Mikrotik Security
Contact: www.winet.ca
[Figure: the CIA triad (Confidentiality, Integrity, Availability) under the heading "Network Security: What Can We Do?"]
Types of Attacks
[Figure: attacks / threats, divided into active and passive]
Threats
DDoS: Distributed Denial of Service
• A DoS attack is a malicious attempt by a single person or a group of people to cause the victim site or node to deny service to its customers; in a DDoS the attempt comes from many distributed sources at once.
DDOS 18
How to detect?
• CPU load: /system resource monitor
• Malicious connections: /tool torch
DDOS : MITIGATION
• Connection limit
/ip firewall filter
add chain=input protocol=tcp connection-limit=LIMIT,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
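The slide's rule only puts offenders on an address list; something still has to act on that list. Added example, not the slides' own rule set: LIMIT is replaced by an assumed value of 100 concurrent connections per /32 source, and the tarpit rule is the pattern from the RouterOS wiki.

```routeros
# Added example, not the slides' own rule set: the slide's rule only tags
# offenders, so a second rule has to act on the "blocked-addr" list.
# Assumed value: LIMIT replaced by 100 concurrent connections per /32 source.
/ip firewall filter
# Sources already on the list: once such a source holds more than 3
# connections, tarpit keeps the rest half-open and idle instead of spending
# CPU on them (RouterOS wiki pattern)
add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 \
    action=tarpit comment="DoS: slow down listed sources"
# Any source holding more than 100 TCP connections to the router is listed for a day
add chain=input protocol=tcp connection-limit=100,32 \
    action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d comment="DoS: tag sources over the connection limit"
# Check who was caught; dynamic entries show their remaining timeout
/ip firewall address-list print where list=blocked-addr
```

Tune the 100-connection threshold to the services the router itself terminates (VPN, web proxy, hotspot), otherwise busy legitimate clients end up on the list.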
TCP SYN Attack
• TCP SYN flood is a type of Distributed Denial of Service
(DDoS) attack that exploits part of the normal TCP three-way
handshake to consume resources on the targeted server and
render it unresponsive.
• Essentially, with SYN flood DDoS, the offender sends TCP
connection requests faster than the targeted machine can
process them, causing network saturation.
TCP SYN 24
[Figure: a SYN flood, a stream of SYN packets sent at the router]
• It exhausts router resources and degrades the router's performance.
Preventing TCP SYN Attack
• Rate-limit each new TCP connection
• Reduce the syn-received timer
• Enable TCP SYN cookies
• Create firewall rules that prevent a TCP SYN flood (filter table)
• Raw table variant: drop SYN-flood traffic in the raw table, before connection tracking sees it
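The three measures above put together, plus the raw-table variant. Added example, not the slides' configuration: the rate of 400 SYNs per second with a burst of 5, the 5s timer and the reuse of the "blocked-addr" list are assumed values.

```routeros
# Added example, not the slides' own configuration. Assumed values: 400 new
# SYNs per second with a burst of 5, a 5s syn-received timer, and the
# "blocked-addr" address list fed by the connection-limit rule.
# 1. SYN cookies: reply to SYNs without allocating state until the ACK arrives
/ip settings set tcp-syncookies=yes
# 2. Shorten how long a half-open connection stays in the tracking table
/ip firewall connection tracking set tcp-syn-received-timeout=5s
# 3. Rate-limit new inbound TCP connections in a dedicated chain
/ip firewall filter
add chain=input protocol=tcp tcp-flags=syn connection-state=new \
    action=jump jump-target=SYN-Protect comment="SYN flood protect"
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
    limit=400,5:packet action=accept comment="SYN within rate: accept"
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
    action=drop comment="SYN over rate: drop"
# 4. Raw table variant: SYNs from already-listed sources are dropped before
#    connection tracking, the cheapest place to discard a flood
/ip firewall raw
add chain=prerouting protocol=tcp tcp-flags=syn,!ack src-address-list=blocked-addr \
    action=drop comment="SYN flood: drop listed sources before conntrack"
# Verify: the drop rule's counters show how many SYNs exceeded the rate
/ip firewall filter print stats where chain=SYN-Protect
```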
DHCP Starvation
• Target: DHCP servers
• Objective: exhaust all IP addresses the DHCP server can allocate
• Under this attack, legitimate network users can be denied service.
DHCP Starvation 31
Preventing DHCP Starvation
• Restrict the number of MAC addresses allowed on the switch port
How? Port Security on CRS3xxx
Create a rule to allow the given MAC address and drop all other traffic on ether1 (for ingress traffic):
• Switch all required ports together
• Disable MAC learning
• Disable unknown unicast flooding on ether1
Add a static hosts entry for 64:D1:54:81:EF:8E (for egress traffic):
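The port-security steps above as one configuration. Added example, not the slides' own commands: the switch chip name "switch1" and bridge name "bridge1" are assumed; the allowed host is the MAC the slides name, 64:D1:54:81:EF:8E, behind ether1.

```routeros
# Added example, not the slides' own commands. Assumed names: switch chip
# "switch1", bridge "bridge1"; the allowed host 64:D1:54:81:EF:8E is on ether1.
# Ingress on ether1: switch ACL rules are evaluated in order. The first lets
# frames from the known MAC through, the second (empty new-dst-ports) drops
# everything else, so a starvation client cycling random MACs gets nothing out
/interface ethernet switch rule
add switch=switch1 ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF \
    comment="port security: allow the known host on ether1"
add switch=switch1 ports=ether1 new-dst-ports="" \
    comment="port security: drop every other source MAC on ether1"
# Bridge the ports with hardware offload; on ether1 turn off MAC learning and
# unknown-unicast flooding so no other host can be learned or reached there
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes learn=no unknown-unicast-flood=no
add bridge=bridge1 interface=ether2 hw=yes
# Egress: with learning off, a static host entry tells the bridge where the
# allowed MAC lives, so DHCP offers and other replies still reach it
/interface bridge host
add bridge=bridge1 interface=ether1 mac-address=64:D1:54:81:EF:8E
# Verify: only the static entry should appear for ether1, nothing dynamic
/interface bridge host print where interface=ether1
```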
DHCP Rogue: a DHCP server on a network that is not under the administrative control of the network staff
DHCP Rogue 36
[Figure: our tower (WISP, hotspot, etc.) with the legitimate DHCP server, ports ether1 and ether2 carrying fiber, wireless or copper links, and a rogue DHCP server attached on ether3]
Solution: DHCP Snooping (RouterOS 6.43+)
• DHCP snooping is a Layer 2 security feature that stops unauthorized DHCP servers from handing out malicious information to users.
• How?
• In RouterOS you specify which bridge ports are trusted (where the known DHCP server resides and DHCP messages should be forwarded) and which are untrusted (usually access ports; DHCP server messages received on them are dropped).
SW1 (both ports lead towards the DHCP server, so both are trusted):
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1 trusted=yes
add bridge=bridge interface=ether2 trusted=yes
/interface bridge
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes

SW2 (only the uplink ether2 is trusted; ether1 and ether3 are access ports):
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 trusted=yes
add bridge=bridge interface=ether3
/interface bridge
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes
UDP Flood
• UDP flood is a type of Denial of Service (DoS) attack in
which the attacker overwhelms random ports on the
targeted host with IP packets containing UDP
datagrams.
UDP Flood 41
How to mitigate a UDP Flood Attack
• Disable the DNS forwarder on MikroTik if not required.
• If "IP -> DNS" Allow Remote Requests is enabled, make sure an appropriate filter rule is in place to block incoming DNS attacks.
• Rate-limit each new UDP connection.
• Block UDP traffic from outside.
• Disable "Allow Remote Requests" on the router if not required
• Block DNS request (udp/53) traffic from outside
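The UDP flood measures above as firewall configuration. Added example, not the slides' own rules: it assumes the uplink is in an interface list named "WAN", and the rate of 100 new UDP flows per second with a burst of 20 is an assumed starting value.

```routeros
# Added example, not the slides' own configuration. Assumes the uplink is in
# the interface list "WAN"; 100 new UDP flows per second with a burst of 20
# is an assumed starting rate. The rest of the input chain is not shown.
# 1. Close the open resolver: the router stops answering DNS for anyone
/ip dns set allow-remote-requests=no
# 2. If the LAN still needs the forwarder, keep remote requests on but drop
#    DNS arriving from outside; TCP as well, since DNS falls back to it
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="UDP flood: no DNS queries from outside"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="UDP flood: no DNS queries from outside (TCP)"
# 3. Replies to the router's own traffic stay allowed; new UDP from outside
#    is accepted only within the rate and the excess is dropped
add chain=input connection-state=established,related action=accept \
    comment="UDP flood: replies to the router's own queries"
add chain=input in-interface-list=WAN protocol=udp connection-state=new \
    limit=100,20:packet action=accept comment="UDP flood: new UDP within rate"
add chain=input in-interface-list=WAN protocol=udp connection-state=new \
    action=drop comment="UDP flood: new UDP over rate"
# 4. Verify the DNS setting and watch the drop counters during an attack
/ip dns print
/ip firewall filter print stats where comment~"UDP flood"
```

To block all unsolicited UDP from outside, as the last bullet suggests, simply leave out the rate-limited accept rule; the drop rule then catches every new UDP flow from the WAN.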
Brute Force Attack
• A Brute Force Attack is the simplest method to gain access to
a site or server (or anything that is password protected). It
tries various combinations of usernames and passwords
again and again until it gets in.
• This repetitive action is like an army attacking a fort.
Brute Force 49
Prevention: Brute Force Attack
• Limit failed login attempts and lock out users after a maximum number of failed attempts.
• Don't use default ports.
• Limit logins to a specified IP address or range.
• Use complex passwords and change them periodically.
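The four prevention points above as RouterOS configuration. Added example, not the slides' own rules: the management network 192.168.88.0/24, SSH on port 2222, and the lockout threshold (three new connections within a minute, blacklisted for a day) are assumed values; the staged address-list ladder is the pattern from the RouterOS wiki.

```routeros
# Added example, not the slides' own configuration. Assumed values:
# management range 192.168.88.0/24, SSH moved to 2222, a source that opens
# 3 new SSH connections within 1 minute is blacklisted for 1 day.
# 1. Non-default port, reachable only from the management range; unused services off
/ip service set ssh port=2222 address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service disable telnet,ftp,www,api
# 2. Lockout ladder: the firewall cannot see a failed login, so it counts new
#    SSH connections per source. A real admin logs in once; a password guesser
#    reconnects over and over and climbs stage1 -> stage2 -> stage3 -> blacklist.
/ip firewall filter
add chain=input protocol=tcp dst-port=2222 src-address-list=ssh_blacklist \
    action=drop comment="brute force: drop blacklisted sources"
add chain=input protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1d
add chain=input protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=2222 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
# 3. Strong password, changed on a schedule; the value here is a placeholder
/user set admin password="<strong-passphrase-here>"
# Review who got locked out
/ip firewall address-list print where list=ssh_blacklist
```

The rules must sit in this order (blacklist drop first, stage rules from highest to lowest), otherwise a single connection climbs several stages at once.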
• Port knocking is a method that grants access to the router only after receiving a sequence of connection attempts on a set of pre-specified ports.
Port Knocking 51
PORT-KNOCKING
/ip firewall filter
add action=add-src-to-address-list address-list="stage1" address-list-timeout=1m chain=input dst-port=8000 protocol=tcp
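The slide shows only the first knock. Added example, not the slides' own rules beyond stage 1: port 8000 is the slides' first knock; the second and third knocks on 9000 and 7000, the one-minute stage timeouts and the 30-minute access window are assumed values.

```routeros
# Added example, not the slides' own rules beyond stage 1. Assumed values:
# knocks 2 and 3 on ports 9000 and 7000, 1m per stage, 30m of access.
/ip firewall filter
# Knock 1: any TCP connection attempt to 8000 puts the source in stage1 for 1m
add chain=input protocol=tcp dst-port=8000 \
    action=add-src-to-address-list address-list=stage1 address-list-timeout=1m
# Knock 2: only a source already in stage1 advances to stage2, so hitting
# 9000 on its own does nothing
add chain=input protocol=tcp dst-port=9000 src-address-list=stage1 \
    action=add-src-to-address-list address-list=stage2 address-list-timeout=1m
# Knock 3: a source in stage2 is granted access for 30 minutes
add chain=input protocol=tcp dst-port=7000 src-address-list=stage2 \
    action=add-src-to-address-list address-list=secured address-list-timeout=30m
# Management (SSH 22, Winbox 8291) is reachable only from "secured";
# every other attempt is dropped
add chain=input protocol=tcp dst-port=22,8291 src-address-list=secured \
    action=accept comment="port knocking: admin access after a correct sequence"
add chain=input protocol=tcp dst-port=22,8291 action=drop \
    comment="port knocking: no access without the sequence"
# The knock ports need no listening service; the firewall only observes
# the attempts. Check who currently holds access:
/ip firewall address-list print where list=secured
```

Because add-src-to-address-list does not terminate rule processing, the knock rules can sit above the accept/drop pair without affecting other input traffic.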