dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
2120
share rss forum feed

Bigpaddy_Irl

join:2005-12-12
Ireland

Mikrotik router being attacked - I think?

Hi guys,
one of my pppoe servers which is a 750up is acting odd.
I have 40+ pppoe clients connected to ether2 which has the pppoe server running on it.
Looking at interfaces I can see all the clients connected which are hardly transferring any traffic at the moment, but still up at the top of interfaces it tells me that there is 9Mb being recieved with over 4000 pps on this interface.
On doing a torch, I can see ipv6 ips and private ips which are not on my network generating this traffic. IGMP seems to be the protocol being used mostly to generate this traffic.

This is causing my pppoe clients to drop their connections and experience very slow throughput.

i have created a rule for each of the rouge ips to drop their connections, this has helped a bit by reducing throughput its using and pps, but it does not stop them completely.

Any ideas guys?



Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2

Do you route or bridge your CPEs?

The traffic coming in it sounds like its on that PPPoE interface?
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca


Bigpaddy_Irl

join:2005-12-12
Ireland

unless the customer wants a public ip, we just leave the cpe in router mode. If they want an ip we bridge them to the PPPoE server and let their own router do the pppoe.

Yes this traffic was generated on the PPPoE interface.
In the meantime, I enabled client isolation on the AP and that seems to have done the trick for me.



Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2

said by Bigpaddy_Irl:

unless the customer wants a public ip, we just leave the cpe in router mode. If they want an ip we bridge them to the PPPoE server and let their own router do the pppoe.

Yes this traffic was generated on the PPPoE interface.
In the meantime, I enabled client isolation on the AP and that seems to have done the trick for me.

Yes! Client isolation should be used always! Unless you have a need for clients to be able to talk to each other without going thru your core router, (YUK!)
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca


Rhaas
Premium
join:2005-12-19
Bernie, MO
reply to Bigpaddy_Irl

If it is IGMP it's likely to be a bad/misconfigured device.

Can you post a screen shot of torch?
--
I survived Hale-Bopp!


Bigpaddy_Irl

join:2005-12-12
Ireland
reply to Inssomniak

Click for full size
pppoe server
You know what they say...."a picture paints a thousand words!"

What is wrong with this picture? Ether1 is the wan of the pppoe server and ether3 and 4 go to each rocket ap.
3 and 4 are bridged to the pppoe server.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

What are the source/destination IPs, ports, protocol numbers of all that traffic, because simple figures dont really tell much of a story other than "theres a lot of traffic."

Need to know what type of traffic.


Bigpaddy_Irl

join:2005-12-12
Ireland

Click for full size
howdy Tom!
Here is a screen shot of the wan port protocols being used.
I dont know where that 20Mb of traffic is coming from because when I took that, ether 3 and 4 combined were not pulling 10Mb between them.


Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2

Cant tell in that picture but perhaps 4.4 megabits of UDP there is a DDoS or DoS attack?

Collect the DST address and you can see the target IP.

Tough to stop those unless you talk to your upstream.
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to Bigpaddy_Irl

What about source/dest IPs, and perhaps port numbers?

If you find a particular pattern you might be able to track down something/someone in your network, or outside of it.

If its outside, and you have the appropriate source/dest IPs and port number(s) (and in particular if you have no reason to believe that traffic is legit), you could go to your upstream and ask the to block that traffic. If you can tell them exactly what you need a block for, youre more likely to get some help.

On the other hand, you might find this a pertinent time to apply some ingress/egress filters at your edges facing the Internet.

e.g. blocking all but unnecessary incoming traffic (i.e. ICMP) from the internet destined for infrastructure IPs (because no one on the internet at large should be trying to talk to your infrastructure) and only permitting incoming traffic to legitimate IPs, and blocking any outgoing traffic that isnt from a legitimate IP on your network.

BCP 38 and 46, and in some respects 84, provide some good information about filtering at your edges to protect your network and stop the spread of certain DOS traffic.

»tools.ietf.org/html/bcp38
»tools.ietf.org/html/bcp46
»tools.ietf.org/html/bcp84


Bigpaddy_Irl

join:2005-12-12
Ireland

The funny thing is that a lot of the ip's that I can see are actually belonging to 2 other isp's connected to us. I have implemented some if MT's ddos and syn attack procedures on some of my routers that were effected and it appears to of have died down now thank god.
At the moment, my netowork is just mostly a big layer 2 bridge with PPPoE servers only at the edges. Should I create an EOIP tunnel inside a PPTP tunnel and run the backhaul from each PPPoE server back to the core router to avoid broadcast traffic from the other isps?



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

If it were me I'd try and put those other ISP connections inside a VLAN that hangs off your core router, each with its own subnet.

That way their traffic is as separated from yours as it possibly can be without dedicated radio links all the way. To me that just feels cleaner.


Bigpaddy_Irl

join:2005-12-12
Ireland

That can be very easily done on my side, and it might just be done within the next 2 days!



Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2
reply to Bigpaddy_Irl

Mikrotik's bridge horizon might work too.

I use it so data on one interface in the PPPoE bridge can enter my core router, but not leave out the other interfaces in the bridge
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca


wirelessdog

join:2008-07-15
Queen Anne, MD
kudos:1
reply to Bigpaddy_Irl

Do you have proxy enabled without a firewall rule dropping incoming, outside traffic?