I'll get the info tomorrow and get back to you. It is mostly Cisco and SMC. 
Might be related to the DNS rebind hack. 

When I set the edge to drop invalid packets the problems got better. We've 
watched some UDP and TCP traffic on random ports from random addresses to the 
cable modems in question while they were having connection problems.


  ----- Original Message ----- 
  From: Paul Stewart 
  To: af@afmug.com 
  Sent: Monday, May 11, 2015 8:04 PM
  Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik


  What make if you don’t mind me asking?  Any details you can share…

   

  Totally curious of details – at $$$job we have quite a number of customers on 
cable modem and always good to know if there’s a problem out there… 

   

  Thanks,

  Paul

   

   

  From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop
  Sent: Monday, May 11, 2015 8:45 PM
  To: af@afmug.com
  Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

   

  They only have one public IP per customer.

  The dummy cable modems have an internal IP and pass the public through to 
the customer. These are wireless routers with a cable modem built in. Those 
have public IP addresses and the hackers are going crazy on them. Always 
something new.

   

   

    ----- Original Message ----- 

    From: Mike Hammett 

    To: af@afmug.com 

    Sent: Monday, May 11, 2015 4:21 PM

    Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

     

    One public IP per customer...



    -----
    Mike Hammett
    Intelligent Computing Solutions
    http://www.ics-il.com



    Midwest Internet Exchange
    http://www.midwest-ix.com




----------------------------------------------------------------------------

    From: "Glen Waldrop" <gwl...@cngwireless.net>
    To: af@afmug.com
    Sent: Monday, May 11, 2015 4:18:31 PM
    Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

     

    The cable modems have an internal address, but they get the ones with 
routers built in. Those have a public IP.

    I keep telling him that we could NAT 90% of his customers and cut this 
problem down as well as free up a sizable chunk of IP addresses.

     

     

      ----- Original Message ----- 

      From: Paul Stewart 

      To: af@afmug.com 

      Sent: Monday, May 11, 2015 4:12 PM

      Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

       

      Usually management for cable modems is on a private network that isn’t 
Internet accessible…. Sounds strange….

       

      From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop
      Sent: Monday, May 11, 2015 5:08 PM
      To: af@afmug.com
      Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

       

      Script kiddies are attacking the cable modems. If bossman would follow my 
recommendation and give them dummy modems and let the customer deal with the 
router, they'd be fine; it would be the customer's problem and I'd likely get 
the call to go out and secure their personal router if they managed to 
successfully hack it.

      We've got Cisco and SMC scratching their heads on this.

       

       

        ----- Original Message ----- 

        From: Paul Stewart 

        To: af@afmug.com 

        Sent: Monday, May 11, 2015 2:02 PM

        Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

         

        Why block at all?  I know it’s a loaded question but I always take the 
approach that customers should be protecting themselves.  If they don’t 
protect themselves and create service-affecting issues on your network, then 
disconnect them until they sort their stuff out.

         

        Also, in my limited testing with Mikrotik boxes I found their firewall 
could easily be used to topple over the router – I wouldn’t put my “core 
router” in the middle of an attack until I had to … going by memory this was an 
RB1100 with 25-30 firewall rules – less than 100 Mbs of dirty/malicious traffic 
and the box was taken offline.  This doesn’t make Mikrotik unique which is part 
of my point – even easier is inline IPS boxes that are underpowered in the 
first place.

         

        From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop
        Sent: Monday, May 11, 2015 1:02 PM
        To: af@afmug.com
        Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

         

        Not me, Michael Gawlowski.

        We have similar problems, though I block subnets rather than entire 
countries, typically confirmed as consumer IP addresses before we do so.

        I manage a router for a local cable company. I can't block every port 
on their customer's equipment. The random nature of the attacks makes detecting 
it extremely difficult.

        I don't have these problems with my network, only the cable company's.

         

         

         

         

         

          ----- Original Message ----- 

          From: Paul Stewart 

          To: af@afmug.com 

          Sent: Monday, May 11, 2015 11:14 AM

          Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

           

          So it sounds like the original poster (Glen I believe it is) is 
looking to protect equipment that is not his?  Why not just firewall access to 
that equipment specifically or does it still need to be open access?

           

          Firewalling by country is really dangerous … if you do this for every 
country that attacks you, you won’t be talking to the Internet much longer ;)

           

          Something adaptive may be much more suggested … as David has one 
solution for below.

           

          If you are protecting SSH access, consider using SSH keys if 
supported along with fail2ban or other tools …

           

          Just some thoughts..

          Paul

           

           

          From: Af [mailto:af-boun...@afmug.com] On Behalf Of David Milholen
          Sent: Monday, May 11, 2015 7:53 AM
          To: af@afmug.com
          Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

           

          I have a perl script that watches our bind logs for Denied queries 
and places those IPs in a list; then we add that list 
          to our drop-all rule in the gateways for 30 days. This is one level we 
use to prevent poisoning of DNS or cache probes.
          It has seemed to help with a whole bunch of other things as well.

          On 5/8/2015 3:51 PM, Glen Waldrop wrote:

            The problem we run into is that those same folks that are attacking 
our equipment are attacking the equipment behind our routers.

            It is comparatively simple to secure our routers, not quite as easy 
to secure everything behind them, stuff that isn't ours.

             

             

              ----- Original Message ----- 

              From: Sean Heskett 

              To: af@afmug.com 

              Sent: Friday, May 08, 2015 3:33 PM

              Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

               

              Plus whenever the net neutrality rules kick in it'll be illegal. 

               

              Shouldn't be necessary if you have your firewalls setup correctly.

               

              2 cents

               

              -Sean



              On Friday, May 8, 2015, Paul Stewart <p...@paulstewart.org> wrote:

                Ouch… are you sure you want to do that?  I wouldn’t ever tell 
someone how to run their company or network but you are just hiding in my 
opinion from the problems you are possibly having.  What about Romania for 
example?

                 

                I’ve seen a few ISP’s block whole countries and it wasn’t 
pretty…. People couldn’t email relatives in those countries, couldn’t pull up 
websites, companies/business customers couldn’t conduct business etc etc….

                 

                Just a thought :)

                 

                Paul

                 

                 

                From: Af [mailto:af-boun...@afmug.com] On Behalf Of Michael 
Gawlowski
                Sent: Friday, May 8, 2015 3:25 PM
                To: af@afmug.com
                Subject: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

                 

                I have a blocklist of IP’s and CIDR ranges that I would like to 
add in my mikrotik 1100’s and 2011’s.  Two questions:

                 

                1)      What is the best way to add these without doing one 
address or subnet at a time?

                2)      Will there be a significant impact on router 
performance from adding so many rules in the firewall filter?  Most of these 
routers are expected to handle about 50-150Mbps depending on the model and 
location. 

                 

                Thank you,

                 

                Mike Gawlowski

                Triad Wireless, LLC

                4226 S. 37th ST

                Phoenix, AZ 85040

                (602)-426-0542

                Triadwireless.net

                 

           

          -- 


     
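David's approach above (pull the client addresses out of BIND's denied-query log, list them, and let one drop rule reference the list for 30 days) also answers Michael's bulk-load question, since a RouterOS address-list holds thousands of entries behind a single filter rule. What follows is an added example, not David's Perl script or anything posted in the thread: Python over constructed BIND 9 log lines, with a constructed "own network" skip list so a misconfigured customer is never blocklisted; the list name, the input-chain placement and the sample addresses are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample BIND 9 query-log lines (not real traffic). The "@0x..." token
# appears only in newer BIND versions; both forms are accepted.
SAMPLE_LOG = """\
11-May-2015 07:41:02.118 client 203.0.113.45#53521 (example.com): query (cache) 'example.com/A/IN' denied
11-May-2015 07:41:02.904 client @0x7f3c1c0a2b60 198.51.100.7#4096 (isc.org): query (cache) 'isc.org/ANY/IN' denied
11-May-2015 07:41:03.220 client 203.0.113.45#53522 (example.org): query (cache) 'example.org/A/IN' denied
11-May-2015 07:41:05.001 client 192.0.2.10#5353 (customer.example): query: customer.example IN A + (192.0.2.1)
11-May-2015 07:41:05.770 client 10.20.30.40#1025 (example.com): query (cache) 'example.com/A/IN' denied
11-May-2015 07:41:06.330 client 2001:db8::beef#3300 (example.net): query (cache) 'example.net/AAAA/IN' denied
"""

# Client address of a BIND "query (cache) ... denied" line (recursion refused).
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*: query \(cache\) '.*' denied$")
# Constructed stand-in for the operator's own address space: a denied query from
# here is a misconfigured customer, not an attacker, and must never be listed.
OWN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "2001:db8:1::/48")]

def denied_clients(log_text, skip_nets=OWN_NETS):
    """Return {client_ip: denied_count} for outside clients only."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # garbled line, not an address
            continue
        if any(ip in net for net in skip_nets):
            continue
        hits[str(ip)] += 1
    return dict(hits)

def routeros_script(clients, list_name="dns-abusers", timeout="30d"):
    """RouterOS CLI: one auto-expiring address-list entry per client and a single
    drop rule per family keyed on the list, instead of one filter rule per address."""
    lines = []
    for ip in sorted(clients, key=lambda a: (ipaddress.ip_address(a).version, ipaddress.ip_address(a))):
        fam = "/ipv6" if ":" in ip else "/ip"
        lines.append(f'{fam} firewall address-list add list={list_name} address={ip} '
                     f'timeout={timeout} comment="bind denied x{clients[ip]}"')
    for fam in ("/ip", "/ipv6"):
        lines.append(f"{fam} firewall filter add chain=input src-address-list={list_name} action=drop")
    return "\n".join(lines)
```

Run `print(routeros_script(denied_clients(SAMPLE_LOG)))` to get a script you can paste into the RouterOS terminal; the `timeout=30d` makes each entry age out on its own, so the list never needs manual pruning.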
