danriis
just joined
Topic Author
Posts: 21
Joined: Wed May 29, 2019 1:52 am

8.8.8.8 suddenly blocked by my firewall???

Thu Apr 04, 2024 2:18 am

Hi all,
Recently the public DNS we use (8.8.8.8) has started showing up in my blocked DDOS address list on the firewall, which has never happened before.
I'm not an expert at all on this stuff... Is something wrong with my DDOS config? Or does this indicate internal clients being part of an attack (perhaps unknowingly?) It's happening based on more than one client, here's what the log entry looks like, obviously 10.0.0.117 is the internal client:

detect-ddos: in:bridge1 out:ether1_Spectrum WAN, src-mac 3c:06:30:15:4a:b0, proto UDP, 10.0.0.117:57852->8.8.8.8:53, len 56

Any insights would be very appreciated,
Dan
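A small parser for the detect-ddos log format quoted above, added here as an example and not part of the original post: it groups the flagged flows by internal source, destination, protocol and port, so a reader can see at a glance whether every hit is a UDP/53 query to 8.8.8.8 and how many internal clients produce them. The regex is this example's own, written from the field layout of the one sample line; the additional log lines and the 203.0.113.10 address are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# Field layout taken from the one sample line in the post; the regex itself is
# this example's own and not a RouterOS-provided format.
LOG_RE = re.compile(
    r"(?P<prefix>[\w-]+): in:(?P<in_if>\S+) out:(?P<out_if>.+?), "
    r"src-mac (?P<mac>[0-9a-fA-F:]{17}), proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# Constructed sample: line 1 is the post's own entry, the rest are made up so
# the summary has more than one client and more than one destination to group.
SAMPLE_LOG = """\
detect-ddos: in:bridge1 out:ether1_Spectrum WAN, src-mac 3c:06:30:15:4a:b0, proto UDP, 10.0.0.117:57852->8.8.8.8:53, len 56
detect-ddos: in:bridge1 out:ether1_Spectrum WAN, src-mac 3c:06:30:15:4a:b0, proto UDP, 10.0.0.117:57853->8.8.8.8:53, len 61
detect-ddos: in:bridge1 out:ether1_Spectrum WAN, src-mac 00:11:22:33:44:55, proto UDP, 10.0.0.250:40001->8.8.8.8:53, len 58
detect-ddos: in:bridge1 out:ether1_Spectrum WAN, src-mac 00:11:22:33:44:55, proto TCP, 10.0.0.250:40002->203.0.113.10:443, len 60
this line is not a firewall log entry and is skipped
"""


def parse_line(line):
    """Return the fields of one detect-ddos log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "len"):
        rec[k] = int(rec[k])
    return rec


def summarize(log_text):
    """Count flagged flows per (src, dst, proto, dport) and remember each client's MACs."""
    pairs = Counter()
    macs = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        pairs[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
        macs[rec["src"]].add(rec["mac"])
    return {"pairs": pairs, "macs": {s: sorted(m) for s, m in macs.items()}, "skipped": skipped}


def dns_share(summary):
    """Fraction of flagged flows that are UDP/53; close to 1.0 means the list is filling with DNS lookups."""
    total = sum(summary["pairs"].values())
    dns = sum(n for (_, _, proto, port), n in summary["pairs"].items() if proto == "UDP" and port == 53)
    return dns / total if total else 0.0


def clients_per_destination(summary):
    """Map destination -> sorted internal sources hitting it. One source with many hits
    points at a single noisy host; many ordinary clients on the same resolver suggests
    the rule is catching normal lookups."""
    out = defaultdict(set)
    for (src, dst, _, _), _n in summary["pairs"].items():
        out[dst].add(src)
    return {d: sorted(s) for d, s in out.items()}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"DNS share of flagged flows: {dns_share(s):.2f} ({s['skipped']} unparsed line(s))")
    for dst, srcs in clients_per_destination(s).items():
        print(dst, "<-", ", ".join(srcs))
```

Feed it the output of `/log print where message~"detect-ddos"` saved to a file; if `dns_share` is near 1.0 and several clients appear under 8.8.8.8, the list is being filled by the resolver traffic of normal clients rather than by a flood from one host.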
 
anav
Forum Guru
Posts: 19640
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 8.8.8.8 suddenly blocked by my firewall???

Thu Apr 04, 2024 4:00 am

Yes, you don't need DDOS on your router, it is the responsibility of upstream providers to do such work.
More than likely a misconfigured config is causing issues. Get rid of the bloat and life will be easier.
/export file=anynameyouwish (minus router serial number, public WAN IP information, keys etc.)
 
Amm0
Forum Guru
Posts: 3605
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: 8.8.8.8 suddenly blocked by my firewall???

Thu Apr 04, 2024 4:06 am

From the log it does not look like it's getting NAT'ed.
 
danriis
just joined
Topic Author
Posts: 21
Joined: Wed May 29, 2019 1:52 am

Re: 8.8.8.8 suddenly blocked by my firewall???

Thu Apr 04, 2024 9:32 am

Thanks, I've pasted my config below.
I don't know enough to know if it's bloated. I did the basic network config and had a so-called 'consultant' do the firewall rules.
Is this helpful?
Thanks so much, I'm still a beginner with the firewall stuff.
Dan

# mar/14/2024 01:04:14 by RouterOS 6.47.9
# software id = 
#
# model = RB1100x4
# serial number = 
/interface bridge
add fast-forward=no name=bridge1 priority=0x2000
/interface ethernet
set [ find default-name=ether1 ] name="ether1_Spectrum WAN" speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] name=ether3_SolplexSE speed=100Mbps
set [ find default-name=ether4 ] name=ether4_PossiblyBadPort speed=100Mbps
set [ find default-name=ether5 ] name=ether5_SolPlexNW speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] name=ether7_Community speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] name=ether10_Lukas speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.175
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1d name=\
    dhcp1
/queue type
add kind=pcq name=pcq-download-fastest pcq-classifier=dst-address pcq-rate=\
    100M pcq-total-limit=5000KiB
set 6 pcq-rate=10M pcq-total-limit=5000KiB
set 7 pcq-rate=35M pcq-total-limit=5000KiB
/queue simple
add dst="ether1_Spectrum WAN" max-limit=24M/500M name=EveryoneElse queue=\
    pcq-upload-default/pcq-download-default target=bridge1
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=UnifiController parent=\
    EveryoneElse target=10.0.0.250/32
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=AttilaDesktop parent=\
    EveryoneElse target=10.0.0.251/32
add dst="ether1_Spectrum WAN" max-limit=15M/200M name=Lukas parent=\
    EveryoneElse target=10.0.0.252/32
add disabled=yes dst="ether1_Spectrum WAN" max-limit=15M/90M name=\
    "Speed boost for this IP" parent=EveryoneElse target=10.0.0.175/32
/system logging action
set 0 memory-lines=2000
set 1 disk-file-count=10
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge filter
add action=drop chain=input disabled=yes in-bridge=bridge1 log=yes \
    src-mac-address=5/FF:FF:FF:FF:FF:FF
add action=drop chain=input disabled=yes dst-mac-address=\
    /FF:FF:FF:FF:FF:FF log=yes src-mac-address=\
    /FF:FF:FF:FF:FF:FF
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3_SolplexSE
add bridge=bridge1 interface=ether4_PossiblyBadPort
add bridge=bridge1 interface=ether5_SolPlexNW
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7_Community
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10_Lukas
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface="ether1_Spectrum WAN" list=WAN
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip dhcp-client
add disabled=no interface="ether1_Spectrum WAN"
/ip dhcp-server alert
add disabled=no interface=bridge1 valid-server=xxxxxxxxxx
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8,x.x.x.x gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=x.x.x.x,8.8.8.8
/ip firewall address-list
add address=192.168.0.0 list="Block user"
/ip firewall filter
add action=drop chain=output disabled=yes src-address=192.168.0.0
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" \
    disabled=yes dst-port=53 protocol=tcp src-address=10.0.0.0/24
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" \
    dst-port=53 protocol=udp src-address=10.0.0.0/24
add action=drop chain=input comment="DROP SSH from WAN requests" dst-port=22 \
    in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP webconfig from WAN requests" \
    dst-port=8081 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP Winbox from WAN requests" dst-port=\
    8291 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=forward comment="Prevent UDP flooding attack" \
    connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=\
    53 in-interface="ether1_Spectrum WAN" protocol=udp
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=\
    53 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=forward comment=\
    "Drop packets from SMTP spammer address list." log=yes src-address-list=\
    "SMTP spammer"
add action=drop chain=input comment="DROP INVALID CONNECTIONS" \
    connection-state=invalid
add action=drop chain=forward connection-state=invalid log-prefix=invalid
add action=accept chain=forward comment=\
    "ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=\
    established,related
add action=accept chain=input connection-state=established,related
add action=jump chain=input comment="ALLOW ICMP CONNECTIONS" jump-target=ICMP \
    protocol=icmp
add action=jump chain=forward jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list="SMTP spammer" \
    address-list-timeout=1h chain=forward comment=\
    "SMTP spammer gets added to SMTP spammer address list." connection-limit=\
    30,32 dst-port=25 limit=50,5:packet log=yes protocol=tcp
add action=return chain=detect-ddos comment="Prevent UDP flooding attack" \
    dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment=\
    "Begin -> Port Scanners to List" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=10h chain=input comment=\
    "Begin > SSH Attacks to List" connection-state=new dst-port=22 protocol=\
    tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,4,dst-address/1m dst-port=21 protocol=tcp
add action=add-dst-to-address-list address-list=Blacklist \
    address-list-timeout=3h chain=output comment=\
    "Add FTP Brute Force Attack to List" content="530 Login incorrect" \
    dst-port=21 protocol=tcp
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=\
    WAN
add action=jump chain=forward comment="Prevent UDP flooding attack" \
    connection-state=new jump-target=detect-ddos
add action=accept chain=ICMP comment="ICMP Rules - 0:0 and limit for 5pac/s" \
    icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=\
    3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=\
    3:4 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=\
    8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" \
    icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat
/ip firewall raw
add action=drop chain=prerouting comment=\
    "Block all 192.168.x.x. on the network, hopefully :)" src-address=\
    192.168.0.0/16
add action=drop chain=prerouting comment="drop blacklist" src-address-list=\
    Blacklist
add action=drop chain=prerouting dst-port=8080 in-interface-list=WAN \
    protocol=tcp
add action=drop chain=prerouting comment="drop DNS attempts from WAN" \
    dst-port=53 in-interface-list=WAN protocol=udp
add action=jump chain=prerouting comment="detect broadcasts" \
    dst-address-type=broadcast in-interface=bridge1 jump-target=broadcast
add action=accept chain=broadcast comment="allow dhcp" dst-address-type="" \
    dst-port=67 in-interface=bridge1 protocol=udp
add action=drop chain=broadcast comment="drop netbios" dst-address-type="" \
    dst-port=137,138 in-interface=bridge1 protocol=udp
add action=drop chain=broadcast comment="drop dropbox sync" dst-address-type=\
    "" dst-port=17500 in-interface=bridge1 protocol=udp
add action=drop chain=broadcast comment="drop broadcasts" dst-address-type=\
    broadcast in-interface=bridge1
/ip route
add disabled=yes distance=1 gateway=x.x.x.x
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24 port=8081
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=xxx
/system identity
set name=xxx
/system logging
set 0 action=disk topics=info,!dhcp
set 1 action=disk
set 2 action=disk
set 3 action=disk
/system package update
set channel=long-term
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool netwatch
add down-script=":log info \"Internet Down\"" host=x.x.x.x interval=5s \
    up-script=":log info \"Internet Up\""
Last edited by BartoszP on Thu Apr 04, 2024 11:52 am, edited 1 time in total.
Reason: Please DO use proper tags ... code for code etc.
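To see why ordinary DNS queries end up on the ddosed/ddoser lists, here is a token-bucket model of the detect-ddos chain from the config above. This is an added example, not code from the post, and it approximates RouterOS rather than reproducing it. Two things in the config drive the behaviour: the jump rule sends every new forward connection to detect-ddos with no protocol match, despite its "UDP flooding" comment, and `dst-limit=32,32,src-and-dst-addresses/10s` means 32 packets per second with a burst of 32 per source/destination pair, where the pair's counter is forgotten after 10s of inactivity (the 10s is not the measuring window). Each UDP DNS query is its own new connection, so a client that fires a burst of more than 32 lookups puts itself on ddoser and the resolver on ddosed. The scenario also shows that the lists are per address, not per pair, and that the comment-style rule numbering in the code is this example's own.

```python
RATE = 32.0           # dst-limit count per second (the first "32")
BURST = 32.0          # bucket size (the second "32")
EXPIRE = 10.0         # "/10s": a pair's bucket is forgotten after this much inactivity
LIST_TIMEOUT = 600.0  # address-list-timeout=10m on the ddosed/ddoser rules


class DstLimit:
    """Token-bucket approximation of dst-limit=RATE,BURST,src-and-dst-addresses/EXPIRE."""

    def __init__(self, rate=RATE, burst=BURST, expire=EXPIRE):
        self.rate, self.burst, self.expire = rate, burst, expire
        self.buckets = {}  # (src, dst) -> [tokens, last_seen]

    def match(self, src, dst, now):
        """True while the pair is under the limit (the 'action=return' rule matches)."""
        tokens, last = self.buckets.get((src, dst), (self.burst, now))
        if now - last > self.expire:          # stale entry: start with a full bucket
            tokens, last = self.burst, now
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[(src, dst)] = [tokens - 1.0, now]
            return True
        self.buckets[(src, dst)] = [tokens, now]
        return False


class ForwardChain:
    """The forward-chain rules from the post that act on new connections, in their order."""

    def __init__(self):
        self.limiter = DstLimit()
        self.ddoser = {}  # address -> list expiry time
        self.ddosed = {}

    @staticmethod
    def _listed(lst, addr, now):
        return addr in lst and now < lst[addr]

    def new_connection(self, src, dst, now):
        # rule: drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
        if self._listed(self.ddoser, src, now) and self._listed(self.ddosed, dst, now):
            return "drop"
        # rule: jump chain=forward connection-state=new jump-target=detect-ddos (any protocol)
        if self.limiter.match(src, dst, now):
            return "accept"                   # action=return, then forward's default accept
        # rate exceeded: add-dst-to-address-list ddosed, add-src-to-address-list ddoser
        self.ddosed[dst] = now + LIST_TIMEOUT
        self.ddoser[src] = now + LIST_TIMEOUT
        return "accept"                       # listing is passthrough; the next packet is dropped


def run_scenario():
    fw = ForwardChain()
    # Constructed traffic: two clients each fire 40 DNS lookups at the same instant.
    a = [fw.new_connection("10.0.0.117", "8.8.8.8", 0.0) for _ in range(40)]
    b = [fw.new_connection("10.0.0.250", "1.1.1.1", 0.0) for _ in range(40)]
    return {
        "a_first_drop": a.index("drop"),      # 33rd lookup gets listed, 34th and later are dropped
        "b_first_drop": b.index("drop"),
        # per-address lists, not per-pair: A never flooded 1.1.1.1 but is still dropped to it
        "a_to_other_resolver": fw.new_connection("10.0.0.117", "1.1.1.1", 5.0),
        # a quiet client is unaffected even though 8.8.8.8 is on the ddosed list
        "quiet_client": fw.new_connection("10.0.0.251", "8.8.8.8", 5.0),
        # a paced client (10 lookups/s) never drains the bucket
        "paced_client_drops": [fw.new_connection("10.0.0.252", "8.8.8.8", i * 0.1)
                               for i in range(100)].count("drop"),
        # after the 10 minute list timeout the pair is clean again
        "a_after_timeout": fw.new_connection("10.0.0.117", "8.8.8.8", 700.0),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The practical takeaways for the config as posted: every new connection, TCP included, is counted against the limit; a resolver shared by all clients is the destination most likely to be listed; and once a client and a resolver are both listed, every flow between any listed client and any listed destination is dropped for 10 minutes, so the collateral damage is wider than one client/server pair.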
 
johnson73
Member Candidate
Posts: 190
Joined: Wed Feb 05, 2020 10:07 am

Re: 8.8.8.8 suddenly blocked by my firewall???

Thu Apr 04, 2024 11:13 am

In order for the traffic flow to be correct, we use "default" firewall rules as the basis for everything. Your configuration has a very large mix. In Mikrotik, firewall rules are executed from top to bottom and the order also matters. We don't mix up the sequence of places.
I will copy the rules for you, which you can then add to with the information you need. The ports you want to drop, we do in the Raw chain.
( default rules to keep )

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# disable or remove the next rule if port forwarding is not required
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
