I actually worked with ATT tech support to open up some ports for NVR...
They were pretty good and client has app on phone with alerts on door
sensors connected to cameras. Different subnet from his network... Hope
it doesn't get hacked...

On Oct 22, 2016 10:33 AM, "Mike Hammett" <af...@ics-il.net> wrote:

> The IP address on your upstream interface needs to be able to respond to
> ICMP and other requests.
>
>
> 10.0.0.0/30 Network
> 10.0.0.1/30 Their Router
> 10.0.0.2/30 Your Router
> 10.0.0.3/30 Broadcast
>
>
> 10.0.0.2 needs to be able to respond to things and the firewall should be
> blocking it if not otherwise allowed.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Kurt Fankhauser" <lists.wavel...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Saturday, October 22, 2016 11:24:40 AM
> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> Mike,
>
> Thank you for sharing this Mikrotik Firewall rule! I was at the WISPPlooza
> session on internet security and first heard of this spoofing problem and
> about how you should drop this traffic. I implemented the rule and logged
> it before I flat out dropped it, and in just 60 seconds I was seeing
> thousands of packets showing up in my Mikrotik Log. Apparently I was being
> used as a spoof relay. I also noticed a slight decrease in overall traffic
> going out to my upstream provider. I cannot believe how easy it was to
> implement this rule with Mikrotik. One thing I did not do was add my
> upstream's /30 BGP address to the allow list. Why should I do that? My BGP
> is still working without it.
>
> On Sat, Oct 22, 2016 at 10:14 AM, Mike Hammett <af...@ics-il.net> wrote:
>
>> Here's a tested config that works with standard IP Firewall. Once I get a
>> chance, I'll make and test a version that uses raw.
>>
>> /ip firewall address-list
>> add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
>> add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
>> add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" list=Public_Networks
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Block Spoofed Traffic" out-interface=[upstream interface] src-address-list=!Public_Networks
>>
>>
>>
>>
>> ------------------------------
>> *From: *"Mike Hammett" <af...@ics-il.net>
>> *To: *af@afmug.com
>> *Sent: *Friday, October 21, 2016 12:17:13 PM
>> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> /ip firewall address-list
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!Public-IPs
>>
>> That was largely composed off of the top of my head and typed on my
>> phone, so it may not be completely accurate.
>>
>>
>> You should also do it on customer-facing ports, not allowing anything to
>> come in, but that would be best approached once Mikrotik adds the
>> per-interface setting for unicast reverse path filtering. You would then
>> set customer-facing interfaces to strict and all other interfaces to
>> loose. They accepted the feature request, just haven't implemented it yet.
>>
>>
>>
>> ------------------------------
>> *From: *"Mike Hammett" <af...@ics-il.net>
>> *To: *af@afmug.com
>> *Sent: *Friday, October 21, 2016 11:21:35 AM
>> *Subject: *[AFMUG] Another large DDoS, Stop Being a Dick
>>
>> There's another large DDoS going on now. Go to this page to see if you
>> can be used for UDP amplification (or other spoofing) attacks:
>>
>> https://www.caida.org/projects/spoofer/
>>
>> Go to these pages for longer-term bad-behavior monitoring:
>>
>> https://www.shadowserver.org/wiki/
>> https://radar.qrator.net/
>>
>>
>> Maybe we need to start a database of ASNs WISPs are using and start
>> naming and shaming them when they have bad actors on their network. This is
>> serious, people. Take it seriously.
>>
>>
>>
>
>
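The forward-chain rule quoted in the thread implements BCP38-style egress filtering: anything leaving toward the upstream whose source is not in your own address list is spoofed and gets dropped. The following is an added example, not code from the thread or from Mikrotik; it models that address-list match in Python so the two points the thread raises can be seen side by side: what happens to traffic sourced from the upstream /30 when that /30 is left out of the list, and why the draft rule's `dst-address-list` match (instead of `src-address-list`) would have dropped legitimate outbound traffic. The prefixes and packets are constructed from RFC 5737 documentation ranges plus the 10.0.0.0/30 link from the thread.

```python
"""
Egress anti-spoofing check modelled on the Mikrotik rule in the thread.
Added example, not code from the thread; prefixes and packets are constructed.
"""
import ipaddress
from collections import Counter

# Constructed stand-in for the Public_Networks address list.
PUBLIC_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),  # "My IPs" (constructed)
    ipaddress.ip_network("203.0.113.0/25"),   # "Customer ABC's ARIN allocation" (constructed)
]
UPSTREAM_LINK = ipaddress.ip_network("10.0.0.0/30")  # the upstream /30 from the thread


def build_allow_list(include_upstream_link=True):
    """The address list as installed, with or without the 'Upstream /30' entry."""
    nets = list(PUBLIC_NETWORKS)
    if include_upstream_link:
        nets.append(UPSTREAM_LINK)
    return nets


def is_allowed(addr, allow_list):
    """True when addr falls inside any prefix of the allow list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allow_list)


def egress_decision(pkt, allow_list, match_on="src"):
    """Return 'forward' or 'drop' for one packet, mirroring the forward-chain rule.

    match_on="src" is the tested rule (src-address-list=!Public_Networks):
    a packet leaving toward the upstream with a source we do not own is spoofed.
    match_on="dst" reproduces the draft's dst-address-list mistake, which
    instead drops almost every legitimate packet bound for the internet.
    """
    if pkt["out_iface"] != "upstream":
        return "forward"  # out-interface=[upstream interface] does not match
    field = pkt["src"] if match_on == "src" else pkt["dst"]
    return "forward" if is_allowed(field, allow_list) else "drop"


def filter_packets(packets, allow_list, match_on="src"):
    """Apply the rule to every packet and tally drops per source address,
    the view a log-only version of the rule gives before switching to drop."""
    decisions = [(pkt, egress_decision(pkt, allow_list, match_on)) for pkt in packets]
    dropped_by_src = Counter(pkt["src"] for pkt, d in decisions if d == "drop")
    return decisions, dropped_by_src


# Constructed sample traffic as seen by the border router.
SAMPLE_PACKETS = [
    {"src": "198.51.100.10", "dst": "192.0.2.1", "out_iface": "upstream"},     # own customer
    {"src": "203.0.113.5", "dst": "192.0.2.1", "out_iface": "upstream"},       # customer ABC
    {"src": "192.0.2.200", "dst": "192.0.2.1", "out_iface": "upstream"},       # spoofed source
    {"src": "192.0.2.200", "dst": "192.0.2.2", "out_iface": "upstream"},       # spoofed source
    {"src": "10.0.0.2", "dst": "192.0.2.1", "out_iface": "upstream"},          # sourced from the link /30
    {"src": "192.0.2.1", "dst": "198.51.100.10", "out_iface": "customer"},     # inbound, rule not applied
]


def summarize(match_on="src", include_upstream_link=True):
    """Forward/drop counts for the sample traffic plus the per-source drop tally."""
    allow_list = build_allow_list(include_upstream_link)
    decisions, dropped = filter_packets(SAMPLE_PACKETS, allow_list, match_on)
    return {
        "forward": sum(1 for _, d in decisions if d == "forward"),
        "drop": sum(1 for _, d in decisions if d == "drop"),
        "dropped_sources": dict(dropped),
    }


if __name__ == "__main__":
    print("tested rule, /30 listed: ", summarize("src", True))
    print("tested rule, /30 omitted:", summarize("src", False))
    print("draft rule (dst match):  ", summarize("dst", True))
```

With the /30 listed, only the two spoofed packets are dropped and the tally points at the forged source address; with the /30 omitted, traffic sourced from 10.0.0.2 is dropped as well, which is the case the thread argues about. Matching on destination instead of source drops every packet bound for the internet and forwards only the inbound one.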
