How to get protected from common threats with MikroTik RouterOS

Captions
For the community that is following the event on YouTube: I'm going to talk about network security using MikroTik devices. My name is Wilmer Alma son; I am a computer systems engineer and software developer, I am a MikroTik certified trainer, and I have several MikroTik certifications and also from other organizations. I work at Wynette; we offer training in Canada and Latin America. We have offered trainings in different cities in Canada, also in Mexico, Central and South America, and today I want to share something about network security.

According to different studies, five minutes is the average time it takes for a device to be attacked after we plug it into the Internet, so we have to be aware of that. Sometimes when we start working on a network we focus on routing and different things, but we forget everything about security because we put it in the last step of the process. We think that security should come from the beginning: we have to plan everything, we have to have all the policies defined. Fortunately we have a good friend there: RouterOS has a very powerful firewall. Usually at the enterprise level we will need to have different systems working, but one of the systems that can help in layers 3 and 4, and also with some applications in layer 7, is RouterOS.

But first of all we need to be aware of what we are talking about when we say network security. Basically we are talking about three things: one is confidentiality, the second one is integrity, and finally availability; this is known as the security triad, CIA. When we say confidentiality we want to make sure that our data is received only by the person we send it to and is not revealed to anyone else. With integrity we are talking about the content being intact, that it has not been modified. And the last one, availability: the resources should be available for the users whenever they need them.

So what can we do to get these three elements? First we need to know them; we need to know all the threats, the possible attacks that we can find in our network's daily activities. Basically we have two types of attacks or threats: the active ones and the passive ones. When we say active we are talking about interruption, modification and fabrication; with passive we have interception. The first one, interruption: basically a message is sent from a source, carrying some content to a destination, and probably in that path someone is taking this information and blocking this communication; this is known as interruption. The second one is interception, in this case the passive one: I send a message to a destination, but someone in the path is taking these messages, not doing anything about the content, but listening; that is why this is a passive attack. The third one is modification: I send the message, someone takes the message and alters the content, changing some bits, and then this message is sent to the destination; in this case this is called modification. The last one is fabrication: basically someone not authorized in the network is creating messages and sending them to the destination. So those are the types of threats.

When we say threats we are talking about a weakness that is in the network; probably it is not being exploited yet, but it can cause an incident, so you have to be aware and take some actions to prevent that. There are different types of threats that we can find in all the layers of the OSI model: you can see, if we start from the physical layer up to the application layer, we have different threats that we have to be aware of. But we will focus the presentation on threats in layer 3, the network layer, and layer 4, the transport layer, using MikroTik RouterOS. After these layers we can go with system information and event management, another type of system to manage all the information that you can get from the lower layers. Today we are going to focus on specific devices in layers 3 and 4.

The first threat is DDoS, distributed denial of service. This is an attack that can be created by a single machine or maybe several hundreds or thousands of machines in different places of the world; we call it DoS when there is a single machine creating the attack, or DDoS when there are several. How can we know if we are the target of a distributed denial of service attack? There are different symptoms that we can analyze in the network. For example, are there too many connections in the SYN_SENT state? We can find this if we go to /ip firewall connection print in the command line interface, the CLI, or we can go with the menu in WinBox, where we can see a table with all the connections, so we can have real information about the connections and determine if there are too many. If we see a lot of connections there, that means that probably we are the victim of a DoS attack.

A second symptom: for example, we can see a lot of packets going through a particular interface. We can go with /interface monitor-traffic and select the interface, also using the CLI, but more easily we can go to Interfaces and double-click on the interface that we want to check; under Statistics we can find the number of packets that are going through that interface at a particular time. In that case, it is important for every network administrator to create a baseline: the first step when we are starting a network is to create a baseline of the traffic and have patterns about the behavior of the traffic at different times, so when we compare this number against the baseline we can know if something bad is happening. The third one we can see is the CPU usage. For example, if we have 100 percent usage, that means that something bad is happening, because if in normal times we are at 10 or 20 percent and suddenly we get 100 percent, something is happening. We can go to System > Resources and check the CPU usage; also in the profiler tool, Tools > Profile, we can see the use of the CPU in the different categories that RouterOS shows there. We can also use the tool Torch; in this case we can analyze the connections, for example to see all the connections from a particular interface, from a particular source IP address to a particular destination address, for a specific protocol. So it's a very helpful tool to check all the connections that we are getting; we can even see, for a particular connection from a specific IP address, the transmission rate and the reception rate, so we can analyze all this information.

Now, DDoS attacks are one of the most powerful attacks because we don't have control over the machines that are creating the attack, so we can just mitigate, because we cannot take control over the bots that are in the attacker's botnet. So we can take some actions to mitigate the effect. One of those is to limit the number of connections. For example, we can go to the firewall filter, input chain, protecting the router; in this case, for the protocol TCP, we can set a number according to the baseline that we have created for a particular IP address. The 32 here means the netmask; we are saying that this is a unicast address. We can add the addresses that are creating this traffic to an address list and then take a particular action with those addresses. There are many actions that we can take after that; the first step is to have all these addresses in a list, and then we can go with actions like drop, reject, any action that we want.

The TCP SYN attack is a type of DoS attack. Basically here the attacker is taking advantage of the three-way handshake that the TCP connection has by default: they are sending a lot of requests to the server or the router with SYN packets to start TCP connections, the router replies, but obviously the attacker is never going to send the acknowledgements to the router. Basically they just want to flood the router and get it into a denial-of-service state. For example, in this case we have an attacker that in some way has taken control of all these machines; these machines can be in different places in the world, and maybe with Trojan horses or other malicious software they have taken control of them, so they can launch an attack at a particular time against a specific host. In this case all the machines are sending traffic, a lot of SYN packets and requests, to this device, so this device is not capable of managing all these requests and the CPU goes to 100%. Basically there are three general actions that we can take to mitigate: one is rate-limiting each new TCP connection; also we can modify the timers, if we go to IP > Firewall > Connection Tracking there is a settings bar where we can play with the timers of the different states of the TCP connections; and also we can enable the SYN cookies, this is under IP > Settings, there is an option TCP SYN cookies that we can enable and it is automatically going to run the SYN cookies algorithm to mitigate the SYN attack. This is an example of rules that you can create; this presentation will be available on the MikroTik website, so if you want to review these commands you can download the presentation. Basically we can create different rules to limit the connections. Also, this is the menu where we can enable the TCP SYN cookies; as usual with RouterOS everything is very simple, we just have to enable this option and with this we are getting good protection against TCP SYN attacks.

Also, there is another structure that in the last years has been added to RouterOS: this is the raw table. Instead of specifying rules in the firewall filter we can do it in the raw table; this is also under IP > Firewall, under the tab Raw. Basically this structure is analyzed before connection tracking, so in this case we can be more effective in the mitigation of the SYN flood attack. For example, here we can add a rule about the TCP flags for the protocol TCP. Obviously we also need some rules to allow the valid connections; this is a single rule targeting the attack we want to avoid, but you will have more rules to allow the valid traffic.

Another common attack, usually in places where hotspots are running, is DHCP starvation. In this case the target is the DHCP server; the objective is to take all the IP addresses, so when a valid client connects to the network there are no IP addresses available and it cannot get a connection. Anyone in a hotspot, which is public, can go and set up a fake DHCP server and then take all the available IP addresses in the pool that we have defined. One thing that we can use to prevent this is port security. For example, on a switch we can specify and allow just one MAC address per port, or we can set a list of allowed MAC addresses; basically with port security we can manage this, but this is just available on the CRS3xx switches, so we cannot do this on our regular RouterBoard, only with the Cloud Router Switches. For example, here we create a rule to allow just one specific MAC address, then here is the bridge creation, and basically we have to say no to the unknown unicast flood, and finally we need to add the static entry so that all the traffic that is going out from the bridge has the same MAC address that we have allowed. In this case we can use port security with the Cloud Router Switch only.

Also we have the DHCP rogue; in this case it is a fake DHCP server, and we don't have control over this server. For example, here we have a router with a simple wireless topology, so we have a DHCP server offering IP addresses to all these clients, but someone can get a connection to this hotspot because it is open, they don't have any passphrase to get a connection. This server can also send all the IP addressing information to these clients and then you can make any type of attack, like man-in-the-middle or other types of attacks, to take information from the clients that we have there. So we have to enable DHCP snooping; this is available since RouterOS 6.43. Basically the idea here is to specify in the switches which are the trusted ports. For example, if we are installing a switch and we are connecting the DHCP server on port 1, that will be a trusted port, and all the rest of the ports where the clients are going to be connected will be untrusted. For example, in this case the rogue DHCP server is getting a connection through ether3, but because we are specifying this as an untrusted port, all the packets coming from it for the DHCP protocol are going to be discarded in this switch or router. Here, for example, we have the connection from switch 2 to switch 1; this will be the trusted connection, but we have the untrusted ports, and we will have control over all the clients that are on the right side. So basically all these offer and discover packets are being discarded in this switch. The traditional configuration that we make to create this bridge: basically you have to add the trusted feature on the interface, this is under /interface bridge port, you have to enable this option, and finally on the master bridge, the bridge interface, we have to enable DHCP snooping. So this is the configuration, for example, in this switch, and this would be for switch 2: you can see here we have port 2 and port 1 flagged as trusted and ether3 doesn't have the trusted flag, that means it is still untrusted, so this server won't be allowed to send its offers to our clients.

Another type of denial of service attack is the UDP flood. The previous one was the TCP SYN, taking advantage of the three-way handshake, but in this case with UDP we don't have that negotiation, so the attacker is sending a lot of UDP packets to the target. This also can be amplified: for example, if it's a DNS attack to a broadcast address, it can be amplified by the bandwidth they are using. For example, if the attacker is using ten megabits and we are using a broadcast address of a network with a /24, that means that we will have ten times 254 megabits, so it will be a very huge bandwidth and it will be almost impossible for the device to manage all that information; in less than three seconds, in labs that I have done, the CPU is at 100% and then rebooting, and obviously they are getting their objective, which is denying access to the users. The first thing that we can do is disable the DNS forwarder. Sometimes when we install the routers, under IP > DNS there is an option "allow remote requests" that turns the router into a DNS server; but if we are not going to use this device as a DNS server we can just disable this option, and in that case the router is not going to reply to DNS requests. Also we can limit the UDP connections, and block, for example, all the UDP traffic coming from the Internet; so we can take any of those three actions, or all three. This is the window that we can find under IP > DNS; here we have "allow remote requests", and when we enable this option we are saying okay, this is a DNS server, but if we are not going to use the device with that functionality we can just disable it, and with that we are doing a large part of the mitigation process.

The next step can be in the raw table. In IP > Firewall we have the raw table; we can specify a list of all the WAN interfaces and then we can just add a rule and drop all the traffic that is coming to the DNS ports through these interfaces. In that case we are protecting the device from all the traffic that is coming from the Internet. Remember that this is just mitigation; that doesn't mean that the attacker is going to shut down the botnet, they are going to continue sending the attack, but we are going to have very good results with this. We can also have this rule in the filter rules, but in that case this process would be after connection tracking and the performance would still be bad, so we will have a better result if we use the raw section. For example, here in the raw rule we are specifying the protocol UDP, port 53, the interface, in this case ether1 is the Internet interface, and then we also specify the action as drop.

Another type of attack is the brute force attack. In this case the attacker is trying to get access to the device; basically if they get access to a router they can do anything there, so we have to protect it. Sometimes one approach is to establish a VPN and only allow access to the device when the traffic is coming from the address that we have specified on the VPN. Also we can limit the number of attempts. Also we can modify the default ports: remember that under IP > Services there are all the available services on the router; we can change those values, since this is going to be a public device, and for network administration we can have customized ports there, because they will be hidden information, only the administrator of the device can handle that information. Another thing: we can limit login to a specific IP address or a range; also in IP > Services we can specify an address or range, so the router will allow connections only from the IPs that we have set there. Obviously we have to use complex passwords; it is strange that during this year, according to several studies, about 60% of passwords are "123456" and "password", even at enterprise levels, because we put the device there and forget about security, thinking that the attacks are for other people, not for us.

One technique that we can use is port knocking. This is a method that will enable access to the router after receiving a sequence of connection attempts on specific ports. We can specify a list of ports; if we want to access the router we have to try to connect using these ports, and finally we are going to be allowed. Basically the logic is that we have to make, for example here, three attempts, and finally, if we follow the correct sequence, we are going to get access to this router. In the example here, first we have a rule for port 8000 with protocol TCP, so we have to try to make a connection on this port; then the source address, the address that we are using to attempt the connection, is going to be added to a list, in this case stage1. Then we are going to try to connect to port 7000, and the router is going to verify if the address is already in stage1; if these conditions are met, then the IP is added to the stage2 address list. Then we are going to make a final attempt connecting to port 6000, and it is also going to verify, in this case stage2, and then this would be added to an allowed list and finally we will get access to the device. After that, obviously, you have to have the drop rule for everything, because if we do all this but we forget the drop at the end we are not doing anything; so we have to use this rule at the end of all our allow rules. Also here we can play with the timeout: for example, here we are setting one minute, so after the first attempt the source address is going to be in the list for one minute, so we have one minute to make the second attempt. We can go with a very low number there, for example two or three seconds, but in this case it would be difficult for us to type those numbers that fast, so we can use an app; there are a lot of apps for port knocking, so we can have in that app the list of predefined ports, we just make the attempts, and we can limit this time to a very low number.

Okay, basically that is about DoS attacks using MikroTik RouterOS; we have a very powerful tool. I don't know if you have any questions.

Okay, the main difference is that the raw table comes before connection tracking. For example, on the MikroTik website you can find the packet flow diagram of packets going through the whole device, and the raw table comes just before connection tracking, so that makes it more efficient to deal with denial of service attacks. But obviously, if the packet hasn't gone through connection tracking we cannot use, for example, connection states, or a lot of features that come after connection tracking, so we have fewer options to set the requirements in the raw rule; because it comes before connection tracking we cannot filter the packets using any of the connection tracking features in the raw section.

Okay, for example, in my case I have done different labs that you can find on my YouTube channel. For this specific case, the TCP SYN attack and UDP, I made a lab using Kali Linux with a gigabit connection to the router, an RB411. When I send the attack without any protection it takes like one or two seconds to get to 100% CPU usage; if I add the rules that I showed you in the filter section I get like 43 percent CPU usage, and with the raw section it's like 10 percent. The connections are still getting there, because we are not stopping the attack, so if we look at the filter rule we are going to see the packet counter going into gigabytes in minutes, but the CPU usage is like 10 to 12%.

Exactly, that's a good point: DNS is also TCP, there are a lot of websites and services running on TCP, so we have to add a second rule for TCP. That's a good point.

Exactly, there are for example the ICMP attacks that have a very big amplification effect; we didn't cover that in this presentation today, but we can also take some mitigation actions with RouterOS. All this information is covered in depth in the network security course from MikroTik, the MTCSE; it is a two-day training course with very deep information about different threats, attacks and ways to mitigate them.

Yes, all the presentations from the MUMs are available on mum.mikrotik.com, so you can find all the presentations from the last ten years, I think, and you can find all the files and the videos. If you google it you will find hundreds of them; all of them work in the same way, actually it is a very simple approach, just an attempt for a connection.

Yes, exactly, that's a good point, because if we have admin we are giving 50% of the information to the attacker, so we change the username, but also you have to go and remove it; we cannot modify admin after we add a new user, so we have to add a new user and then remove admin, because you will add the new one and forget admin; it happens sometimes. Exactly, yeah, because in less than five minutes you're going to be attacked by someone.

Okay, actually we have, for example, the profiler, where we can have categories about the use of the CPU, and also you can use Torch to see all the connections. Personally, I haven't developed any software myself to analyze that, but MikroTik has the application programming interface available, so we can develop something and get very customized information. For example, Wireshark is a tool that you can use to analyze, but maybe you want something like a dashboard showing everything; in that case there are some on the market, but maybe you have to customize some things there.

Okay, when we are using fast-track, usually we are going to filter the new connections and then we can fast-track the related connections, all the traffic coming with established connections; in that case this packet is not going to walk through the firewall filter, queues, all these instances.

So usually we go for simple solutions, logging the IPs and banning them; under what situations or what kind of attacks do you tarpit the incoming connection?

Okay, there are hundreds of different attacks, even for each protocol we can have a lot of threats, but in this specific case we are covering the ones that we have just seen, and in this case we are using the drop action. In some cases we can use tarpit to keep the connection alive and just not allow it; maybe after that we can limit the number of connections and get some kind of better performance from the device, but personally, for this type of attack, I prefer raw and drop, especially for UDP, which are usually the types that have more effect on the devices.

If you're using the raw table to filter out what you don't want to come into the table, or into the firewall, then you wouldn't be able to make a list of addresses to block, is that correct? I didn't get your question. If you use the raw table to filter out certain protocols or data, then you wouldn't be able to add any of those addresses that are incoming, trying to establish the connection, into a list, because it never makes it.

Okay, actually the raw table is under the firewall, but it is analyzed before connection tracking. We cannot filter using specific features of the TCP states, for example, because this comes before connection tracking, but it is very useful, for example, for the UDP flood, because we are dropping specific traffic and we are not allowing that traffic to get into connection tracking; after that we can manage all the rest of the connections in filter. So raw is kind of a complement for filter, just for specific traffic that we want to target; this doesn't mean that we are just going to use the raw section, it is just a complement for specific traffic.
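The talk refers to rules on slides that are not reproduced in the captions. The following is an added RouterOS CLI example written for this page, not the speaker's configuration, that puts the mitigations described above into one script: SYN cookies and handshake timers, disabling the DNS resolver toward the Internet, raw-table drops that run before connection tracking, a filter input chain with a connection-limit address list, the three-stage port-knocking sequence (ports 8000, 7000 and 6000 as in the talk), hardened management services, and, for a separate CRS3xx access switch, DHCP snooping plus single-MAC port security. Everything named here is an assumption for the example: ether1 as the Internet uplink on the router, ether1 as the uplink and ether3 as a client port on the switch, bridge1 and switch1 as the bridge and switch names, 10.0.0.0/24 as the management network, TCP 2222 as the moved SSH port, the 30-connection threshold, and the placeholder MAC address. It targets RouterOS 6.43 or later, since the talk dates DHCP snooping to that release.

```routeros
# Added example for this page (not from the talk). Assumed names: ether1 = Internet
# uplink, bridge1 = bridge, 10.0.0.0/24 = management network, MAC = placeholder.

# --- TCP SYN flood: SYN cookies (IP > Settings) and short handshake timers
#     (IP > Firewall > Connection Tracking) so half-open entries expire quickly
/ip settings set tcp-syncookies=yes
/ip firewall connection tracking set tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s

# --- UDP/DNS flood: stop acting as a resolver for the Internet (IP > DNS)
/ip dns set allow-remote-requests=no

# --- Raw table: evaluated before connection tracking, so dropping here is cheapest.
#     Raw cannot match connection-state; it matches interfaces, ports and TCP flags.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall raw
add chain=prerouting in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="DNS over UDP from the Internet"
add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="DNS also runs over TCP (point raised in the Q&A)"
add chain=prerouting in-interface-list=WAN protocol=tcp tcp-flags=fin,syn action=drop \
    comment="FIN+SYN never occurs in a real handshake; no state needed to drop it"

# --- Filter, input chain: protects the router itself. Order matters.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=!WAN action=accept comment="LAN side may manage the router"
# connection-limit=count,netmask: more than 30 concurrent TCP connections from one /32
# (tune the count from your traffic baseline) lands the source in an address list ...
add chain=input protocol=tcp connection-state=new connection-limit=30,32 \
    action=add-src-to-address-list address-list=blocked address-list-timeout=1h
# ... and that list is dropped on every following packet
add chain=input src-address-list=blocked action=drop
add chain=input protocol=icmp action=accept
# Port knocking: each knock is only honoured if the previous stage was passed,
# and each stage entry expires after 1m, so the sequence must be completed quickly
add chain=input protocol=tcp dst-port=8000 \
    action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=1m
add chain=input protocol=tcp dst-port=7000 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=knock-stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=6000 src-address-list=knock-stage2 \
    action=add-src-to-address-list address-list=knock-allowed address-list-timeout=1h
add chain=input protocol=tcp dst-port=2222 src-address-list=knock-allowed action=accept \
    comment="SSH (moved to 2222 below) only after the full knock sequence"
add chain=input action=drop comment="must remain the last input rule"

# --- Management services (IP > Services): move, restrict, disable unused ones
/ip service set ssh port=2222
/ip service set winbox address=10.0.0.0/24
/ip service disable telnet,ftp,www,api,api-ssl
# Replace the default admin account: add the new user first, then remove admin
/user add name=netops group=full password="CHANGE-ME-to-a-long-random-passphrase"
/user remove admin

# ================= Separate device: CRS3xx access switch =================
# Assumed: ether1 = uplink toward the real DHCP server, ether3 = client port,
# bridge1 = bridge, switch1 = switch chip, 02:AA:BB:CC:DD:01 = placeholder MAC.

# --- DHCP snooping: DHCP server replies are accepted only on trusted ports.
#     Ports are untrusted by default, so a rogue server on ether3 is discarded.
/interface bridge set bridge1 dhcp-snooping=yes
/interface bridge port set [find interface=ether1] trusted=yes

# --- Port security (CRS3xx hardware ACL): only one source MAC may use ether3.
#     new-dst-ports="" forwards matching frames nowhere, i.e. drops them.
/interface ethernet switch rule add switch=switch1 ports=ether3 \
    src-mac-address=!02:AA:BB:CC:DD:01/FF:FF:FF:FF:FF:FF new-dst-ports=""
# No dynamic learning and no unknown-unicast flooding on that port ...
/interface bridge port set [find interface=ether3] learn=no unknown-unicast-flood=no
# ... and a static host entry so traffic toward the allowed MAC still leaves via ether3
/interface bridge host add bridge=bridge1 interface=ether3 mac-address=02:AA:BB:CC:DD:01
```

Apply this on a lab device first: the final input drop and the moved SSH port will lock you out if the knock rules or the LAN accept rule are not in place, and removing admin is irreversible without a reset. Two things worth checking after deployment: /ip firewall connection print should no longer fill with SYN_SENT entries from the Internet once the raw rules are in, and /ip firewall address-list print shows whether the blocked and knock lists are being populated as expected. On the Q&A point about address lists, note that the raw table also offers add-src-to-address-list, so a source can be recorded there before connection tracking even though connection-state cannot be matched in raw.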
Info
Channel: MikroTik
Views: 18,630
Keywords: mikrotik, routerboard, routeros, latvia
Id: FsCN6a65otM
Length: 43min 50sec (2630 seconds)
Published: Mon Sep 30 2019