
Bad-host-detection

Attempt to detect and Block Bad Hosts
Network administrators are in a constant battle trying to keep out attacks from virus-infected computers, computers that have been taken over by malicious people, and malicious people themselves. It's a never-ending barrage of attacks trying to exploit any possible flaw in your network. I keep a list of hosts/networks that I consider to be "bad hosts". This is a manually built list and it works great, but I don't always have time to sit and watch for candidates for this list, so I created a set of rules to do it for me.

Description

When a packet reaches the bottom of the forward chain it will be rejected, so before it is, we will run it through this set of rules.

1. The IP address is added to an address list with a life span of 30 seconds.
2. If the IP address is then seen 20 more times in this 30-second span, it is added to another list that has a life span of 24 hours.
3. If it is in the 24-hour list it will be rejected.

Process Flowchart

Here are some names I will be using.

Address Lists

- our-networks (IPs/networks in this list are not included in this process; we don't want to block our own traffic)
- 30-second-list (this list holds IPs for 30 seconds)
- 24-hour-list (the IPs in this list have a life span of 24 hours; IPs in this list are rejected)
- bogons (bogons are non-routable IPs such as 192.168.0.0/16)

Filter Chains

- bad-host-detection (this is the main chain for this process)
- open-customers (this chain checks for customers/businesses that don't want my help firewalling)
- bad-hosts (this chain checks a manually created list that contains hosts/networks that appear to be bad)

Step 1


Rule to add in the forward chain:
add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list

Make sure this rule is at the top of your forward chain. These are my top 3 forward chain rules:
add action=jump chain=forward comment="Check if dest is an open customer" disabled=no dst-address-list=open-customers jump-target=open-customers
add action=jump chain=forward comment="Check Known Bad Hosts" disabled=no jump-target=bad-hosts
add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list

1. If on the exclusion list, permit (some customers/businesses do not want me to firewall anything for them).
2. I also have a manual list of hosts I block that I check.
3. Now drop anyone on the one-day list.

Step 2
The bad-host-detection chain:
add action=return chain=bad-host-detection comment="Take no action on bogons" disabled=no src-address-list=bogons
add action=add-src-to-address-list address-list=30-second-list address-list-timeout=30s chain=bad-host-detection comment="Add to the 30 second list" disabled=no
add action=add-src-to-address-list address-list=24-hour-list address-list-timeout="1d 00:00:00" chain=bad-host-detection comment="If seen 20 times in 30 seconds add to the one day block list" disabled=no nth=20,0 src-address-list=30-second-list
add action=return chain=bad-host-detection comment="" disabled=no

1. Take no action/return if the host is in the bogons address list.
2. Add the IP to the 30-second list.
3. If the IP has been seen 20 times in 30 seconds, add it to the 24-hour-list.
4. Return to the calling filter chain.

This is a small rule set and could be put directly in the forward chain, but over time exclusion and other detection rules could be put here as well.
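To make the two-list mechanism concrete, here is a small simulation (added for this page; it is not part of the original article and does not talk to a router). It models a packet falling through the forward chain: the top rule that rejects anything on the 24-hour-list, then the bad-host-detection chain that keeps a 30-second window per source and moves a source to the 24-hour-list once 20 packets from it are seen inside that window. The address-list contents (our-networks, bogons) and the timestamped packet events are constructed for the example. One caveat worth knowing when you compare this with the real rules: the nth matcher keeps a single counter per firewall rule, not one per source address, so on the router the third rule fires on every 20th packet that reaches it from any address on the 30-second list; the code below implements the per-source behaviour the text describes.

```python
import ipaddress
from collections import Counter, defaultdict, deque

# Assumed address-list contents for the example (RFC 5737 / RFC 1918 ranges);
# the real our-networks list would hold your own prefixes.
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BOGONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_lists(src, nets):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)


class BadHostDetector:
    """Models the 30-second-list / 24-hour-list pair with per-source counting."""

    def __init__(self, window=30.0, threshold=20, block_for=86400.0):
        self.window = window               # 30-second-list entry lifetime (seconds)
        self.threshold = threshold         # hits inside the window before blocking
        self.block_for = block_for         # 24-hour-list entry lifetime (seconds)
        self.recent = defaultdict(deque)   # src -> timestamps of recent hits
        self.blocked = {}                  # src -> time its 24-hour entry expires

    def is_blocked(self, now, src):
        """The top-of-chain rule: src-address-list=24-hour-list."""
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:                  # dynamic entry has timed out
            del self.blocked[src]
            return False
        return True

    def detect(self, now, src):
        """The bad-host-detection chain; True when src was just added to the 24-hour list."""
        if in_lists(src, BOGONS):          # rule 1: return on bogons
            return False
        hits = self.recent[src]            # rules 2-3: refresh 30-second membership, count hits
        hits.append(now)
        cutoff = now - self.window
        while hits and hits[0] < cutoff:   # entries older than the window have expired
            hits.popleft()
        if len(hits) >= self.threshold:
            self.blocked[src] = now + self.block_for
            hits.clear()
            return True
        return False


def forward_chain(det, now, src):
    """Walk one packet through the relevant forward-chain rules and name the verdict."""
    if det.is_blocked(now, src):
        return "reject-24h"            # rejected by the rule at the top of the chain
    # (accept rules for legitimate traffic would sit here; this packet matched none)
    if not in_lists(src, OUR_NETWORKS) and det.detect(now, src):
        return "added-to-24h"          # this packet tipped the source onto the block list
    return "reject"                    # logged and rejected at the bottom of the chain


def make_sample_events():
    """Constructed (time_in_seconds, source_ip) events; not taken from a real router."""
    events = []
    events += [(t * 0.5, "198.51.100.7") for t in range(50)]   # 50 packets in 25 s
    events += [(t * 2.0, "198.51.100.8") for t in range(15)]   # 15 packets in 30 s
    events += [(t * 0.5, "192.168.1.9") for t in range(60)]    # bogon source
    events += [(t * 0.5, "203.0.113.5") for t in range(60)]    # our own network
    events.sort(key=lambda e: e[0])
    return events


def run_simulation(events, **kwargs):
    """Return per-source verdict counts and the detector state after all events."""
    det = BadHostDetector(**kwargs)
    counts = defaultdict(Counter)
    for now, src in events:
        counts[src][forward_chain(det, now, src)] += 1
    return counts, det


if __name__ == "__main__":
    counts, det = run_simulation(make_sample_events())
    for src, c in sorted(counts.items()):
        print(src, dict(c))
    print("24-hour-list:", sorted(det.blocked))
```

Running it shows the scanner at 198.51.100.7 being rejected normally for 19 packets, landing on the 24-hour-list on the 20th, and being rejected by the top rule for the remaining 30; the slower source, the bogon and our own network never reach the list. Changing `window` or `threshold` is the same tuning the Notes section describes for the address-list timeouts and the nth value.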

Step 3
More rules for the forward chain:
add action=jump chain=forward comment="jump to the bad-host-detection chain" disabled=no jump-target=bad-host-detection src-address-list=!our-networks

This rule needs to be at the bottom, just before the packet is dropped. Once again, here is how I have mine (my last 3 forward rules):
add action=jump chain=forward comment="jump to the bad-host-detection chain" disabled=no jump-target=bad-host-detection src-address-list=!our-networks
add action=log chain=forward comment="log and reject the rest" disabled=no log-prefix=""
add action=reject chain=forward comment="" disabled=no reject-with=icmp-network-unreachable


1. Check for a bad attempt, if the source address is not in the our-networks address list.
2. Log the packet.
3. Drop the packet.

Notes

The lists in this process can get very large and your router must be capable of handling them. If you have a problem with list sizes, reducing the timeout will reduce the size of the list. 20 rejected attempts in 30 seconds is what I believe is sufficient evidence of an attack; you may adjust these to your liking. This rule set could also be used in the input chain.

Other Ideas

Using the API to keep an eye on the lists' counts would be a good idea. Maybe even condense it into subnets. Another idea is to use the API and create a chart showing where the "bad hosts" are coming from.
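The "condense it into subnets" idea above is easy to try offline once you have pulled the dynamic 24-hour-list entries off the router. The example below is added for this page, is not part of the original article, and takes the entries as a plain list of address strings (a constructed sample here; on a real router they would come from the API or from an address-list export). It groups the entries by /24, reports prefixes with several blocked hosts, and rewrites the list so those prefixes replace their individual hosts, which is the kind of summary you would look at before deciding to add a whole network to the manual bad-hosts list.

```python
import ipaddress
from collections import Counter

# Constructed sample of dynamic 24-hour-list entries; not taken from a real router.
SAMPLE_24_HOUR_LIST = [
    "198.51.100.7", "198.51.100.9", "198.51.100.13", "198.51.100.200",
    "192.0.2.44", "192.0.2.45",
    "203.0.113.77",
]


def summarize_by_prefix(addresses, prefixlen=24, min_hosts=3):
    """Group entries into /prefixlen networks; return (network, count) for the busy ones."""
    counts = Counter()
    for addr in addresses:
        # strict=False lets a host address be mapped onto its containing network
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        counts[net] += 1
    busy = [(str(net), n) for net, n in counts.items() if n >= min_hosts]
    return sorted(busy, key=lambda item: (-item[1], item[0]))


def condensed_list(addresses, prefixlen=24, min_hosts=3):
    """Replace hosts from busy prefixes with the prefix itself; keep the rest as /32 entries."""
    busy = {ipaddress.ip_network(net) for net, _ in summarize_by_prefix(addresses, prefixlen, min_hosts)}
    keep = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        parent = next((net for net in busy if ip in net), None)
        keep.add(parent if parent is not None else ipaddress.ip_network(f"{addr}/32"))
    # collapse_addresses also merges adjacent /32s that happen to form an aligned block
    return sorted(str(net) for net in ipaddress.collapse_addresses(keep))


if __name__ == "__main__":
    for net, n in summarize_by_prefix(SAMPLE_24_HOUR_LIST):
        print(f"{net}: {n} blocked hosts")
    print("condensed:", condensed_list(SAMPLE_24_HOUR_LIST))
```

On the sample, 198.51.100.0/24 holds four blocked hosts and is reported as busy, while the two addresses in 192.0.2.0/24 stay as host entries (and collapse into one /31 because they are adjacent). Raise `min_hosts` if a /24 with three hits is too aggressive for your traffic.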

Article Sources and Contributors

Bad-host-detection Source: http://wiki.mikrotik.com/index.php?oldid=9281 Contributors: Xinu

Image Sources, Licenses and Contributors


Image:Bad-host-detection.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Bad-host-detection.jpg License: unknown Contributors: Xinu
