Mikrotik Security

Computer systems and network engineer with certifications in Mikrotik, CompTIA Network+, and Security+. Provides network security services including detecting and mitigating various types of attacks such as DDoS, TCP SYN floods, DHCP starvation, rogue DHCP servers, UDP floods, brute force attacks, and port knocking to prevent unauthorized access. Contact for additional details on network security solutions.


Career

Computer Systems & Network Engineer
Software developer
Winet Canada: Master Distributor
Mikrotik Certified Trainer

Certifications:
MTCNA – MTCRE – MTCSE – MTCTCE – MTCUME – MTCWE – Trainer
CompTIA Network+, Security+

Contact: www.winet.ca
Network Security: Integrity, Confidentiality, Availability

What Can We Do?

Types of Attacks / Threats
• Active: Interruption, Modification, Fabrication
• Passive: Interception
Threats
DDoS: Distributed Denial of Service
• A DoS attack is a malicious attempt by a single person or a
group of people to cause the victim site or node to deny
service to its customers.

• DoS = when a single host attacks


• DDoS = when multiple hosts attack simultaneously

DDOS 18
How to detect?

Are there too many connections in the SYN-SENT state?

/ip firewall connection print

DDOS 19
How to detect?

High traffic (pps) passing through any interface?

/interface monitor-traffic interface_name

DDOS 20
How to detect?

High CPU load?

/system resource monitor

DDOS 21
How to detect?

Malicious Connections?

/tool torch
DDOS 22
DDOS : MITIGATION
• Connection Limit
/ip firewall filter
add chain=input protocol=tcp connection-limit=LIMIT,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
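The detection slides ask whether a source holds too many SYN-SENT connections, and the rule above answers with connection-limit=LIMIT,32. The Python below is an added example (not from the original slides or from MikroTik) that reads a constructed sample of `/ip firewall connection print` output, counts SYN-SENT connections per source, and models which source blocks a connection-limit rule would push into blocked-addr; the netmask argument generalizes the slide's ",32" to any prefix length.

```python
import ipaddress
from collections import Counter

# Constructed sample laid out like `/ip firewall connection print` (not captured
# from a real router): index, protocol, src, dst, tcp-state (tcp only), timeout.
SAMPLE_CONNECTIONS = """\
 # PR.. SRC-ADDRESS          DST-ADDRESS       TCP-STATE    TIMEOUT
 0 tcp  192.168.88.10:52341  198.51.100.9:443  established  23h59m
 1 tcp  192.168.88.10:52342  198.51.100.9:443  established  23h59m
 2 tcp  203.0.113.10:40001   192.0.2.1:8291    syn-sent     1m
 3 tcp  203.0.113.10:40002   192.0.2.1:8291    syn-sent     1m
 4 tcp  203.0.113.10:40003   192.0.2.1:8291    syn-sent     1m
 5 tcp  203.0.113.10:40004   192.0.2.1:8291    syn-sent     1m
 6 tcp  203.0.113.10:40005   192.0.2.1:8291    syn-sent     1m
 7 tcp  203.0.113.11:40006   192.0.2.1:8291    syn-sent     1m
 8 udp  198.51.100.5:53000   192.0.2.1:53                   10s
"""


def parse_connections(text):
    """Return (protocol, source IP, tcp-state) per entry; the header is skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        proto, src = fields[1], fields[2].rsplit(":", 1)[0]
        state = fields[4] if proto == "tcp" and len(fields) > 4 else ""
        conns.append((proto, src, state))
    return conns


def syn_sent_by_source(conns):
    """The slide's detection question: how many SYN-SENT connections per source?"""
    return Counter(src for _, src, state in conns if state == "syn-sent")


def connection_limit_matches(conns, limit, netmask=32):
    """Model connection-limit=LIMIT,NETMASK: count connections per source block
    and return the blocks with more than LIMIT, i.e. the sources the rule would
    add to the blocked-addr list (assumed: iptables connlimit-above semantics)."""
    per_block = Counter(
        ipaddress.ip_network(f"{src}/{netmask}", strict=False) for _, src, _ in conns
    )
    return sorted(str(net) for net, count in per_block.items() if count > limit)
```

Run on the sample, 203.0.113.10 is the only /32 with more than four connections, while grouping by /24 lumps 203.0.113.11 into the same blocked block, which is the trade-off a wider netmask brings.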

DDOS 23
TCP SYN Attack
• TCP SYN flood is a type of Distributed Denial of Service
(DDoS) attack that exploits part of the normal TCP three-way
handshake to consume resources on the targeted server and
render it unresponsive.
• Essentially, with SYN flood DDoS, the offender sends TCP
connection requests faster than the targeted machine can
process them, causing network saturation.

TCP SYN 24
[Figure: a flood of SYN packets arriving at the router]

TCP SYN 25
• It exhausts the router's resources and degrades the router's
performance.

TCP SYN 26
Preventing TCP SYN Attack
• Rate-limit each new TCP connection
• Reduce the syn-received timer
• Enable TCP SYN cookies

TCP SYN 27
Preventing TCP SYN Attack
• Creating firewall rules to prevent a TCP SYN flood

/ip firewall filter
add action=jump chain=forward comment="SYN Flood protect FORWARD" connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=syn-attack connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new protocol=tcp tcp-flags=syn

TCP SYN 28
Preventing TCP SYN Attack

• Go to IP > Settings and enable “TCP SynCookies”:

/ip settings set tcp-syncookies=yes

TCP SYN 29
Raw Table: Dropping a SYN Flood

/ip firewall raw
add chain=input action=drop tcp-flags=syn protocol=tcp

Note that this rule drops every TCP SYN addressed to the router itself, so it blocks all new TCP connections to the router, not only the flood; treat it as an emergency measure.

TCP SYN 30
•Target: DHCP servers
•Objective:
• Exhaust all available IP addresses that can be
allocated by the DHCP server.
•Under this attack, legitimate network users can
be denied service.

DHCP Starvation 31
Preventing DHCP Starvation
• Restrict the number of MAC addresses allowed on each switch port

DHCP Starvation 32
How? Port Security on CRS3xxx
Create a rule to allow the given MAC address and drop all other traffic on
ether1 (for ingress traffic):

/interface ethernet switch rule
add ports=ether1 src-mac-address=AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF switch=switch1
add new-dst-ports="" ports=ether1 switch=switch1

DHCP Starvation 33
How? Port Security on CRS3xxx
• Switch all required ports together
• Disable MAC learning
• Disable unknown unicast flooding on ether1

/interface bridge add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes learn=no unknown-unicast-flood=no
add bridge=bridge1 interface=ether2 hw=yes

DHCP Starvation 34
Add a static host entry for 64:D1:54:81:EF:8E (for egress traffic):

/interface bridge host
add bridge=bridge1 interface=ether1 mac-address=AA:BB:CC:DD:EE:FF

DHCP Starvation 35
Rogue DHCP server: a DHCP server on a network that is not under the
administrative control of the network staff.

DHCP Rogue 36
[Diagram: our tower (WISP, hotspot, etc.) with the legitimate DHCP server and a rogue server attached on ether1/ether2/ether3 over fiber, wireless or copper links]
DHCP Rogue 37
Solution: DHCP Snooping (6.43+)
• DHCP snooping is a Layer 2 security feature that prevents
unauthorized DHCP servers from providing malicious information
to users.
• How?
• In RouterOS you can specify which bridge ports are trusted
(where the known DHCP server resides and DHCP messages should
be forwarded) and which are untrusted (usually access ports;
DHCP server messages received on them are dropped).

DHCP Rogue 38
DHCP Rogue 39
SW1:
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1 trusted=yes
add bridge=bridge interface=ether2 trusted=yes
/interface bridge
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes

SW2:
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 trusted=yes
add bridge=bridge interface=ether3
/interface bridge
set [find where name="bridge"] dhcp-snooping=yes add-dhcp-option82=yes

DHCP Rogue 40
UDP Flood
• UDP flood is a type of Denial of Service (DoS) attack in
which the attacker overwhelms random ports on the
targeted host with IP packets containing UDP
datagrams.

UDP Flood 41
How to mitigate UDP Flood Attack
• Disable the DNS forwarder on MikroTik if it is not required.
• If “IP -> DNS -> Allow Remote Requests” is enabled, make sure an
appropriate filter rule is in place to block incoming DNS attacks.
• Rate-limit each new UDP connection.
• Block UDP traffic from outside.

UDP Flood 43
• Disable “Allow Remote Requests” on the router if not required.

UDP Flood 44
• Block DNS request traffic (udp/53) from outside:

/interface list add name=WAN
/interface list member add interface=ether3-internet list=WAN
/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=udp

UDP Flood 45
Brute Force Attack
• A Brute Force Attack is the simplest method to gain access to
a site or server (or anything that is password protected). It
tries various combinations of usernames and passwords
again and again until it gets in.
• This repetitive action is like an army attacking a fort.

Brute Force 49
Prevention: Brute Force Attack
• Limit failed login attempts and lock out users after a maximum
number of failed attempts.
• Don't use default ports.
• Limit logins to a specified IP address or range.
• Use complex passwords and change them periodically.

Brute Force 50
• Port knocking is a method that enables access to the router
only after receiving a sequence of connection attempts on a set
of pre-specified “open” ports.

• Once the correct sequence of connection attempts is received,
RouterOS dynamically adds the host's source IP to the allowed
address list and you will be able to connect to your router.

Port Knocking 51
PORT-KNOCKING

Port Knocking 52
/ip firewall filter
add action=add-src-to-address-list address-list="stage1" address-list-timeout=1m chain=input dst-port=8000 protocol=tcp
add action=add-src-to-address-list address-list="stage2" address-list-timeout=1m chain=input dst-port=7000 protocol=tcp src-address-list="stage1"
add action=add-src-to-address-list address-list="allowed" address-list-timeout=30m chain=input dst-port=6000 protocol=tcp src-address-list="stage2"
add chain=input src-address-list=allowed action=accept
add action=drop chain=input
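The five rules above form a small state machine driven by address lists and their timeouts. The Python below is an added example (not RouterOS code and not from the original slides) that models those rules so the ordering and expiry behaviour can be checked: the correct 8000 → 7000 → 6000 sequence grants access for 30 minutes, a wrong order grants nothing, and a knock that arrives more than a minute after the previous one starts over. It assumes that add-src-to-address-list does not terminate rule processing and that list entries expire exactly at their timeout.

```python
# Model of the five port-knocking rules above (added example, not RouterOS code).
# Assumptions: add-src-to-address-list does not terminate rule processing (the
# packet continues down the chain) and list entries expire at their timeout.

STAGE_TIMEOUT = 60          # address-list-timeout=1m on stage1 and stage2
ALLOWED_TIMEOUT = 30 * 60   # address-list-timeout=30m on allowed
KNOCK_SEQUENCE = (8000, 7000, 6000)


class KnockFirewall:
    def __init__(self):
        self.lists = {}  # (list name, source IP) -> expiry time in seconds

    def _listed(self, name, src, now):
        expiry = self.lists.get((name, src))
        return expiry is not None and now < expiry

    def _add(self, name, src, now, timeout):
        self.lists[(name, src)] = now + timeout

    def input_chain(self, src, dst_port, now):
        """Run one TCP packet through the input chain; return 'accept' or 'drop'."""
        if dst_port == 8000:                                       # rule 1
            self._add("stage1", src, now, STAGE_TIMEOUT)
        if dst_port == 7000 and self._listed("stage1", src, now):  # rule 2
            self._add("stage2", src, now, STAGE_TIMEOUT)
        if dst_port == 6000 and self._listed("stage2", src, now):  # rule 3
            self._add("allowed", src, now, ALLOWED_TIMEOUT)
        if self._listed("allowed", src, now):                      # rule 4
            return "accept"
        return "drop"                                              # rule 5


def knock(fw, src, start, ports=KNOCK_SEQUENCE, gap=1):
    """Send the knocks `gap` seconds apart, then try Winbox (tcp/8291) from src."""
    now = start
    for port in ports:
        fw.input_chain(src, port, now)
        now += gap
    return fw.input_chain(src, 8291, now)
```

Because the final rule drops everything that is not from an allowed source, the model also shows that any session from a host whose 30-minute entry has expired is dropped until it knocks again; on a production router an accept rule for established connections is normally placed before that drop.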
Questions?
