created)
Accept forward traffic that is related (connection has already been created and is very similar to an established connection (i.e. usually this is when one of the ports changes but the IPs are the same as an established connection, or a data stream like GRE (VPN) was created from an established connection))
Accept forward traffic that is new and from your LAN.
Drop all other forward traffic.
...
In other words only accept traffic that comes from the computers on your LAN. Drop all other traffic.
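The rule order explained above, as an added example that is not part of the thread and is not RouterOS code: a toy connection tracker plus the four forward-chain rules, run over a constructed packet trace (LAN 172.16.0.0/24 as in the posted address list; all IPs, ports and the "quotes" field on the ICMP packet are assumptions made for the illustration). It shows why a reply to a LAN-originated lookup and an ICMP error about that lookup are accepted, while a spoofed reply and an unsolicited inbound connection fall through to the final drop.

```python
# Added example, not from the thread or from RouterOS: a toy model of the four
# forward-chain rules webpagetech posted, run over a constructed packet trace.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

LAN = ip_network("172.16.0.0/24")   # the 'list-inside-lan' address list

FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    quotes: Optional[FlowKey] = None        # ICMP errors quote the flow they refer to

def flow_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def reverse(k: FlowKey) -> FlowKey:
    proto, src, sport, dst, dport = k
    return (proto, dst, dport, src, sport)

class ForwardChain:
    """Simplified conntrack plus the posted rule order."""

    def __init__(self):
        self.conntrack = set()              # flows accepted as 'new' so far
        self.hits = {"established": 0, "related": 0, "new-from-lan": 0, "drop": 0}

    def _tracked(self, k: FlowKey) -> bool:
        return k in self.conntrack or reverse(k) in self.conntrack

    def state(self, p: Packet) -> str:
        if self._tracked(flow_key(p)):
            return "established"            # either direction of a known flow
        if p.quotes is not None and self._tracked(p.quotes):
            return "related"                # e.g. an ICMP error about a known flow
        return "new"

    def filter(self, p: Packet) -> str:
        st = self.state(p)
        if st in ("established", "related"):
            rule = st                       # rules 1 and 2
        elif ip_address(p.src) in LAN:
            rule = "new-from-lan"           # rule 3: new, src in list-inside-lan
            self.conntrack.add(flow_key(p))
        else:
            rule = "drop"                   # rule 4: everything else
        self.hits[rule] += 1
        return "drop" if rule == "drop" else "accept"

def run_trace():
    """Constructed trace: a LAN DNS lookup, its reply, a spoofed reply from a
    different source, an unsolicited inbound SSH attempt, and an ICMP error
    that quotes the lookup. Returns the per-packet verdicts and rule hit counts."""
    fw = ForwardChain()
    dns = ("udp", "172.16.0.10", 51000, "8.8.8.8", 53)
    trace = [
        Packet("172.16.0.10", "8.8.8.8", "udp", 51000, 53),
        Packet("8.8.8.8", "172.16.0.10", "udp", 53, 51000),
        Packet("203.0.113.7", "172.16.0.10", "udp", 53, 51000),
        Packet("203.0.113.7", "172.16.0.10", "tcp", 44444, 22),
        Packet("198.51.100.1", "172.16.0.10", "icmp", quotes=dns),
    ]
    verdicts = [fw.filter(p) for p in trace]
    return verdicts, fw.hits

if __name__ == "__main__":
    for part in run_trace():
        print(part)
```

The "related" case is deliberately narrow here (an ICMP error quoting a tracked flow); real conntrack also handles protocol helpers such as FTP data channels, which the toy model does not attempt.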
Re: DDoS attack?
Posted: Tue Oct 08, 2013 1:06 am
by kmok1
I discovered the same issue two weeks ago. I followed through on some IP addresses, most were not running a name service. Therefore I felt that those were DNS amplification attacks.
I implemented this code into my routers.
/ip firewall filter
add action=drop chain=input comment="Detect & drop DNS amplification attack." \
disabled=no dst-port=53 in-interface=aDSL protocol=udp \
src-address-list=BL-dns
add action=add-src-to-address-list address-list=BL-dns address-list-timeout=12h \
chain=input connection-limit=30,32 disabled=no dst-port=53 in-interface=\
aDSL protocol=udp
You will need to change the in-interface to fit your settings. The first line drops any packets that are in the BL-dns blacklist. The second line limits each IP address with UDP and port 53 to a maximum of 30 connections. If there are over 30 connections, that source IP address is added to BL-dns for 12 hours.
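The two-rule pattern described above (blacklist check first, then a threshold that feeds the blacklist with a 12 hour timeout), as an added example in Python that is neither kmok1's rule nor RouterOS code. RouterOS's connection-limit counts concurrent conntrack entries; this version approximates that with a sliding 60 second window (an assumption), and it goes one step further than the posted rule by optionally keying on the /24 instead of the host, which is the variant StNick describes later in the thread when a whole 199.223.126.0/24 range stayed under the per-host limit. All addresses and timings in the trace are constructed.

```python
# Added example, not kmok1's rule and not RouterOS code: the same blacklist
# idea in Python so the thresholds can be tried on a constructed query trace.
from collections import defaultdict, deque
from ipaddress import ip_network

LIMIT = 30              # connection-limit=30 in the posted rule
WINDOW = 60.0           # assumed: seconds over which those 30 are counted
TIMEOUT = 12 * 3600     # address-list-timeout=12h

class DnsRateGuard:
    def __init__(self, limit=LIMIT, window=WINDOW, timeout=TIMEOUT, prefixlen=32):
        self.limit, self.window, self.timeout = limit, window, timeout
        self.prefixlen = prefixlen          # 32 = per host, 24 = per /24
        self.recent = defaultdict(deque)    # key -> timestamps inside the window
        self.blacklist = {}                 # key -> expiry timestamp (the BL-dns list)

    def key(self, src: str) -> str:
        return str(ip_network(f"{src}/{self.prefixlen}", strict=False))

    def handle(self, ts: float, src: str) -> str:
        """One UDP/53 packet arriving on the WAN interface at time ts."""
        k = self.key(src)
        exp = self.blacklist.get(k)
        if exp is not None:
            if ts < exp:
                return "drop"               # rule 1: source is in BL-dns
            del self.blacklist[k]           # 12h elapsed, entry expires
        q = self.recent[k]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:             # rule 2: over the limit
            self.blacklist[k] = ts + self.timeout
            q.clear()
        # add-src-to-address-list does not itself drop the triggering packet;
        # the next packet from this source is caught by rule 1 instead
        return "accept"

def constructed_trace():
    """Constructed arrivals: one noisy host, one /24 spread over three hosts
    that each stay under the per-host limit, and one quiet outside client."""
    trace = [(i * 0.25, "203.0.113.5") for i in range(40)]
    for i in range(20):
        for host in ("199.223.126.1", "199.223.126.2", "199.223.126.3"):
            trace.append((i * 0.5, host))
    trace += [(1.0, "198.51.100.20"), (2.0, "198.51.100.20")]
    return sorted(trace)

def simulate(prefixlen: int):
    """Run the trace through a guard keyed on /prefixlen; return the verdict
    counts and the blacklist entries left at the end."""
    guard = DnsRateGuard(prefixlen=prefixlen)
    counts = {"accept": 0, "drop": 0}
    for ts, src in constructed_trace():
        counts[guard.handle(ts, src)] += 1
    return counts, sorted(guard.blacklist)

if __name__ == "__main__":
    print("per host:", simulate(32))
    print("per /24: ", simulate(24))
```

With prefixlen=32 only the noisy host is listed; with prefixlen=24 the spread range is caught as well, at the cost of listing every host in a /24 that merely shares an address block with the offender, which is the trade-off to keep in mind before widening the key.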
Re: DDoS attack?
Posted: Tue Oct 08, 2013 10:16 am
by StNick
Thanks so much for the replies everyone, this has been a good learning experience for me.
I've made the changes that webpagetech suggested. As a matter of fact, the rules were there already from the default configuration and I only had to make a couple of changes.
However, I am not sure if this "connection state firewall" is sufficient to prevent the same thing happening again though. Do I still need to explicitly block port 53 to the outside world, as AlArenal suggests?
Re: DDoS attack?
Posted: Tue Oct 08, 2013 10:46 am
by AlArenal
If your device has no DNS service running and therefore there is nothing answering on port 53, you don't need such a rule.
And it's FROM the outside, not TO. Of course you need to be able to make DNS request to the outside, otherwise you won't be able to resolve domain names to IP addresses.
Re: DDoS attack?
Posted: Tue Oct 08, 2013 2:07 pm
by StNick
I discovered the same issue two weeks ago. I followed through on some IP addresses, most were not running a name service. Therefore I felt that those were DNS amplification attacks.
I implemented this code into my routers.
/ip firewall filter
add action=drop chain=input comment="Detect & drop DNS amplification attack." \
disabled=no dst-port=53 in-interface=aDSL protocol=udp \
src-address-list=BL-dns
add action=add-src-to-address-list address-list=BL-dns address-list-timeout=12h \
chain=input connection-limit=30,32 disabled=no dst-port=53 in-interface=\
aDSL protocol=udp
You will need to change the in-interface to fit your settings. The first line drops any packets that are in the BL-dns blacklist. The second line limits each IP address with UDP and port 53 to a maximum of 30 connections. If there are over 30 connections, that source IP address is added to BL-dns for 12 hours.
I almost completely missed your post. Thank you so much for this rule. I have added it, so now I wait and see.
Re: DDoS attack?
Posted: Wed Oct 09, 2013 12:03 am
by StNick
Well, kmok1's solution appears to be working perfectly. I added another similar rule using netmask 24 though, as I was being hit hard by 199.223.126.xxx and since no individual IP was using more than 30 connections, it wasn't being picked up.
I wish I knew why this was happening. I've never had to do anything like this in the 5 years that I've owned a Mikrotik before.
Update: I am starting to understand now... What I have failed to realise until now is that I've basically been running my Mikrotik as an open DNS server, when all I really wanted to do was allow devices on my internal network to use it for that purpose. Therefore, really all I need to do is block all remote requests on my WAN interface.
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ADSL protocol=udp
add action=drop chain=input dst-port=53 in-interface=ADSL protocol=tcp
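A way to confirm that the two drop rules above actually closed the resolver, as an added example that is not from the thread: run it from a host outside the LAN against the router's WAN address. It builds a minimal recursive DNS query for example.com (the name, the transaction id 0x1234 and the 2 second timeout are assumptions), sends it to UDP/53 and classifies the result by the reply header: no reply or REFUSED means the resolver is no longer reachable from outside, while a reply with the RA (recursion available) flag set means it is still open.

```python
# Added example, not from the thread: an open-resolver self-check to run from
# outside against your own WAN address after adding the input-chain drop rules.
import socket
import struct

TXID = 0x1234   # assumed transaction id; any 16-bit value works

def build_query(name: str, txid: int = TXID) -> bytes:
    """Standard query, RD set, one question of type A, class IN."""
    flags = 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header; only the flags matter for this check."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),     # 1 = this is a response
        "rd": bool(flags & 0x0100),     # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,
        "answers": an,
    }

def classify(hdr: dict, txid: int = TXID) -> str:
    if hdr["txid"] != txid or not hdr["qr"]:
        return "not-a-reply"
    if hdr["rcode"] == 5:               # REFUSED: the server declined to recurse
        return "closed"
    return "open" if hdr["ra"] else "no-recursion"

def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query and classify the outcome; 'closed' on silence too."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "closed"             # filtered by the firewall or not listening
    return classify(parse_header(resp))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A single UDP probe can be lost, so treat one "closed" as a hint and repeat it a few times; "open" is conclusive on its own.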
Re: DDoS attack?
Posted: Wed Oct 09, 2013 6:46 pm
by kmok1
Well, kmok1's solution appears to be working perfectly. I added another similar rule using netmask 24 though, as I was being hit hard by 199.223.126.xxx and since no individual IP was using more than 30 connections, it wasn't being picked up.
I wish I knew why this was happening. I've never had to do anything like this in the 5 years that I've owned a Mikrotik before.
Update: I am starting to understand now... What I have failed to realise until now is that I've basically been running my Mikrotik as an open DNS server, when all I really wanted to do was allow devices on my internal network to use it for that purpose. Therefore, really all I need to do is block all remote requests on my WAN interface.
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ADSL protocol=udp
add action=drop chain=input dst-port=53 in-interface=ADSL protocol=tcp
Hey StNick,
For end users, your rules work perfectly. I run an ISP with various DNS servers in the network, so I have to implement in a way that my DNS servers are able to talk to the outside.
FYI, I heard about this DNS amplification (DDOS) attack only a few months ago. Now this is happening to everybody and in my opinion, it is getting out of hand. My drop rule in my edge router is dropping avg 1000 packets per second for the past two weeks.