dns flood помощ


wowefect

Question

може ли някой да ми каже как да реша въпроса с това чудо :( процесорът се смачква от DNS флуд :(

flood.jpg


6 answers to this question


# RouterOS "/ip firewall filter" ruleset as posted. Rules are evaluated
# top-down within each chain; "add" with no action= accepts, and
# add-src/dst-to-address-list is non-terminating (the packet keeps going).
/ip firewall filter
# --- Port-scanner detection (input chain) ---
# Sources that trip the psd matcher or send unusual TCP flag combinations
# are listed for 2w and dropped by the "dropping port scanners" rule below.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
# --- FTP brute force (forward chain, i.e. FTP servers behind the router) ---
# The action-less rule accepts server replies containing "530 Login incorrect"
# at 1/1m with burst 3 per destination address; replies beyond that reach the
# next rule, which lists the reply's destination (the failing client) for 4w2d.
# Clients already on ftp_blacklist are dropped on dst-port=21 before that.
add action=drop chain=forward comment="Drop FTP brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=forward content="530 Login incorrect" dst-limit=\
    1/1m,3,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=4w2d chain=forward content="530 Login incorrect" \
    protocol=tcp
# --- SSH/Telnet brute force (forward chain, ports 22,23) ---
# Staged counter: each new connection moves a source one stage further
# (none -> stage1 -> stage2 -> stage3 -> ssh_blacklist); stages expire after
# 5m, the blacklist after 4w2d. The drop rule comes first so listed sources
# never reach the staging rules. Every rule is duplicated per WAN interface
# (ether1 / ether2), as the author notes.
add action=drop chain=forward comment="Drop SSH brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    22,23 in-interface=ether1 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    22,23 in-interface=ether2 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether1 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether2 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether1 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether2 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether2 protocol=tcp
# --- Winbox/PPTP brute force (input chain, ports 8291,1723) ---
# Same staged pattern as above, protecting the router itself.
add action=drop chain=input comment="Drop Winbox brute forcers" \
    src-address-list="Winbox Black List"
add action=add-src-to-address-list address-list="Winbox Black List" \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp src-address-list=\
    "Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Black List" \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp src-address-list=\
    "Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp src-address-list=\
    "Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp src-address-list=\
    "Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp src-address-list=\
    "Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp src-address-list=\
    "Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list="Winbox Stage 1" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp
# --- Input chain: invalid state, then explicit accepts ---
# Invalid packets are logged with prefix INVALID and dropped.
add action=log chain=input comment="Log invalid connections" \
    connection-state=invalid log-prefix=INVALID
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
# VPN services accepted on ether1 only: SSTP (tcp/443), L2TP/IPsec
# (udp/1701, udp/500, udp/4500). The PPTP rules (tcp/1723 and GRE) are
# present but disabled.
add chain=input comment=AllowVPN_SSTP dst-port=443 in-interface=ether1 \
    protocol=tcp
add chain=input comment=AllowVPN_L2 dst-port=1701 in-interface=ether1 \
    protocol=udp
add chain=input comment=AllowVPN_L2 dst-port=500 in-interface=ether1 \
    protocol=udp
add chain=input comment=AllowVPN_L2 dst-port=4500 in-interface=ether1 \
    protocol=udp
add chain=input comment=AllowVPN_PPtP disabled=yes dst-port=1723 \
    in-interface=ether1 protocol=tcp
add chain=input comment=AllowVPN_PPtP disabled=yes in-interface=ether1 \
    protocol=gre
# NOTE(review): this accept carries no in-interface or src-address match, so
# tcp/8291 is reachable from every interface; only the staged blacklist above
# limits brute force from ether1/ether2. Restricting it to the LAN interfaces
# or a management address list would narrow the exposure.
add chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp
# NOTE(review): established traffic is accepted only here, after all the rules
# above; since evaluation is top-down, an established/related accept near the
# top of the input chain would likely cut per-packet work under load — confirm
# against the intended ordering. Note that "related" is not accepted on input
# (it is on forward, below).
add chain=input comment="Allow Established connections" connection-state=\
    established
add chain=input comment="Allow ICMP" protocol=icmp
# Anything from the two LAN subnets (XX/YY are placeholders in the post)
# arriving on a non-WAN interface is accepted.
add chain=input in-interface=!ether1 src-address=XX.XX.XX.0/24
add chain=input in-interface=!ether2 src-address=YY.YY.YY.0/24
# Final input drop. Per the author's note, unsolicited DNS queries from the
# WAN end up here, because nothing above accepts udp/53 or tcp/53.
add action=drop chain=input comment="Drop everything else"
# --- Forward chain ---
# Invalid (tcp only) dropped; established/related accepted; bogon source and
# destination ranges dropped; remaining traffic dispatched by protocol to the
# tcp/udp/icmp chains. Packets not dropped in a sub-chain return here, and
# with no further forward rules they are accepted by the default policy.
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add chain=forward comment="allow already established connections" \
    connection-state=established
add chain=forward comment="allow related connections" connection-state=\
    related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
# --- tcp chain: block well-known LAN-only / legacy services across the router ---
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
# --- udp chain: same set for UDP ---
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
    udp
# --- icmp chain: allow listed type:code pairs, drop every other ICMP type ---
# Echo requests are accepted without a rate limit.
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="host unreachable fragmentation required" \
    icmp-options=3:4 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"

Тези правила ползвам основно и нямам проблеми, които и аз имах в началото! На теб ти трябват от правилото за AllowWinBox надолу, а тези нагоре са за мои нужди или малко така оптимизиране, наблюдение и анализ! А да не забравя, че има дублиране на правила заради двата WAN интерфейса! Трябва ти и по-горното правило „Drop invalid connection“, като този DNS флуд ще пада на „Drop everything else“.

Edited by JohnTRIVOLTA


# Drops unsolicited DNS queries (udp/53) arriving on the WAN interface so the
# router's resolver never sees them; replace the placeholder with the real
# in-interface. This matches UDP only — DNS over TCP needs a second rule with
# protocol=tcp — and it must sit above any input-chain accept that would
# otherwise match these packets. On RouterOS builds that provide
# /ip firewall raw, the same match in chain=prerouting drops before
# connection tracking, which is cheaper under flood — verify on the target version.
/ip fi fi add action=drop chain=input dst-port=53 in-interface=(входен интерфейс) protocol=udp


Преди 3 часа, andman написа:

Просто махни отметката Allow Remote Requests

По-скоро да ползва други DNS-и, като публичните на Google, OpenDNS, Level3 DNS и т.н.!



ако махне отметката Allow Remote Requests и клиентите са със статични IP-та, ще стане много интересно, като спрат да им зареждат страничките :)


Преди 2 часа, wispnet написа:

ако махне отметката Allow Remote Requests и клиентите са със статични IP-та, ще стане много интересно, като спрат да им зареждат страничките :)

ще спрат, ако ползват локалния DNS

ако са с отдалечен, ще ползват forward chain-а


