Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » router » mikrotik_under_attack
Trace: mikrotik_sw_vs_bridge mikrotik_under_attack
networking:router:mikrotik_under_attack

This is an old revision of the document!

So Your Mikrotik Firewall is Under Attack

FIXME Unfinished and untested.

:!: These rules can be modified for many botnet situations.

:!: Logging can be added if needed.

:!: The order of rules in your firewall is important. Move these rules to an appropriate place in your firewall order.

:!: Consider disabling or deleting these rules after the attacks have subsided to keep from polluting your firewall rule set.

Botnet - UDP Port 30837

Here we see a botnet using UDP port 30837, so we create a permanent blacklist and drop all packets.

  • We can disable the rules later
  • We can modify these rules for the next attack
  • Or we can keep or delete the blacklist and rules later 
/ip firewall filter

add chain=input comment="Drop Blacklisted Botnet Attackers for 10 Days" src-address-list=botnet_blacklist \
action=drop disabled=no

add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage3 \
action=add-src-to-address-list address-list=botnet_blacklist address-list-timeout=10d  disabled=no

add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage2 \
action=add-src-to-address-list address-list=botnet_stage3 address-list-timeout=1m disabled=no

add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage1 \
action=add-src-to-address-list address-list=botnet_stage2 address-list-timeout=1m disabled=no

add chain=input protocol=udp dst-port=30837 connection-state=new action=add-src-to-address-list \
address-list=botnet_stage1 address-list-timeout=1m  disabled=no
  • Since botnet traffic generally comes slowly from many different hosts, you might have to adjust the address-list-timeout to a longer period in the “stage” rules to catch more attackers
  • You might omit the address-list-timeout from the “stage3” rule to make the blacklist entry permanent.

If you feel the need, you can then allow connections not previously blocked. If all you are doing is building a blacklist, omit this rule: 

add chain=input comment="Accept botnet traffic not previously blocked" protocol=udp dst-port=30837 \
connection-state=new action=accept
networking/router/mikrotik_under_attack.1400597880.txt.gz · Last modified: 2014/05/20 08:58 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki