Bigpaddy_Irl (Member, Ireland, joined 2005-12-12):
Mikrotik router being attacked - I think?

Hi guys,
one of my PPPoE servers, which is a 750UP, is acting odd.
I have 40+ PPPoE clients connected to ether2, which has the PPPoE server running on it.
Looking at interfaces I can see all the clients connected, which are hardly transferring any traffic at the moment, but still, up at the top of interfaces it tells me that there is 9Mb being received with over 4000 pps on this interface.
On doing a torch, I can see IPv6 IPs and private IPs which are not on my network generating this traffic. IGMP seems to be the protocol being used mostly to generate this traffic.

This is causing my pppoe clients to drop their connections and experience very slow throughput.

I have created a rule for each of the rogue IPs to drop their connections; this has helped a bit by reducing the throughput it's using and the pps, but it does not stop them completely.

Any ideas guys?

Inssomniak, "The Glitch" (Premium Member, Cayuga, ON, joined 2005-04-06):

Do you route or bridge your CPEs?

The traffic coming in, it sounds like it's on that PPPoE interface?
Bigpaddy_Irl (Member, Ireland, joined 2005-12-12):

Unless the customer wants a public IP, we just leave the CPE in router mode. If they want an IP we bridge them to the PPPoE server and let their own router do the PPPoE.

Yes this traffic was generated on the PPPoE interface.
In the meantime, I enabled client isolation on the AP and that seems to have done the trick for me.

Inssomniak, "The Glitch" (Premium Member, Cayuga, ON, joined 2005-04-06):

said by Bigpaddy_Irl:

Unless the customer wants a public IP, we just leave the CPE in router mode. If they want an IP we bridge them to the PPPoE server and let their own router do the PPPoE.

Yes this traffic was generated on the PPPoE interface.
In the meantime, I enabled client isolation on the AP and that seems to have done the trick for me.

Yes! Client isolation should always be used! Unless you have a need for clients to be able to talk to each other without going through your core router (YUK!).

Rhaas to Bigpaddy_Irl (Premium Member, Bernie, MO, joined 2005-12-19):
If it is IGMP it's likely to be a bad/misconfigured device.

Can you post a screenshot of torch?
Bigpaddy_Irl to Inssomniak (Member, Ireland, joined 2005-12-12):

[screenshot: pppoe server]
You know what they say... "a picture paints a thousand words!"

What is wrong with this picture? Ether1 is the WAN of the PPPoE server, and ether3 and ether4 go to each Rocket AP.
Ether3 and ether4 are bridged to the PPPoE server.

TomS_, "Git-r-done" (MVM, London, UK, joined 2002-07-19):

What are the source/destination IPs, ports and protocol numbers of all that traffic? Simple figures don't really tell much of a story other than "there's a lot of traffic."

Need to know what type of traffic.
Bigpaddy_Irl (Member, Ireland, joined 2005-12-12):

[screenshot: WAN port protocols]
Howdy Tom!
Here is a screenshot of the WAN port protocols being used.
I don't know where that 20Mb of traffic is coming from, because when I took that, ether3 and ether4 combined were not pulling 10Mb between them.

Inssomniak, "The Glitch" (Premium Member, Cayuga, ON, joined 2005-04-06):

Can't tell in that picture, but perhaps that 4.4 megabits of UDP is a DDoS or DoS attack?

Collect the DST address and you can see the target IP.

Tough to stop those unless you talk to your upstream.

TomS_ to Bigpaddy_Irl (MVM, London, UK, joined 2002-07-19):
What about source/dest IPs, and perhaps port numbers?

If you find a particular pattern you might be able to track down something/someone in your network, or outside of it.

If it's outside, and you have the appropriate source/dest IPs and port number(s) (and in particular if you have no reason to believe that traffic is legit), you could go to your upstream and ask them to block that traffic. If you can tell them exactly what you need a block for, you're more likely to get some help.

On the other hand, you might find this a pertinent time to apply some ingress/egress filters at your edges facing the Internet.

e.g. blocking all but unnecessary incoming traffic (i.e. ICMP) from the Internet destined for infrastructure IPs (because no one on the Internet at large should be trying to talk to your infrastructure) and only permitting incoming traffic to legitimate IPs, and blocking any outgoing traffic that isn't from a legitimate IP on your network.

BCP 38 and 46, and in some respects 84, provide some good information about filtering at your edges to protect your network and stop the spread of certain DOS traffic.

tools.ietf.org/html/bcp38
tools.ietf.org/html/bcp46
tools.ietf.org/html/bcp84
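The ingress/egress filtering TomS_ describes, written out as RouterOS firewall rules for a Mikrotik edge router. This is an added example, not configuration from the thread or from MikroTik; ether1 as the upstream interface, 203.0.113.0/24 as the ISP's own allocation and 203.0.113.1 as an infrastructure address are placeholder assumptions.

```routeros
# Added example (not from the thread): BCP38-style edge filtering on RouterOS.
# Assumptions (placeholders): ether1 = upstream/WAN, 203.0.113.0/24 = our own
# public allocation, 203.0.113.1 = an infrastructure address (PPPoE server/core).
/ip firewall address-list
add list=our-prefixes address=203.0.113.0/24 comment="assumed: our allocation"
add list=infra address=203.0.113.1 comment="assumed: PPPoE server / core"
add list=bogons address=0.0.0.0/8
add list=bogons address=10.0.0.0/8
add list=bogons address=100.64.0.0/10
add list=bogons address=127.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=172.16.0.0/12
add list=bogons address=192.168.0.0/16
add list=bogons address=224.0.0.0/3

/ip firewall filter
# Ingress: nothing arriving from the Internet may claim our own or a bogon source.
add chain=input in-interface=ether1 src-address-list=our-prefixes action=drop comment="ingress spoof: our prefix from outside"
add chain=forward in-interface=ether1 src-address-list=our-prefixes action=drop
add chain=input in-interface=ether1 src-address-list=bogons action=drop
add chain=forward in-interface=ether1 src-address-list=bogons action=drop
# Infrastructure: accept replies and ICMP echo, drop every other unsolicited
# packet from outside that is aimed at the router or at infra addresses.
add chain=input in-interface=ether1 connection-state=established,related action=accept
add chain=input in-interface=ether1 protocol=icmp icmp-options=8:0 action=accept
add chain=input in-interface=ether1 action=drop comment="infra: no unsolicited inbound"
add chain=forward in-interface=ether1 dst-address-list=infra action=drop
# Egress: only packets sourced from our allocation may leave; log the rest so a
# spoofing host inside the network shows up in /log.
add chain=forward out-interface=ether1 src-address-list=!our-prefixes action=drop log=yes log-prefix="egress-spoof"
```

Any management or peering sessions that must arrive on ether1 (upstream BGP, remote Winbox) need their own accept rules placed before the input-chain drop.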
Bigpaddy_Irl (Member, Ireland, joined 2005-12-12):

The funny thing is that a lot of the IPs that I can see actually belong to 2 other ISPs connected to us. I have implemented some of MT's DDoS and SYN attack procedures on some of my routers that were affected and it appears to have died down now, thank god.
At the moment, my network is just mostly a big layer 2 bridge with PPPoE servers only at the edges. Should I create an EoIP tunnel inside a PPTP tunnel and run the backhaul from each PPPoE server back to the core router to avoid broadcast traffic from the other ISPs?

TomS_, "Git-r-done" (MVM, London, UK, joined 2002-07-19):

If it were me I'd try and put those other ISP connections inside a VLAN that hangs off your core router, each with its own subnet.

That way their traffic is as separated from yours as it possibly can be without dedicated radio links all the way. To me that just feels cleaner.
Bigpaddy_Irl (Member, Ireland, joined 2005-12-12):

That can be very easily done on my side, and it might just be done within the next 2 days!

Inssomniak to Bigpaddy_Irl (Premium Member, Cayuga, ON, joined 2005-04-06):
Mikrotik's bridge horizon might work too.

I use it so data on one interface in the PPPoE bridge can enter my core router, but not leave out the other interfaces in the bridge.
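The bridge horizon setup Inssomniak describes, applied to the topology Bigpaddy_Irl gave (ether3 and ether4 to the APs, bridged to the PPPoE server), plus bridge filters that admit only PPPoE frames from the access ports so stray IGMP or IPv6 from a subscriber side never reaches the server. This is an added example, not Inssomniak's or MikroTik's configuration; the bridge name br-pppoe and the service name are assumptions.

```routeros
# Added example (not from the thread). Assumptions: ether3/ether4 face the APs and
# the PPPoE server runs on the bridge itself; bridge and service names are made up.
/interface bridge
add name=br-pppoe protocol-mode=none comment="assumed access bridge"
/interface bridge port
# Same horizon value on both access ports: a frame from ether3 is never forwarded
# to ether4 (and vice versa); it can only reach the bridge interface, i.e. the router.
add bridge=br-pppoe interface=ether3 horizon=1
add bridge=br-pppoe interface=ether4 horizon=1
/interface pppoe-server server
add interface=br-pppoe service-name=isp-pppoe one-session-per-host=yes disabled=no
/interface bridge filter
# Only PPPoE discovery (0x8863) and session (0x8864) frames are expected from
# subscribers; anything else (IPv4/IGMP, IPv6, ...) is dropped before it reaches
# the CPU, and logged so a misbehaving CPE can be identified by source MAC.
add chain=input in-interface=ether3 mac-protocol=pppoe-discovery action=accept
add chain=input in-interface=ether3 mac-protocol=pppoe action=accept
add chain=input in-interface=ether3 action=drop log=yes log-prefix="non-pppoe"
add chain=input in-interface=ether4 mac-protocol=pppoe-discovery action=accept
add chain=input in-interface=ether4 mac-protocol=pppoe action=accept
add chain=input in-interface=ether4 action=drop log=yes log-prefix="non-pppoe"
# Belt and braces: subscriber-to-subscriber frames stay blocked even if someone
# later removes the horizon setting from a port.
add chain=forward in-interface=ether3 out-interface=ether4 action=drop
add chain=forward in-interface=ether4 out-interface=ether3 action=drop
```

After applying it, `/interface bridge filter print stats` shows whether the drop counters account for the IGMP volume torch was reporting.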
wirelessdog to Bigpaddy_Irl (Member, Queen Anne, MD, joined 2008-07-15):
Do you have proxy enabled without a firewall rule dropping incoming, outside traffic?