Why block at all? I know it’s a loaded question but I always take the approach that customers should be protecting themselves. If they don’t protected themselves and create your network service effecting issues than disconnect them until they sort their stuff out.
Also, in my limited testing with Microtik boxes I found their firewall could easily be used to topple over the router – I wouldn’t put my “core router” in the middle of an attack until I had to … going by memory this was an RB1100 with 25-30 firewall rules – less than 100 Mbs of dirty/malicious traffic and the box was taken offline. This doesn’t make Microtik unique which is part of my point – even easier is inline IPS boxes that are underpowered in the first place. From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop Sent: Monday, May 11, 2015 1:02 PM To: af@afmug.com Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik Not me, Michael Gawlowski. We have similar problems, though I block subnets rather than entire countries, typically confirmed as consumer IP addresses before we do so. I manage a router for a local cable company. I can't block every port on their customer's equipment. The random nature of the attacks makes detecting it extremely difficult. I don't have these problems with my network, only the cable company's. ----- Original Message ----- From: Paul Stewart <mailto:p...@paulstewart.org> To: af@afmug.com <mailto:af@afmug.com> Sent: Monday, May 11, 2015 11:14 AM Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik So it sounds like the original poster (Glen I believe it is) is looking to protect equipment that is not his? Why not just firewall access to that equipment specifically or does it still need to be open access? Firewalling by country is really dangerous … if you do this for every country that attacks you, you won’t be talking to the Internet much longer ;) Something adaptive may be much more suggested … as David has one solution for below. If you are protecting SSH access, consider using SSH keys if supported along with fail2ban or other tools … Just some thoughts.. Paul From: Af [mailto:af-boun...@afmug.com] On Behalf Of David Milholen Sent: Monday, May 11, 2015 7:53 AM To: af@afmug.com <mailto:af@afmug.com> Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik I have a perl script that watches are bind logs for Denied queries and places those ips in a list then we add that list to our drop all rule in the gateways for 30days. This is one level we use to prevent poisoning of dns or cash probes. It has seemed to help with a whole bunch of other things as well. On 5/8/2015 3:51 PM, Glen Waldrop wrote: The problem we run into is that those same folks that are attacking our equipment are attacking the equipment behind our routers. It is comparatively simple to secure our routers, not quite as easy to secure everything behind them, stuff that isn't ours. ----- Original Message ----- From: Sean Heskett <mailto:af...@zirkel.us> To: af@afmug.com <mailto:af@afmug.com> Sent: Friday, May 08, 2015 3:33 PM Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik Plus whenever the net neutrality rules kick in it'll be illegal. Shouldn't be necessary if you have your firewalls setup correctly. 2 cents -Sean On Friday, May 8, 2015, Paul Stewart <p...@paulstewart.org <mailto:p...@paulstewart.org> > wrote: Ouch… are you sure you want to do that? I wouldn’t ever tell someone how to run their company or network but you are just hiding in my opinion from the problems you are possibly having. What about Romania for example? I’ve seen a few ISP’s block whole countries and it wasn’t pretty…. People couldn’t email relatives in those countries, couldn’t pull up websites, companies/business customers couldn’t conduct business etc etc…. Just a thought :) Paul From: Af [mailto:af-boun...@afmug.com <javascript:_e(%7B%7D,'cvml','af-boun...@afmug.com');> ] On Behalf Of Michael Gawlowski Sent: Friday, May 8, 2015 3:25 PM To: af@afmug.com <javascript:_e(%7B%7D,'cvml','af@afmug.com');> Subject: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik I have a blocklist of IP’s and CIDR ranges that I would like to add in my mikrotik 1100’s and 2011’s. Two questions: 1) What is the best way to add these without doing one address or subnet at a time? 2) Will there be a significant impact on router performance from adding so many rules in the firewall filter? Most of these routers are expected to handle about 50-150Mbps depending on the model and location. Thank you, Mike Gawlowski Triad Wireless, LLC 4226 S. 37th ST Phoenix, AZ 85040 (602)-426-0542 Triadwireless.net --
