TCP connections from china

Posted: Tue May 27, 2014 12:10 pm
by adm
Currently I'm seeing attacks on my router, RB750UP MikroTik v6.10:
TCP CONNECTION ESTABLISHED FROM 183.60.48.25 china
In my IP service list I have only the winbox port active and the rest are disabled ...

I'm connecting to my server through PPTP and VPN .....

and these attacks make my router drop my PPPoE connections, restarting, disconnecting and connecting..

Is there an easy script to block or drop these connections.....

or do I need to understand the DDoS attacks wiki for MikroTik ????

Can anybody give some easy advice pls .... many thx

Re: TCP connections from china

Posted: Tue May 27, 2014 1:54 pm
by sguox
Can you see what ports the IP is connected to?

Re: TCP connections from china

Posted: Tue May 27, 2014 2:40 pm
by jarda
I guess it is 53. If so, it is widely discussed all around. Solution is easy: Drop it.

Re: TCP connections from china

Posted: Tue May 27, 2014 3:34 pm
by sguox
If your IP > DNS is enabled, you should always drop external requests on cto and ISP; open resolver attacks are very common.

Re: TCP connections from china

Posted: Tue May 27, 2014 10:36 pm
by adm
Thx.. for all your replies ....

With /ip firewall connection print in the terminal I don't see any China IP....

Maybe I need to read the DDoS attack wiki again..... maybe a connection limit in a firewall NAT rule...

Re: TCP connections from china

Posted: Mon Oct 12, 2015 11:08 am
by berry2012
Hello,

I have a similar problem with my Cloud Core Router 6.32.2.
My input chain firewall rules to block these IP addresses from accessing my router from the public side are not working, and I can trace the IP in Connection tracking.
The IP is from China. I disabled the VPN configs and the IP is still establishing connections frequently.
Please, how do I put an end to this?

See my log

oct/10 23:39:02 pptp,info TCP connection established from 183.60.48.25
oct/10 23:39:02 pptp,debug,packet rcvd Start-Control-Connection-Request from 183.60.48.25
oct/10 23:39:02 pptp,debug,packet protocol-version=0x0100
oct/10 23:39:02 pptp,debug,packet framing-capabilities=1
oct/10 23:39:02 pptp,debug,packet bearer-capabilities=1
oct/10 23:39:02 pptp,debug,packet maximum-channels=0
oct/10 23:39:02 pptp,debug,packet firmware-revision=0
oct/10 23:39:02 pptp,debug,packet host-name=
oct/10 23:39:02 pptp,debug,packet vendor-name=
oct/10 23:39:02 pptp,debug,packet sent Start-Control-Connection-Reply to 183.60.48.25
oct/10 23:39:02 pptp,debug,packet protocol-version=0x0100
oct/10 23:39:02 pptp,debug,packet result-code=1
oct/10 23:39:02 pptp,debug,packet error-code=0
oct/10 23:39:02 pptp,debug,packet framing-capabilities=2
oct/10 23:39:02 pptp,debug,packet bearer-capabilities=0
oct/10 23:39:02 pptp,debug,packet maximum-channels=0
oct/10 23:39:02 pptp,debug,packet firmware-revision=1
oct/10 23:39:02 pptp,debug,packet host-name=KVPROUTER2
oct/10 23:39:02 pptp,debug,packet vendor-name=MikroTik
oct/10 23:39:02 pptp,ppp,debug <9>: LCP lowerdown
oct/10 23:39:02 pptp,ppp,debug <9>: LCP down event in initial state
oct/11 04:29:10 pptp,info TCP connection established from 141.105.66.185
oct/11 04:29:10 pptp,debug received too big control message, disconnecting
oct/11 04:29:10 pptp,ppp,debug <10>: LCP lowerdown
oct/11 04:29:10 pptp,ppp,debug <10>: LCP down event in initial state
oct/11 08:06:05 pptp,info TCP connection established from 183.60.48.25

Re: TCP connections from china

Posted: Tue Oct 13, 2015 9:33 am
by cdiedrich
I assume you don't need the PPtP server running, right?
So this rule will be your friend:
/ip firewall filter
add action=drop chain=input comment="block PPtP scanners" connection-state=new in-interface=yourWANport dst-port=1723 protocol=tcp
You could switch the action to tarpit which I prefer as it binds attackers' resources...
Additionally, I'd add more ports (all common ports usually a service is replying on) to this rule - as those guys not only want to connect to PPtP but scan your whole WAN IP(s).
After this rule, add a drop rule for UDP connection attempts.
-Chris

Re: TCP connections from china

Posted: Thu Aug 09, 2018 6:24 pm
by dadzejson
Sry for bump...

I had the same problem today at about 7am....

Aug/09/2018 07:02:03 memory pptp,info TCP connection established from 113.96.223.207

Can someone explain to me first what this means, since I don't have open VPN here on the router... does this mean that someone got into my router/network?

Also, would this code help me get rid of this stuff in the future:
/ip firewall filter
add action=drop chain=input comment="block PPtP scanners" connection-state=new in-interface=yourWANport dst-port=1723 protocol=tcp

EDIT: looks like there is nothing to worry about, it could be just some scanning from outside
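
The `pptp,info TCP connection established` lines quoted in the posts above can be tallied per source address to see who reached TCP 1723 and whether the PPTP server answered. The Python script below is an added example, not code from any poster or from MikroTik; it assumes the two log layouts quoted in this thread, and attributing lines that carry no address to the most recent connection is a simplifying assumption.

```python
import re
from collections import defaultdict

# Lines abridged from the logs quoted in this thread (both timestamp layouts).
SAMPLE_LOG = """\
oct/10 23:39:02 pptp,info TCP connection established from 183.60.48.25
oct/10 23:39:02 pptp,debug,packet rcvd Start-Control-Connection-Request from 183.60.48.25
oct/10 23:39:02 pptp,debug,packet sent Start-Control-Connection-Reply to 183.60.48.25
oct/10 23:39:02 pptp,ppp,debug <9>: LCP lowerdown
oct/11 04:29:10 pptp,info TCP connection established from 141.105.66.185
oct/11 04:29:10 pptp,debug received too big control message, disconnecting
oct/11 08:06:05 pptp,info TCP connection established from 183.60.48.25
Aug/09/2018 07:02:03 memory pptp,info TCP connection established from 113.96.223.207
"""

# "<date> <time> [<extra column>] pptp,<topics> <message>"; the extra column
# (here "memory") is optional, as in the two layouts seen in the thread.
LINE = re.compile(r"^(?P<stamp>\S+ \S+) (?:\S+ )?(?P<topics>pptp,\S+) (?P<msg>.*)$")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONNECT = re.compile(r"TCP connection established from " + IPV4)
REPLY = re.compile(r"sent Start-Control-Connection-Reply to " + IPV4)


def summarize(log_text):
    """Count PPTP control-connection events per source address."""
    stats = defaultdict(lambda: {"connections": 0, "replies": 0,
                                 "oversized": 0, "last_seen": None})
    current = None  # lines without an address go to the latest connection (assumption)
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a pptp log line
        msg = line.group("msg")
        connect, reply = CONNECT.search(msg), REPLY.search(msg)
        if connect:
            current = connect.group(1)
            stats[current]["connections"] += 1
            stats[current]["last_seen"] = line.group("stamp")
        elif reply:
            stats[reply.group(1)]["replies"] += 1
        elif "too big control message" in msg and current:
            stats[current]["oversized"] += 1
    return dict(stats)


def answered(stats):
    """Sources the PPTP server sent a control reply to (service reachable for them)."""
    return sorted(ip for ip, s in stats.items() if s["replies"])


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["connections"]):
        print(ip, s)
```

A source listed by `answered` is one the router's PPTP server responded to on TCP 1723, which is the exposure the drop rules in this thread are meant to remove.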

Re: TCP connections from china

Posted: Sat Aug 11, 2018 2:09 am
by R1CH
If someone is able to connect to that port, your router is insecure. Make sure to firewall all ports from WAN.

Re: TCP connections from china

Posted: Sun Sep 02, 2018 9:23 pm
by zaqmugo
This should help:
/ip firewall filter
add action=drop chain=input comment="Block External PPTP Connections" protocol=tcp dst-port=1723