Jump to content
  • 0

dns flood помощ


wowefect
 Share

Question

може ли някой да ми каже как да реша въпроса това чудо :( процесора се смачква от днс флуд :(

flood.jpg

Link to comment
Share on other sites

6 answers to this question

Recommended Posts

  • 1

/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=forward comment="Drop FTP brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=forward content="530 Login incorrect" dst-limit=\
    1/1m,3,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=4w2d chain=forward content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=forward comment="Drop SSH brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    22,23 in-interface=ether1 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    22,23 in-interface=ether2 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether1 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether2 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether1 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether2 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether2 protocol=tcp
add action=drop chain=input comment="Drop Winbox brute forcers" \
    src-address-list="Winbox Black List"
add action=add-src-to-address-list address-list="Winbox Black List" \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp src-address-list=\
    "Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Black List" \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp src-address-list=\
    "Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp src-address-list=\
    "Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp src-address-list=\
    "Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp src-address-list=\
    "Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp src-address-list=\
    "Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list="Winbox Stage 1" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp
add action=log chain=input comment="Log invalid connections" \
    connection-state=invalid log-prefix=INVALID
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add chain=input comment=AllowVPN_SSTP dst-port=443 in-interface=ether1 \
    protocol=tcp
add chain=input comment=AllowVPN_L2 dst-port=1701 in-interface=ether1 \
    protocol=udp
add chain=input comment=AllowVPN_L2 dst-port=500 in-interface=ether1 \
    protocol=udp
add chain=input comment=AllowVPN_L2 dst-port=4500 in-interface=ether1 \
    protocol=udp
add chain=input comment=AllowVPN_PPtP disabled=yes dst-port=1723 \
    in-interface=ether1 protocol=tcp
add chain=input comment=AllowVPN_PPtP disabled=yes in-interface=ether1 \
    protocol=gre
add chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp
add chain=input comment="Allow Established connections" connection-state=\
    established
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input in-interface=!ether1 src-address=XX.XX.XX.0/24
add chain=input in-interface=!ether2 src-address=YY.YY.YY.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add chain=forward comment="allow already established connections" \
    connection-state=established
add chain=forward comment="allow related connections" connection-state=\
    related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
    udp
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="host unreachable fragmentation required" \
    icmp-options=3:4 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"

Тези правила ползвам основно и нямам проблеми , които и аз имах в началото! На теб ти трябват от правилото за AllowWinBox надолу , а тези нагоре са за мои нужди или малко така оптимизиране, наблюдение и анализ ! А да не забравя че има дублиране на правила заради двата WAN интерфейса! Трябва ти и по горно правило "Drop invalid connection" , като този DNS флуд ще пада на Drop everything else .

Edited by JohnTRIVOLTA
Link to comment
Share on other sites

  • 0

/ip fi fi add action=drop chain=input dst-port=53 in-interface=(входен интерфейс) protocol=udp

  • Like 1
Link to comment
Share on other sites

  • 0
Преди 3 часа, andman написа:

Просто махни отметката Allow Remote Requests

По-скоро да ползва други DNSи , като публичните ню google, opendns. level3dns и т.н.!

Link to comment
Share on other sites

  • 0

ако махне отметката allow remote requests ако клиентите са с статични ип-та ще стане много интересно като спрат да им зареждат страничките :)

Link to comment
Share on other sites

  • 0
  • Administrator
Преди 2 часа, wispnet написа:

ако махне отметката allow remote requests ако клиентите са с статични ип-та ще стане много интересно като спрат да им зареждат страничките :)

ще спрат ако ползват локалния ДНС

ако са с отдалечен ще ползват forward chain-a

Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.