Hi there
After entering the DNS attack business (as the one being attacked), I am thinking of the following:
Can an access list be set up with a rule per gateway subnet on the main AMPRNET router?
I mean, if I have 44.138.1.x, would I be able to have rules for my subnet as I want?
I ask because the firewall rule I added to the MikroTik (thanks a lot to the ham who gave me the correct syntax) does the job, but the tunnel to UCSD is still flooded with incoming DNS attack noise of about 500 KB/s (of course the router blocks it from passing through, but if only I could stop this attack before it even enters the tunnel from UCSD to me).
NB: I still don't understand the point behind a UDP flood. Can someone explain it to me?
I can understand telnet, FTP, SSH and web attempts, but not a DNS flood. Can someone explain it to me?
One more point: I have talked with a friend of mine whose job includes networking. He has a fixed IP connected to a Cisco ASA firewall and he doesn't see any DNS attacks in the logs; he sees SIP attempts here and there (I also see some UDP SIP here on the 44 net, but it is almost zero compared to the DNS attack). So it looks like the DNS is related more to AMPRNET than to the regular internet,
or maybe this is a coincidence.
Anyway, it is something I haven't seen on the AMPRNET network we had 20 years ago.
Regards
Ronen - 4Z4ZQ
Ronen Pinchooks (4Z4ZQ) website: http://www.ronen.org/
On Thu, Apr 07, 2016 at 05:03:13PM +0000, R P wrote:
Can an access list rule be done that will have rule per gateway subnet on the main AMPRNET ROUTER ?
No, that's really not practical.
anyway it is something i havent seen on the AMPRNET network we had 20 years ago
Yes, the internet is a very different and more hostile place than it used to be. - Brian
Ronen, it is a coincidence, and it seems "they" also use some fake AMPR addresses in those attacks (e.g. yours and mine).
On my gw there is almost no DNS activity, still some spurious responses to supposed requests from my hosts bounce back via the tunnel. But I have a lot of port scanning and connection attempts to ssh, telnet, pop3 and other ports.
You will need to learn to live with them.
Regarding filtering: You can not filter that traffic on an upstream router, because that router will see that traffic as IPIP from ampr-gw to you. It will not know what's inside the packet, DNS or something else. So the point to drop it is the actual gateway.
As a general rule: drop EVERYTHING and afterwards open only the ports you need.
Basically this is what you need:

Input chain:
- accept connections with state "new" from your internal interface
- accept connections with state "established" or "related"
- drop everything else

Output chain:
- accept all

Forward chain:
- accept connections with state "new" from your internal interface if you want access from internal hosts to the outside
- accept connections with state "established" or "related" if you want access from internal hosts to the outside
- optional: dst-nat from a specific port to an internal host if you need port forwarding
- drop everything else
This will keep you on the safe side... Later you can start to add rules to suit your needs (these will stay in place forever...).
Dear Marius,

What is the meaning of "new" or "related"? Doesn't "new" fall in the category of a DNS query coming from the internet to the 44 net? I refer to the input interface. I want to have full connectivity to my 44 net host from the internet (for example, now I'm at work and can gain access to the network from work).

Thanks forward,
Ronen - 4Z4ZQ
http://www.ronen.org
Hello Ronen,
These are firewall "concepts" which talk about the traffic flows themselves. "New" would be a new traffic flow coming to your machine, and the question is whether it should be accepted or not. "Established" is when an existing flow that was previously accepted continues to flow back and forth. "Related" is a concept where one established traffic flow might request other new flows as part of its required communications. This is common with more complicated protocols like FTP, H.323, SIP, etc. There are other concepts like ALLOW, REJECT, DENY, CHAINS, BLACKHOLE, etc., and then other tool concepts like wrappers, tarpit, etc.
Different firewalls might use different terminology, but they are all using the same concepts for their layer 2, layer 3, and layer 4-7 filtering. Check out some of these URLs to understand it from a conceptual point of view; when it comes to implementing on your MikroTik, you'll need to translate a bit for their specific terminology and syntax:
On Linux, we use IPTABLES for our L2 and L3 firewall - https://www.google.com/search?q=iptables+tutorial
FreeBSD uses "pf" - https://www.freebsd.org/doc/handbook/firewalls-pf.html
This is all detailed networking work and deserves some quality study on your part to keep your machine secure on the big, *bad* internet. All fun stuff if you're interested in networking technologies which is common for folks here on the AMPR list.
--David KI6ZHD
Dear David,

Thank you for the brief explanation. Some of the verbs such as "established" sound familiar from the days I used to work with Cisco access lists and Checkpoint firewalls; the "new" command wasn't known to me. However, if I put accept for "new" then it will not block anything, because every incoming connection is considered new. So if I put accept new, I must put after it (or before it) deny UDP 53 in order to block the DNS queries coming from the internet. That part was missing for me. I'll go to the links you provided and read them as well, although I deal with router (hardware) firewalls and not Unix (software) firewalls.

73's
Ronen - 4Z4ZQ
http://www.ronen.org
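To make the states concrete, here is an added example (written for this edit, not code from the thread, from Marius, or from MikroTik): a small Python model of connection tracking that applies the input-chain rules Marius gave, using the "new", "established" and "related" meanings David described, to constructed packets. The host address 44.138.1.10 inside Ronen's 44.138.1.x subnet, the resolver and attacker addresses (taken from the TEST-NET documentation ranges), the interface names "lan" and "tunnel", and every packet are assumptions made for illustration. It shows what Ronen asks about: an inbound DNS query from the internet is indeed "new", but the rule accepts "new" only when it arrives on the internal interface, so it is dropped without a separate deny for UDP 53, while a query from inside, its reply (established) and an active-mode FTP data connection (related) pass.

```python
"""Connection-tracking firewall model for the input-chain rules in this thread.

Added example, not code from the 44net thread or from MikroTik; it models
the "new / established / related" states in Python so the effect of the
rules can be seen on constructed packets.  Interface names, addresses,
ports and the sample packets are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrives on: "lan" or "tunnel"
    proto: str            # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""     # only inspected for the FTP PORT "related" case


def flow_key(pkt):
    """Direction-independent key, so a reply maps onto the tracked request."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


class StatefulFirewall:
    def __init__(self, internal_iface="lan", port_forwards=()):
        self.internal_iface = internal_iface
        self.port_forwards = set(port_forwards)   # (proto, dport) opened on purpose
        self.tracked = set()                       # flows already accepted
        self.expected = set()                      # (proto, dst, dport) learned by a helper

    def classify(self, pkt):
        """The conntrack states David describes: established, related, or new."""
        if flow_key(pkt) in self.tracked:
            return "established"
        if (pkt.proto, pkt.dst, pkt.dport) in self.expected:
            return "related"
        return "new"

    def filter_input(self, pkt):
        """Marius's rules: accept new only from inside, accept established/related,
        optionally accept a deliberately forwarded port, drop everything else."""
        state = self.classify(pkt)
        if state in ("established", "related"):
            verdict = "accept"
        elif pkt.iface == self.internal_iface:
            verdict = "accept"                     # new, but originated inside
        elif (pkt.proto, pkt.dport) in self.port_forwards:
            verdict = "accept"                     # new from outside, explicitly allowed
        else:
            verdict = "drop"                       # new from outside: this is the DNS noise
        if verdict == "accept":
            self.tracked.add(flow_key(pkt))
            self._ftp_helper(pkt)
        return state, verdict

    def _ftp_helper(self, pkt):
        """Minimal active-mode FTP helper: a PORT command on the control channel
        makes the server's data connection back to the client 'related'."""
        if pkt.proto == "tcp" and pkt.dport == 21 and pkt.payload.startswith("PORT "):
            h1, h2, h3, h4, p1, p2 = (int(x) for x in pkt.payload[5:].split(","))
            self.expected.add(("tcp", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


def run_demo(forward_ssh=False):
    """Push constructed packets through the rules; returns (label, state, verdict)."""
    fw = StatefulFirewall("lan", port_forwards=[("tcp", 22)] if forward_ssh else [])
    # Assumed addresses: a host in Ronen's subnet, a resolver and an attacker in TEST-NET ranges.
    host, resolver, attacker, ftp = "44.138.1.10", "203.0.113.53", "198.51.100.7", "203.0.113.21"
    packets = [
        ("dns query from internet",  Packet("tunnel", "udp", attacker, 40000, host, 53)),
        ("dns query from inside",    Packet("lan", "udp", host, 53001, resolver, 53)),
        ("reply to that query",      Packet("tunnel", "udp", resolver, 53, host, 53001)),
        ("unsolicited dns response", Packet("tunnel", "udp", attacker, 53, host, 60000)),
        ("ssh from internet",        Packet("tunnel", "tcp", attacker, 51000, host, 22)),
        ("ftp PORT from inside",     Packet("lan", "tcp", host, 52000, ftp, 21, "PORT 44,138,1,10,4,1")),
        ("ftp data from server",     Packet("tunnel", "tcp", ftp, 20, host, 1025)),
    ]
    return [(label,) + fw.filter_input(p) for label, p in packets]


if __name__ == "__main__":
    for label, state, verdict in run_demo():
        print(f"{label:26s} {state:12s} {verdict}")
```

The "unsolicited dns response" case is the backscatter Marius mentions (responses to requests his hosts never sent): it carries a source port of 53 but matches no tracked flow, so it is "new" and dropped. On RouterOS the three input rules map, in order, to `add chain=input connection-state=established,related action=accept`, `add chain=input connection-state=new in-interface=<your LAN interface> action=accept` and `add chain=input action=drop` under `/ip firewall filter` (syntax as I recall it for RouterOS 6; check it against your version). Marius's forward chain uses the same logic for traffic passing through the gateway rather than terminating on it.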