ok I added the /30 on my upstream to the allow list

On Sat, Oct 22, 2016 at 12:33 PM, Mike Hammett <af...@ics-il.net> wrote:

> The IP address on your upstream interface needs to be able to respond to
> ICMP and other requests.
>
>
> 10.0.0.0/30 Network
> 10.0.0.1/30 Their Router
> 10.0.0.2/30 Your Router
> 10.0.0.3/30 Broadcast
>
>
> 10.0.0.2 needs to be able to respond to things and the firewall should be
> blocking it if not otherwise allowed.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Kurt Fankhauser" <lists.wavel...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Saturday, October 22, 2016 11:24:40 AM
> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> Mike,
>
> Thank you for sharing this Mikrotik Firewall rule! I was at the WISPPlooza
> session on internet security and first heard of this spoofing problem and
> about how you should drop this traffic. I implemented the rule and logged
> it before I flat out dropped it and just in 60 seconds I was seeing
> thousands of packets showing up in my Mikrotik Log. Apparently I was being
> used as a spoof relay. I also noticed a slight decrease in overall traffic
> going out to my upstream provider. I cannot believe how easy it was to
> implement this rule with Mikrotik. One thing I did not do was add my
> upstream's /30 BGP address to the allow list. Why should I do that? My BGP
> is still working without it.
>
> On Sat, Oct 22, 2016 at 10:14 AM, Mike Hammett <af...@ics-il.net> wrote:
>
>> Here's a tested config that works with standard IP Firewall. Once I get a
>> chance, I'll make and test a version that uses raw.
>>
>> /ip firewall address-list
>> add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
>> add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
>> add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" list=Public_Networks
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Block Spoofed Traffic"
>> out-interface=[upstream interface] src-address-list=!Public_Networks
>>
>>
>> ------------------------------
>> *From: *"Mike Hammett" <af...@ics-il.net>
>> *To: *af@afmug.com
>> *Sent: *Friday, October 21, 2016 12:17:13 PM
>> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> /ip firewall address-list
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" dst-address-list=!"Public-IPs"
>>
>> That was largely composed off of the top of my head and typed on my
>> phone, so it may not be completely accurate.
>>
>>
>> You should also do it on customer-facing ports, not allowing anything to
>> come in, but that would be best approached once Mikrotik adds the
>> per-interface setting for unicast reverse path filtering. You would then set
>> customer-facing interfaces to strict and all other interfaces to loose.
>> They accepted the feature request, just haven't implemented it yet.
>>
>> ------------------------------
>> *From: *"Mike Hammett" <af...@ics-il.net>
>> *To: *af@afmug.com
>> *Sent: *Friday, October 21, 2016 11:21:35 AM
>> *Subject: *[AFMUG] Another large DDoS, Stop Being a Dick
>>
>> There's another large DDoS going on now. Go to this page to see if you
>> can be used for UDP amplification (or other spoofing) attacks:
>>
>> https://www.caida.org/projects/spoofer/
>>
>> Go to these pages for more longer term bad behavior monitoring:
>>
>> https://www.shadowserver.org/wiki/
>> https://radar.qrator.net/
>>
>>
>> Maybe we need to start a database of ASNs WISPs are using and start
>> naming and shaming them when they have bad actors on their network. This is
>> serious, people. Take it seriously.
>>
>
>
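As an added example that is not part of the thread, the following Python models the forward-chain egress rule Mike posted (an address list of the prefixes you legitimately originate, and a drop for anything leaving the upstream interface from a source outside it), then runs it over constructed packets the way Kurt's log-before-drop trial would. The prefixes use RFC 5737 documentation ranges and the interface name "ether1-upstream" is assumed.

```python
"""Model of the RouterOS egress anti-spoofing rule from the thread (added
example). Prefixes and packets are constructed from RFC 5737 ranges; the
upstream interface name is an assumption."""
import ipaddress
from collections import Counter

UPSTREAM_IF = "ether1-upstream"  # assumed upstream interface name

# Address list "Public_Networks": our own space, the upstream /30 and a
# downstream customer's allocation, mirroring the thread's address-list.
PUBLIC_NETWORKS = [ipaddress.ip_network(p) for p in (
    "198.51.100.0/24",  # "My IPs" (constructed)
    "203.0.113.0/30",   # "Upstream /30" (constructed)
    "192.0.2.0/24",     # "Customer ABC's ARIN allocation" (constructed)
)]

def in_address_list(src):
    """Equivalent of src-address-list=Public_Networks for one source IP."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in PUBLIC_NETWORKS)

def filter_forward(src, out_if):
    """Forward-chain rule: drop when the packet leaves via the upstream
    interface from a source NOT in the list (the '!' negation); else accept."""
    if out_if == UPSTREAM_IF and not in_address_list(src):
        return "drop"
    return "accept"

def audit(packets):
    """Log-first view: overall verdict counts plus drops per source, which
    is what reveals a network being used as a spoof relay."""
    verdicts, spoofed = Counter(), Counter()
    for src, out_if in packets:
        verdict = filter_forward(src, out_if)
        verdicts[verdict] += 1
        if verdict == "drop":
            spoofed[src] += 1
    return verdicts, spoofed

# Constructed sample of forwarded packets: (source IP, outgoing interface).
SAMPLE_PACKETS = [
    ("198.51.100.25", UPSTREAM_IF),      # our customer, legitimate
    ("192.0.2.7", UPSTREAM_IF),          # downstream customer, legitimate
    ("203.0.113.2", UPSTREAM_IF),        # our side of the /30, listed so allowed
    ("10.20.30.40", UPSTREAM_IF),        # spoofed: RFC 1918 source
    ("10.20.30.40", UPSTREAM_IF),        # spoofed: same source again
    ("100.64.0.5", UPSTREAM_IF),         # spoofed: space we do not originate
    ("100.64.0.5", "ether2-customers"),  # inbound; out-interface does not match
]
```

Calling `audit(SAMPLE_PACKETS)` returns the accept/drop totals and a per-source drop count; the second value is the list you would read before turning the rule from `log` to `drop`.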
