Как победить флуд запросов к DNS Googl'а?

Question

[V A]

Всем Привет!
Столкнулся с блокировкой моей сети гуглом.

Обнаружил большое кол-во запросов и соединений от моего внешнего IP к 8.8.8.8 и к 8.8.4.4 (они прописаны у меня в MikroTik как DNS серверы)

Проц Mikrotik летит до нагрузки в 95%

Answer 1

[Mystray]

Закрыть рекурсивный DNS не из своей сети. Примерно так:
https://support.aa.net.uk/Stopping_Open_DNS_-_MikroTik
И проверить тут
openresolver.com

Comments

[V A]

Спасибо, на ваш взгляд это самое лаконичное решение?

[V A]

так у меня запросы изнутри идут, от моего IP, запросы извне я заблочил

[Mystray]

V A: Уверены? даю 99,9% - где-то перепутали с порядком правил или названием интерфейса и ваш микротик таки используют для ддоса снаружи.
Есть, конечно, еще вариант, что тот же зомби из ботнета обосновался и в локалке, тогда надо найти, какой из компов генерирует такую нагрузку, найти и пристре^W вылечить.
Найти можно, например, запустить tool->torch на локальном интерфейсе, отфильтровав 53 порт, кто будет в топ по запросам (если их действительно МНОГО) - тот и носитель заразы.

[V A]

Mystray: спасибо, создано правило
action=drop
chain=input
dst.adress=внешний айпи сети
dst port=53

за 15 минут насыпалось 10MiB

[V A]

Mystray: Проснифил пакеты нашел имена доменов
cpsc.gov
067.cz

[V A]

295 0.905319 66.203.182.120 мой айпи DNS 79 Standard query 0x2051 ANY cpsc.gov OPT

[V A]

все равно от 80 до 100 нагрузка

[Mystray]

V A: правило, которое блочит, надеюсь, в самом верху списка находится?

[V A]

Mystray: да

[V A]

Mystray: Все равно, изнутри с моего адреса флудит на 8.8.8.8 / 8.8.4.4
с портами
my.ip.ad.ress:30000 до my.ip.ad.ress:60000

[Mystray]

V A: показывайте
/ip firewall export compact
/interface export compact

[V A]

Mystray:

[admin@MikroTik] > /ip firewall export compact
# jun/06/2016 13:21:09 by RouterOS 6.32.3
# software id = 9927-HJ54
#
/ip firewall address-list
add address=173.194.220.198 disabled=yes list=net1
add address=31.13.92.10 disabled=yes list=net2
add address=192.168.1.118 disabled=yes list=2
add address=192.168.1.229 disabled=yes list=2
add address=192.168.1.127 disabled=yes list=2
add address=192.168.1.231 disabled=yes list=2
add address=192.168.1.232 disabled=yes list=2
add address=192.168.1.134 disabled=yes list=2
add address=192.168.1.183 disabled=yes list=2
add address=192.168.1.163 disabled=yes list=2
/ip firewall connection tracking
set enabled=yes generic-timeout=5m icmp-timeout=5m10s tcp-close-timeout=10m10s tcp-established-timeout=14h10s tcp-time-wait-timeout=10m10s udp-timeout=3m
/ip firewall filter
add action=drop chain=input dst-address=ВНЕШНИЙ_АЙПИ dst-port=53 in-interface=ether1-gateway protocol=udp
add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input comment="\F3\E1\E8\F0\E0\E5\EC \F4\EB\F3\E4 \E8\E7\ED\F3\F2\F0\E8 \E8 \F1\ED\E0\F0\F3\E6\E8 53port" disabled=yes dst-port=53 in-interface=ether1-gateway \
    protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether1-gateway protocol=udp src-address-list="dns flood"
add action=drop chain=output comment="\EF\F0\E0\E2\E8\EB\E0 \E4\F0\EE\EF \F4\EB\F3\E4 53" disabled=yes dst-address=8.8.8.8 dst-port=53 protocol=udp src-address=ВНЕШНИЙ_АЙПИ
add action=drop chain=output comment="\EF\F0\E0\E2\E8\EB\E0 \E4\F0\EE\EF \F4\EB\F3\E4 53 (\F3\F1\F2\E0\F0\E5\E2\F8\E8\E5)" dst-address=8.8.4.4 dst-port=53 protocol=udp src-address=ВНЕШНИЙ_АЙПИ
add action=drop chain=input disabled=yes dst-address=ВНЕШНИЙ_АЙПИ dst-port=9999 protocol=tcp
add action=drop chain=input comment="28-04-2016 " disabled=yes dst-address=ВНЕШНИЙ_АЙПИ dst-port=80 protocol=tcp
add action=drop chain=input comment="28-04-2016 " disabled=yes dst-address=ВНЕШНИЙ_АЙПИ dst-port=80 protocol=udp
add action=reject chain=forward comment="YOUTUBE BLOCK" disabled=yes dst-address-list=net1 protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="FB BLOCK" disabled=yes dst-address-list=net2 protocol=tcp reject-with=tcp-reset
add action=drop chain=forward disabled=yes src-address=89.163.148.21
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=yes
add chain=input comment="Allow Established connections" connection-state=established disabled=yes
add chain=input comment="Allow UDP" disabled=yes protocol=udp
add chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=forward disabled=yes src-address=159.122.205.166
add action=drop chain=forward disabled=yes src-address=5.39.218.251
add action=drop chain=input disabled=yes in-interface=ether1-gateway src-address=62.210.24.177
add chain=forward in-interface=ether1-gateway src-address=62.210.24.177
add chain=forward in-interface=ether1-gateway src-address=212.83.142.196
add chain=input dst-port=53 in-interface=ether1-gateway protocol=udp
add chain=input comment="SNMP monitoring" disabled=yes dst-port=161 protocol=udp src-address=188.134.5.211
add action=drop chain=input disabled=yes dst-port=161 protocol=udp
add chain=input comment="default configuration" protocol=icmp
add chain=forward comment=SIP dst-port=5060 protocol=udp src-address=192.168.1.101
add chain=forward dst-port=10000-20000 protocol=udp src-address=192.168.1.101
add action=drop chain=forward disabled=yes dst-port=5060 protocol=udp src-address=192.168.1.164
add action=drop chain=output disabled=yes dst-address=80.75.132.66 dst-port=5060 protocol=udp src-address=!192.168.1.101
add chain=forward content=d1:ad2:id20: dst-port=1025-10000 in-interface=bridge-local packet-size=95-190 protocol=udp
add chain=forward content=d1:ad2:id20: dst-port=20000-65535 in-interface=bridge-local packet-size=95-190 protocol=udp
add chain=forward content="info_hash=" disabled=yes dst-port=2710,80 in-interface=ether2-master-local protocol=tcp
add chain=forward dst-port=5060,10000-20000 protocol=udp
add chain=forward dst-port=5060 protocol=tcp
add chain=input dst-port=32100 protocol=tcp
add chain=input in-interface=bridge-local
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=forward dst-address=192.168.1.101 dst-port=5060 in-interface=ether1-gateway protocol=udp src-address=194.226.0.248
add chain=forward dst-address=ВНЕШНИЙ_АЙПИ dst-port=5060 protocol=udp src-address=192.168.1.101 src-port=5060
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
add action=drop chain=forward disabled=yes p2p=all-p2p
add chain=input disabled=yes dst-port=5060 protocol=udp
add action=drop chain=forward disabled=yes src-address=89.91.50.188
add action=drop chain=forward disabled=yes src-address=195.154.154.41
add chain=forward comment="Drop Invalid Connection" disabled=yes
add action=drop chain=input connection-state=invalid disabled=yes
add action=drop chain=forward connection-limit=40,32 disabled=yes dst-port=!80,443,8080,5060 protocol=tcp src-address-list=net tcp-flags=syn
add action=drop chain=forward connection-limit=40,32 disabled=yes protocol=udp src-address-list=net
/ip firewall nat
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp src-address=!192.168.1.129 src-address-list=!2 to-ports=9999
add action=redirect chain=dstnat disabled=yes dst-port=443 protocol=tcp to-ports=9999
add action=dst-nat chain=dstnat comment=C1 dst-address=ВНЕШНИЙ_АЙПИ dst-port=34567 protocol=tcp to-addresses=192.168.1.56 to-ports=34567
add action=dst-nat chain=dstnat comment=C1 dst-address=ВНЕШНИЙ_АЙПИ dst-port=38888 protocol=tcp to-addresses=192.168.1.187 to-ports=34566
add action=dst-nat chain=dstnat comment=C1 dst-address=ВНЕШНИЙ_АЙПИ dst-port=38889 protocol=tcp to-addresses=192.168.1.108 to-ports=19036
add action=dst-nat chain=dstnat comment=158 dst-address=ВНЕШНИЙ_АЙПИ dst-port=55555 protocol=tcp to-addresses=192.168.1.158 to-ports=22
add action=dst-nat chain=dstnat comment="\EE\F4\E8\F1 \D1\CF\E1" dst-address=ВНЕШНИЙ_АЙПИ dst-port=34562 protocol=tcp to-addresses=192.168.1.187 to-ports=34566
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=34570 protocol=tcp to-addresses=192.168.1.155 to-ports=8914
add action=dst-nat chain=dstnat comment="RTSP C1" dst-address=ВНЕШНИЙ_АЙПИ dst-port=34888 protocol=tcp to-addresses=192.168.1.155 to-ports=8888
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=34569 protocol=tcp to-addresses=192.168.1.108 to-ports=34567
add action=dst-nat chain=dstnat comment=222 dst-address=ВНЕШНИЙ_АЙПИ dst-port=34568 protocol=tcp to-addresses=192.168.1.124 to-ports=34588
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=34599 protocol=tcp to-addresses=192.168.1.56 to-ports=34599
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=9833 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.139 to-ports=3389
add action=masquerade chain=srcnat comment="SIP conf" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=32101 protocol=tcp to-addresses=192.168.1.101 to-ports=32100
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 in-interface=ether1-gateway protocol=udp src-address=83.136.247.26 to-addresses=192.168.1.101 to-ports=5060
add action=add-src-to-address-list chain=srcnat disabled=yes dst-address=83.136.247.26 dst-port=8080 out-interface=ether1-gateway protocol=tcp
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 in-interface=ether1-gateway protocol=udp src-address=80.75.132.66 to-addresses=192.168.1.101 to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-port=5090 in-interface=ether1-gateway protocol=udp src-address=194.226.0.248 to-addresses=192.168.1.101 to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-port=5090 in-interface=ether1-gateway protocol=udp src-address=89.179.119.28 to-addresses=192.168.1.101 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.101 to-ports=10000-20000
add action=netmap chain=dstnat comment="Aleksandr poprosil" dst-port=554 protocol=tcp to-addresses=192.168.1.18 to-ports=554
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=5060 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.101 to-ports=5060
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=5060 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.101 to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-address=ВНЕШНИЙ_АЙПИ dst-port=8888 protocol=tcp to-addresses=192.168.1.101 to-ports=80
add action=netmap chain=dstnat comment=1.20 dst-port=5554 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.155 to-ports=5554
add action=netmap chain=dstnat connection-limit=100,32 disabled=yes dst-address=ВНЕШНИЙ_АЙПИ dst-port=80 in-interface=ether1-gateway limit=1,5 protocol=tcp to-addresses=192.168.1.129 to-ports=80
add action=netmap chain=dstnat dst-port=6666 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.190 to-ports=6666
add action=netmap chain=dstnat dst-port=6000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.18 to-ports=6000
add action=dst-nat chain=dstnat dst-port=8814 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.190 to-ports=8814
add action=dst-nat chain=dstnat dst-port=8914 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.190 to-ports=8914
add action=src-nat chain=srcnat protocol=udp src-address=194.226.0.248 src-port=2929 to-addresses=188.143.208.23 to-ports=2929
add action=dst-nat chain=dstnat comment="Zabbix monitoring" disabled=yes dst-port=10050 protocol=tcp src-address=188.134.5.211 to-addresses=192.168.1.101 to-ports=10050
add action=dst-nat chain=dstnat comment="vpn server" disabled=yes dst-port=32102 protocol=tcp to-addresses=192.168.1.103 to-ports=32100
add action=dst-nat chain=dstnat disabled=yes dst-port=1194 protocol=udp to-addresses=192.168.1.103 to-ports=1194
add action=dst-nat chain=dstnat comment="temp rpd forward" disabled=yes dst-port=53389 protocol=tcp to-addresses=192.168.1.155 to-ports=3389
add action=netmap chain=dstnat comment=video disabled=yes dst-address=ВНЕШНИЙ_АЙПИ dst-port=493 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.108 to-ports=493
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=192.168.1.1 to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-port=5090 in-interface=ether1-gateway protocol=udp src-address=188.143.208.23 to-addresses=192.168.1.101 to-ports=10000-20000
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=493 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.108 to-ports=493
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=19036 protocol=tcp to-addresses=192.168.1.108 to-ports=19036
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=554 protocol=tcp to-addresses=192.168.1.56 to-ports=554
add action=dst-nat chain=dstnat disabled=yes dst-address=ВНЕШНИЙ_АЙПИ dst-port=5060 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.101 to-ports=5060
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=394 protocol=tcp to-addresses=192.168.1.56 to-ports=394
add action=dst-nat chain=dstnat dst-port=54545 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.101 to-ports=32100
add action=dst-nat chain=dstnat dst-port=45454 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.101 to-ports=80
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=30080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.139 to-ports=80
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=39500 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.139 to-ports=9500
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=39600 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.139 to-ports=9600
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=39700 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.139 to-ports=9700
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=39900 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.139 to-ports=9900
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=31433 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.139 to-ports=1433
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=34568 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.125 to-ports=34588
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=34566 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.187 to-ports=34566
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=53389 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.231 to-ports=3389
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=63389 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.232 to-ports=3389
add action=dst-nat chain=dstnat dst-address=ВНЕШНИЙ_АЙПИ dst-port=33116 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.116 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
[admin
@Mikro

[V A]

# jun/06/2016 13:24:30 by RouterOS 6.32.3
# software id = 9927-HJ54
#
/interface bridge
add admin-mac=4C:5E:0C:23:0F:1F arp=proxy-arp auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity="" wpa-pre-shared-key=Linkin44 wpa2-pre-shared-key=Linkin44
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n country=russia disabled=no frequency=2417 frequency-mode=superchannel hw-protection-mode=rts-cts mode=ap-bridge security-profile=profile1 ssid=MikroTik-230F23 \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1

[Mystray]

V A: Вроде бы и не видно ничего кратичного, первое правило должно отрабатывать.
Ловите через через фаервол или torch кто там из локалки ломится на днс.

[V A]

Mystray:
если так сделать?

/ip firewall filter
add action=add-src-to-address-list address-list="dns flood" \
address-list-timeout=1h chain=output dst-port=53 out-interface=ether1 \
protocol=udp
add action=drop chain=input dst-port=53 out-interface=ether1 protocol=udp \
src-address-list="dns flood"

[V A]

V A: а потом посмотреть адреслист

[V A]

сделал Torch

Src.=8.8.8.8
Dst=ВНЕШНИЙ АЙПИ
eth.protocol = 800(ip)

постоянно передает пакеты до 8 kbps, Tx/Rx Packet Rate: 4/4

Answer 2

[Александр Романов]

1. Закрывайте 53 порт tcp и udp на доступ с интерфейса провайдера (в input)
2. Обязательно укажите out-interface в правиле маскарадинга.
Расписывать не буду, ничего сложного тут нет