Beruflich Dokumente
Kultur Dokumente
.i c
Securing and testing with Mikrotik
o b
o
José Manuel Román
ah 1
About me
o m
•
•
16 years’ I.T. experience
7 years teaching networking
.i c
b
• 6 years security analyst
•
o
CEO at Cloud Networking Spain (Wisp Provider)
• Network architect at Ipink.
o
• Bachelor of Computer Science.
• Master ITIL.
h
• Security Certifications: Cisa and Cispp
• Mikrotik Certifications: MTCINE, MTCNA, MTCRE, MTCTCE, MTCWE,MTCUME
a
• Mikrotik Certified Trainer
• Security consultant
2
o m
c
Objective
b .i
The objective of this presentation is to show the Mikrotik tools that help to
test and audit firewall and Qos policies.
oo
ah 3
o m
c
Schedule
b
Duration: 30 minutes
.i
•
oo
Introduction: 5 minutes
•
ah
Scenario 1 Testing Synflood rules: 15 minutes
4
o m
c
Problem
b .i
o
What to do when I need to test or audit if a router was enforcing QoS
o
marking policies on incoming frames or was embracing complex security
policies?
ah
What to do when I need to teach QoS and complex firewall rules?
5
o m
.i c Firewall rules
from Grew
b
Sowel blog
oo
ah 6
o m
c
Symptoms
b .i
o
We have a complex configuration and we have no idea how to test it.
h o
Students or clients asking us to demonstrate that setting works.
a 7
o m
c
Solution
b .i
We need tools to test and teach
oo
ah 8
o m
c
Tools
b .i
There are a number of tools commonly used for testing or teaching
networking that are present in mikrotik:
o
• Ping, Traceroute
o
• Real-time traffic monitoring and sniffer
•
h
Traffic generator
a 9
o m
c
External tools
b .i
Similar to others that are not present in mikrotik:
• Nmap and nping
o
• Hping3
o
• Scapy
• Wireshark
ah 10
o m
c
First scenario
b .i
In this scenario we will test three sets of firewall rules to limit a synflood attack.
oo
ah 11
o m
c
Scenario 1
b .i
oo
ah 12
o m
c
TCP handshake
b .i
Normally when a client attempts to start a TCP connection to a server, the
client and server exchange a series of messages which normally runs like this:
oo
Client requests a connection by sending a SYN (synchronize) message to
h
the server.
a
• The server acknowledges this request by sending SYN-ACK back to the
client.
• The client responds with an ACK, and the connection is established.
13
o m
c
TCP flags in Mikrotik firewall
.i
Where can I find the tcp flags in Mikrotik router?
o b
h o
a 14
o m
c
Attack(syn flood)
.i
SYN flood is a form of denial-of-service attack in which an attacker
b
sends a succession of SYN requests to a target's system in an
attempt to consume enough server resources to make the system
o
unresponsive to legitimate traffic.
h o
a 15
o m
c
First scenario
b
Testing synflood rules
• Rules configuration.
.i
o
• Preparing the traffic generator to generate traffic with certain
o
characteristics.
• Testing the rules with the previous traffic.
ah 16
o m
c
First rule (Policy 1)
b .i
o
We configure a rule to try to stop or mitigate the attack:
h o
/ip firewall filter add chain=input comment="synflood policy1“
a
connection-limit=20,32 disabled=no protocol=tcp action=drop
17
o m
.i c
o b
h o
a 18
o m
.i c
o b
h o
a 19
o m
c
Survey online
b
Does policy 1 work?
.i
/ip firewall filter add chain=input comment="synflood policy1“ connection-
o
limit=20,32 disabled=no protocol=tcp action=drop
h o
No, this rule doesn't drop packets
a
• The rule works but doesn't limit the attack
• Yes, it limits the sinflood attack.
http://freeonlinesurveys.com/s/JZxVzhiO
20
o m
c
First scenario
b
Testing synflood rules
• Rules configuration.
.i
o
• Preparing the traffic generator to generate traffic with certain
o
characteristics.
• Testing the rules with the previous traffic.
ah 21
o m
c
Tool to test the policy
b .i
Traffic Generator is a tool that allows to evaluate performance of
DUT (Device Under Test) or SUT (System Under Test).
o
• Tool can generate and send RAW packets over specific ports. It
o
also collects latency and jitter values, tx/rx rates, counts lost
h
packets and detects Out-of-Order (OOO) packets.
a http://freeonlinesurveys.com/s/JZxVzhiO
22
o m
c
Crafting with traffic generator
b .i
oo
ah 23
o m
c
Testing workflow
b .i
o
Port Template Stream
h o
a 24
o m
c
Scenario 1
b .i
oo
ah 25
o m
c
First scenario
b
Testing ynflood rules
• Rules configuration.
.i
o
• Preparing the traffic generator to generate traffic with certain
o
characteristics.
• Testing the rules with the previous traffic.
ah 26
o m
c
Traffic Generator (Port)
b .i
oo
ah 27
o m
c
Traffic Generator (Port)
b .i
oo
ah 28
o m
c
Traffic Generator (Packet Template)
b .i
oo
ah 29
o m
c
Traffic Generator (Packet Template)
b .i
oo
ah 30
o m
c
Traffic Generator(Packet Template)
b .i
oo
ah 31
o m
c
Traffic Generator(Packet Template)
b .i
oo
ah 32
o m
c
Traffic Generator(Packet Template)
b .i
oo
ah 33
o m
c
Traffic Generator(Packet Template)
b .i
oo
ah 34
o m
c
Traffic Generator(Packet Template)
b .i
oo
ah 35
o m
c
Traffic Generator(Stream)
b .i
oo
ah 36
o m
c
First scenario
b
Testing ynflood rules
• Rules configuration.
.i
o
• Preparing the traffic generator to generate traffic with certain
o
characteristics.
• Testing the rules with the previous traffic.
ah 37
o m
c
Traffic Generator(Quick start)
b .i
oo
ah 38
o m
c
Border Router Counters (policy 1)
b .i
oo
ah 39
o m
c
Survey online
b
Does policy 1 work?
.i
/ip firewall filter add chain=input comment="synflood policy1“ connection-
o
limit=20,32 disabled=no protocol=tcp tcp-flags=syn action=drop
o
• No, this rule doesn't drop packets
• The rule works but doesn't limit the attack
h
• Yes, it limits the sinflood attack.
a 40
o m
c
Policy 1
b .i
oo No, this rule doesn't drop packets
h
Because the attacker never established connections and there is a
a
connection limit that doesn’t apply
41
o m
c
Policy 2
b .i
o
/ip firewall filter add chain=input limit=20,1 protocol=tcp tcp-flags=syn
h o
a
http://freeonlinesurveys.com/s/JZxVzhiO
42
o m
.i c
o b
h o
a 43
o m
.i c
o b
h o
a 44
o m
c
Survey online
b
Does policy 2 work?
.i
/ip firewall filter add chain=input limit=20,1 protocol=tcp tcp-flags=syn
o
action=drop
o
• No, this rule doesn't drop packets
• The rule works but doesn't limit the attack
h
• Yes, it limits the sinflood attack.
a http://freeonlinesurveys.com/s/JZxVzhiO
45
o m
c
Why the counters are incremented 40 every 2 seconds?
b .i
oo
ah 46
o m
c
Survey online
b
Does policy 2 work?
.i
oo The rule works but doesn't limit the attack
In this case only drops 20 packets every second
ah http://freeonlinesurveys.com/s/JZxVzhiO
47
o m
c
Policy 3
b .i
add action=jump chain=input comment="Policy 3" jump-target=syn-flood protocol=tcp tcp-flags=syn
o
add chain=syn-flood limit=100,5
add action=drop chain=syn-flood
h o
a
http://freeonlinesurveys.com/s/JZxVzhiO
48
o m
c
Survey online
.i
Does policy 3 work?
b
/ip firewall filter
o
add action=jump chain=input comment="Policy 3" jump-target=syn-flood protocol=tcp tcp-flags=syn
add chain=syn-flood limit=100,5
o
add action=drop chain=syn-flood
h
• No, this rule doesn't drop packets
a
• The rule works but doesn't limit the attack
• Yes, it limits the synflood attack.
http://freeonlinesurveys.com/s/JZxVzhiO
49
o m
c
Policy 3 (First rule)
b .i
add action=jump chain=input comment="Policy 3" jump-target=syn-flood protocol=tcp tcp-flags=syn
oo
h
http://freeonlinesurveys.com/s/JZxVzhiO
a 50
o m
.i c
o b
h o
a 51
o m
.i c
o b
h o
a 52
o m
c
Policy 3 (Second rule)
b
add chain=syn-flood limit=100,5
.i
oo
ah http://freeonlinesurveys.com/s/JZxVzhiO
53
o m
.i c
o b
h o
a 54
o m
.i c
o b
h o
a 55
o m
c
Policy 3 (Third rule)
b
add action=drop chain=syn-flood
.i
oo
ah http://freeonlinesurveys.com/s/JZxVzhiO
56
o m
.i c
o b
h o
a 57
o m
c
Survey online
.i
Does policy 3 work?
b
/ip firewall filter
o
add action=jump chain=input comment="Policy 3" jump-target=syn-flood protocol=tcp tcp-flags=syn
add chain=syn-flood limit=100,5
o
add action=drop chain=syn-flood
h
• No, this rule doesn't drop packets
a
• The rule works but doesn't limit the attack
• Yes, it limits the synflood attack.
http://freeonlinesurveys.com/s/JZxVzhiO
58
o m
c
Survey online
.i
Does policy 3 work?
b
/ip firewall filter
o
add action=jump chain=input comment="Policy 3" jump-target=syn-flood protocol=tcp tcp-flags=syn
add chain=syn-flood limit=100,5
o
add action=drop chain=syn-flood
h
Yes, it limits the synflood attack.
a http://freeonlinesurveys.com/s/JZxVzhiO
59
o m
c
Scenario 2 (Testing QoS)
b .i
In this laboratory we will test
o
packet marking configuration and queue tree
h o
a 60
o m
c
Scenario 2
b .i
oo
ah 61
o m
c
Router Configuration
b .i
[admin@VoIPPhoneSimulator] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
o
# ADDRESS NETWORK INTERFACE
o
0 10.1.1.1/24 10.1.1.0 ether1
ah 62
o m
c
Router Configuration
b
[admin@RouterLan] > ip address print
.i
Flags: X - disabled, I - invalid, D - dynamic
o
# ADDRESS NETWORK INTERFACE
o
0 192.168.100.1/24 192.168.100.0 ether1
ah 63
o m
c
Router Configuration
b
[admin@PbxSimulator] > ip address print
.i
Flags: X - disabled, I - invalid, D - dynamic
o
# ADDRESS NETWORK INTERFACE
o
0 192.168.8.2/24 192.168.8.0 ether1
ah 64
o m
c
Scenario 2
b .i
oo
ah 65
o m
c
Scenario 2
b .i
o
in this case we will try a queue tree configuration that prioritizes voice
o
traffic. QoS router has mangle rules and queue tree limitations.
ah 66
o m
c
Mangle rules
.i
[admin@Qos] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Normal traffic
b
chain=prerouting action=mark-packet new-packet-mark=Rest passthrough=yes src-address=192.168.100.1
dst-address=192.168.8.2 log=no log-prefix=""
o
1 ;;; RTP traffic
o
chain=prerouting action=mark-packet new-packet-mark=VoipPhones passthrough=no dscp=46 log=no
log-prefix=""
h
2 ;;; SIP traffic
chain=prerouting action=mark-packet new-packet-mark=VoipPhones passthrough=no dscp=26 log=no
a
log-prefix=""
67
o m
c
Dscp values Voip calls
b .i
SIP signaling messages will be marked by DSCP value of 26
oo
ah 68
o m
c
Dscp values Voip calls
b .i
RTP voice audio data will be marked by DSCP value of 46
oo
ah 69
o m
c
Mangle rules
.i
[admin@Qos] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
b
0 ;;; Normal traffic
chain=prerouting action=mark-packet new-packet-mark=Rest passthrough=yes src-address=192.168.100.1
o
dst-address=192.168.8.2 log=no log-prefix=""
o
chain=prerouting action=mark-packet new-packet-mark=VoipPhones passthrough=no dscp=46 log=no
log-prefix=""
h
2 ;;; SIP traffic
a
chain=prerouting action=mark-packet new-packet-mark=VoipPhones passthrough=no dscp=26 log=no
log-prefix=""
70
o m
c
Queue tree
.i
[admin@Qos] > queue tree print
Flags: X - disabled, I - invalid
b
0 name="Out to PBX" parent=ether1 packet-mark="" limit-at=0 queue=default priority=8 max-limit=0
burst-limit=0 burst-threshold=0 burst-time=0s
o
1 name="call out" parent=Out to PBX packet-mark=VoipPhones limit-at=100k queue=default
o
priority=1
max-limit=100k burst-limit=100k burst-threshold=100k burst-time=10s
ah
2 name="Traffic from Router Lan" parent=Out to PBX packet-mark=Rest limit-at=10M
queue=default priority=8
max-limit=10M burst-limit=10M burst-threshold=10M burst-time=10s
71
o m
c
Queue tree
b .i
oo
ah 72
o m
c
Testing workflow
b .i
o
Port Template Stream
h o
a 73
o m
c
Testing steps
b .i
We will prepare 3 different packets with Traffic Generator in
VoIPPhoneSimulator Router:
o
• Two packets will simulate VoIP traffic (Rtp and SIP)
o
• The other packet we’ll simulate traffic from RouterLan (with
h
spoofing)
• We create a stream with the three previous packets
a corresponding
74
o m
c
Dscp values Voip calls
b .i
SIP signaling messages will be marked by DSCP value of 26
o
A DSCP value of 26 results in a ToS byte value of 104 AF31=0x68
(=104)
h o
a 75
o m
c
Dscp values Voip calls
b .i
RTP voice audio data will be marked by DSCP value of 46
o
A DSCP value of 46 results in a ToS byte value of 184 EF=0xB8
h o
a 76
o m
c
Scenario 2
b .i
oo
ah 77
o m
c
Rtp packet
b .i
oo
ah 78
o m
c
Rtp packet
b .i
oo
ah 79
o m
c
Rtp packet
b .i
oo
ah 80
o m
c
Rtp packet
b .i
oo
ah 81
o m
c
Rtp packet
b .i
oo
ah 82
o m
c
SIP Packet
b .i
oo
ah 83
o m
c
Packet from RouterLan (Spoofing)
b .i
oo
ah 84
o m
c
Packet from RouterLan (Spoofing)
b .i
oo
ah 85
o m
c
Packets from RouterLan (Spoofing)
b .i
oo
ah 86
o m
c
Stream
b .i
oo
ah 87
o m
c
Stream
b .i
oo
ah 88
o m
c
Stream
b .i
oo
ah 89
o m
c
Stream
b .i
oo
ah 90
o m
c
Running the test
b .i
oo
ah 91
o m
c
Checking the results (Router QoS)
b .i
oo
ah 92
o m
c
Checking the results (Router QoS)
b .i
oo
ah 93
o m
c
Checking the results (Router QoS)
b .i
oo
ah 94
o m
.i c
b
Disclaimer
o
The information provided on this presentation are for educational purposes only. The
author is no way responsible for any misuse of the information.
h o
a 95
Thanks a lot o m
Hvala!i. c
o b
h o Contact: jose.roman@cloudnetworking.es
a
Thanks a lot to Fajar Nugroho
https://freeonlinesurveys.com/app#/795807/analyze/-1
96
o m
.i c
References
b
http://mum.mikrotik.com/presentations/HR13/legend.pdf
o
http://mum.mikrotik.com/presentations/HR13/maia.pdf
http://mum.mikrotik.com/presentations/HR13/kirnak.pdf
o
http://mum.mikrotik.com/presentations/BR11/1_Maia.pdf
http://mum.mikrotik.com/presentations/CY15/Denial_of_Service_Attack.pdf
h
https://tools.ietf.org/html/bcp38
a
http://www.mikrotikbrasil.com.br/artigos/Layer2_Security_Poland_2010_Maia.pdf
97