The IP address on your upstream interface needs to be able to respond to 
ICMP and other requests. 


10.0.0.0/30 Network 
10.0.0.1/30 Their Router 
10.0.0.2/30 Your Router 
10.0.0.3/30 Broadcast 


10.0.0.2 needs to be able to respond to things and the firewall should be 
blocking it if not otherwise allowed. 




----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




----- Original Message -----

From: "Kurt Fankhauser" <lists.wavel...@gmail.com> 
To: af@afmug.com 
Sent: Saturday, October 22, 2016 11:24:40 AM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 



Mike, 


Thank you for sharing this Mikrotik Firewall rule! I was at the WISPPlooza 
session on internet security and first heard of this spoofing problem and about 
how you should drop this traffic. I implemented the rule and logged it before I 
flat out dropped it and just in 60 seconds I was seeing thousands of packets 
showing up in my Mikrotik Log. Apparently I was being used as a spoof relay. I 
also noticed a slight decrease in overall traffic going out to my upstream 
provider. I cannot believe how easy it was to implement this rule with 
Mikrotik. One thing I did not do was add my upstreams /30 BGP address to the 
allow list. Why should I do that? My BGP is still working without it. 


On Sat, Oct 22, 2016 at 10:14 AM, Mike Hammett < af...@ics-il.net > wrote: 




Here's a tested config that works with standard IP Firewall. Once I get a 
chance, I'll make and test a version that uses raw. 

/ip firewall address-list 
add address=x.x.x.x/yy comment="My IPs" list=Public_Networks 
add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks 
add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" list=Public_Networks 

/ip firewall filter 
add action=drop chain=forward comment="Block Spoofed Traffic" 
out-interface=[upstream interface] src-address-list=!Public_Networks 











From: "Mike Hammett" < af...@ics-il.net > 
To: af@afmug.com 
Sent: Friday, October 21, 2016 12:17:13 PM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 




/ip firewall address-list 
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs" 
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs" 

/ip firewall filter 
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no 
out-interface="To-Upstream" dst-address-list=!"Public-IPs" 

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate. 


You should also do it on customer-facing ports, not allowing anything to come 
in, but that would be best approached once Mikrotik adds the per-interface 
setting for unicast reverse path filtering. You would then set said customer-facing 
interfaces to strict and all other interfaces to loose. They accepted the 
feature request, just haven't implemented it yet. 




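The tested rule further up the thread matches on src-address-list, while this earlier draft matched on dst-address-list. As an added example (Python, not RouterOS code and not from the thread), the model below approximates just enough of the /ip firewall filter semantics to show what each form actually matches: transit packets go through the forward chain, packets the router itself sends (the BGP session, ICMP replies) go through the output chain, rules are tried in order with first match winning, and a leading ! inverts an address-list match. Addresses, interface names and packets are constructed for the example (the RFC 5737 documentation ranges 198.51.100.0/24 and 203.0.113.0/25 stand in for the x.x.x.x/yy placeholders; 10.0.0.0/30 is the upstream /30 used as an illustration in the thread).

```python
"""Model of the MikroTik egress (BCP38) filter discussed in this thread.

Added example, not RouterOS code and not from the thread: it approximates
just enough of /ip firewall filter semantics to show what the rules match.
Rules are evaluated in order within a chain, first match wins, and an
unmatched packet is accepted. Transit packets use the forward chain;
packets the router itself sends (BGP, ICMP replies) use the output chain.
All addresses, interface names and packets are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    out_interface: str
    router_originated: bool = False  # True for the router's own traffic


@dataclass
class Rule:
    chain: str                              # "forward" or "output"
    action: str                             # "drop" or "accept"
    out_interface: Optional[str] = None     # None means "any interface"
    src_address_list: Optional[str] = None  # "!name" negates, as in RouterOS
    dst_address_list: Optional[str] = None


AddressLists = Dict[str, List[ipaddress.IPv4Network]]


def matches_list(address: str, spec: Optional[str], lists: AddressLists) -> bool:
    """Evaluate an address-list matcher; a leading '!' inverts the result."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    name = spec[1:] if negate else spec
    ip = ipaddress.ip_address(address)
    hit = any(ip in net for net in lists[name])
    return hit != negate


def verdict(packet: Packet, rules: List[Rule], lists: AddressLists) -> str:
    """Return 'drop' or 'accept' for one packet; first matching rule wins."""
    chain = "output" if packet.router_originated else "forward"
    for rule in rules:
        if rule.chain != chain:
            continue
        if rule.out_interface is not None and rule.out_interface != packet.out_interface:
            continue
        if not matches_list(packet.src, rule.src_address_list, lists):
            continue
        if not matches_list(packet.dst, rule.dst_address_list, lists):
            continue
        return rule.action
    return "accept"  # RouterOS default when nothing matches


# Stand-ins for the x.x.x.x/yy placeholders: RFC 5737 documentation ranges
# for "My IPs" and the customer allocation, plus the thread's upstream /30.
PUBLIC_NETWORKS: AddressLists = {
    "Public_Networks": [
        ipaddress.ip_network("198.51.100.0/24"),  # My IPs
        ipaddress.ip_network("10.0.0.0/30"),      # Upstream /30
        ipaddress.ip_network("203.0.113.0/25"),   # Customer ABC's allocation
    ]
}

UPSTREAM = "ether1-upstream"

# Tested rule: drop transit traffic leaving upstream whose SOURCE is not ours.
TESTED_RULES = [Rule("forward", "drop", out_interface=UPSTREAM,
                     src_address_list="!Public_Networks")]

# Earlier draft: same rule, but matching on DESTINATION instead.
DRAFT_RULES = [Rule("forward", "drop", out_interface=UPSTREAM,
                    dst_address_list="!Public_Networks")]

# Constructed packets.
PACKETS = {
    # A customer host spoofing a source we do not own (the "spoof relay" case).
    "spoofed": Packet("192.0.2.77", "8.8.8.8", UPSTREAM),
    # Ordinary outbound traffic from customer ABC.
    "customer": Packet("203.0.113.10", "8.8.8.8", UPSTREAM),
    # The router's own BGP session on the /30: output chain, not forward.
    "bgp": Packet("10.0.0.2", "10.0.0.1", UPSTREAM, router_originated=True),
    # Inbound transit towards a customer leaves via a customer-facing port.
    "inbound": Packet("8.8.8.8", "203.0.113.10", "ether2-customers"),
}


def run_examples() -> Dict[str, Dict[str, str]]:
    """Evaluate every constructed packet under both rule sets."""
    return {
        "tested": {n: verdict(p, TESTED_RULES, PUBLIC_NETWORKS) for n, p in PACKETS.items()},
        "draft": {n: verdict(p, DRAFT_RULES, PUBLIC_NETWORKS) for n, p in PACKETS.items()},
    }


if __name__ == "__main__":
    for ruleset, results in run_examples().items():
        for name, action in results.items():
            print(f"{ruleset:6s} {name:8s} -> {action}")
```

Under the src-address-list form only the spoofed packet is dropped; customer traffic, inbound transit and the router's own BGP packets are accepted. Under the dst-address-list draft the same spoofed packet is dropped, but so is the customer's ordinary traffic to 8.8.8.8, because any destination outside the list matches the negated matcher. The BGP packet is unaffected by either rule set because a forward-chain rule never sees router-originated traffic in this model, which is also why a rule like this can be logged first and dropped later without touching the BGP session.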






From: "Mike Hammett" < af...@ics-il.net > 
To: af@afmug.com 
Sent: Friday, October 21, 2016 11:21:35 AM 
Subject: [AFMUG] Another large DDoS, Stop Being a Dick 


There's another large DDoS going on now. Go to this page to see if you can be 
used for UDP amplification (or other spoofing) attacks: 

https://www.caida.org/projects/spoofer/ 

Go to these pages for longer-term bad behavior monitoring: 

https://www.shadowserver.org/wiki/ 
https://radar.qrator.net/ 


Maybe we need to start a database of ASNs WISPs are using and start naming and 
shaming them when they have bad actors on their network. This is serious, 
people. Take it seriously. 














