
Network defence using RouterOS (Part 1)

Author: Hilton D

Date Published


When looking for threats sometimes you know exactly what you’re looking for. Sometimes — actually often — you only have a general direction in which you wish to conduct your hunt.

RouterOS `print ... where` filters support an exact-match operator `=` and a regular-expression operator `~`. The `~` match is a real regex rather than a loose fuzzy search: `.` matches any character and an unanchored pattern matches anywhere in the value, which is exactly what you want when you only have a single clue to go on.

If you’re anything like me, once you have a single “high signal” indicator, that is all the motivation you need to continue the search, no matter how arduous.

The RouterOS connection tracking module is very helpful for getting an idea of what is happening right now on your network, especially when combined with `~`. Connection entries store `src-address` and `dst-address` as address:port, so an exact `=` match on a bare IP will never hit; a regex match will.


/ip/firewall/connection/ print interval=3s where src-address ~ "10.0.0"

Here is a snapshot of the fields this gives us to work with. One caveat: the unanchored pattern "10.0.0" also matches inside 10.10.0.0 or 110.0.0.5, and the dots match any character. When precision matters, anchor the pattern and escape the dots, e.g. src-address ~ "^10\\.0\\.0\\.".


(Screenshot: routeros_connection_tracking, output of the connection-tracking print)

We can also filter by rate, limiting the output to connections moving more than 10 kbps in either direction (`orig-rate` is the original direction, `repl-rate` the reply direction, both in bits per second):


/ip/firewall/connection/ print interval=3s where src-address ~ "10.0.0.113" \
and ( repl-rate > 10000 or orig-rate > 10000)


In addition to the connection table, the Kid Control device table (once Kid Control is in use on the LAN) can quickly tell you how much bandwidth an IP / MAC / hostname is sending and receiving:


/ip/kid-control/device> print interval=1 where name ~ "apt29sandbox"

# NAME MAC-ADDRESS IDLE-TIME RATE-DOWN RATE-UP
29 D apt29sandbox 70:3C:4E:01:B1:39 1s 6.3Mbps 98.2kbps


This post is about defending a network, so let’s assume that we have identified a malicious IP address that we want to block.

This is my preferred way to block traffic: it is efficient, and because the rule matches a list rather than a hard-coded address, the set of blocked IPs can be managed separately from the firewall rules, even via the API or Ansible if you’re organised.

Here are the steps :

1. Create a firewall address list, for example blockList, by adding the first address to it.

2. Add drop rules at the top of the chain: one with src-address-list set to blockList and one with dst-address-list set to blockList. Matchers within a single rule are ANDed, so a rule with both lists set would only match when both ends of the connection are on the list. You can also add logging with log=yes.
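Putting the two steps together, here is an added example in RouterOS v7 CLI syntax; it is not code from the original post. The list name blockList comes from the steps above, while the address 203.0.113.7 and the comments are constructed for illustration. It also adds two things the steps leave implicit: flushing the offender's existing connection-tracking entries (if FastTrack is enabled, packets of an already fasttracked connection bypass the filter chain until the entry is gone) and a quick verification from the rule counters and the log.

```routeros
# Added example, not code from the original post. RouterOS v7 CLI syntax.
# Assumes: LAN traffic traverses the forward chain; blockList is the list name
# from the steps above; 203.0.113.7 and the comments are constructed values.

# 1. Create the address list by adding its first entry. timeout= lets the
#    entry age out by itself instead of living in the list forever.
/ip/firewall/address-list add list=blockList address=203.0.113.7 \
    comment="incident 42: C2 beacon seen from apt29sandbox" timeout=30d

# 2. Drop rules at the top of the chain (place-before=0). Matchers inside one
#    rule are ANDed, so source and destination each need their own rule.
/ip/firewall/filter add chain=forward src-address-list=blockList action=drop \
    log=yes log-prefix="blockList-src" comment="blockList drop src" place-before=0
/ip/firewall/filter add chain=forward dst-address-list=blockList action=drop \
    log=yes log-prefix="blockList-dst" comment="blockList drop dst" place-before=0
# and traffic aimed at the router itself
/ip/firewall/filter add chain=input src-address-list=blockList action=drop \
    log=yes log-prefix="blockList-in" comment="blockList drop input" place-before=0

# 3. Remove connections that already exist, so the traffic is re-evaluated as
#    new connections against the rules above. Addresses are stored as
#    address:port and ~ is a regex, hence the anchor and the escaped dots.
/ip/firewall/connection remove [find where (src-address~"^203\\.0\\.113\\.7:" \
    or dst-address~"^203\\.0\\.113\\.7:")]

# 4. Verify: the rules sit at the top and count packets, the list holds the
#    entry, and the log shows hits with the prefixes set above.
/ip/firewall/filter print stats where comment~"^blockList"
/ip/firewall/address-list print where list=blockList
/log print where message~"blockList"
```

Once the rules exist, responding to the next incident is a single address-list add; the rules never need to change. Unblocking is the reverse: remove the entry from blockList (or let its timeout expire) and the drop rules simply stop matching.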

It is a good idea to practice this process and test it regularly, so that when a real incident arrives you already have the process in place and the “muscle memory” to respond rapidly!

In part two, we will route our RouterOS logs to an open source data pipeline tool, Tenzir, which will enable more advanced security use cases!