How To Detect BadHost or Spoofer or ARP program (Including NetCut) in Mikrotik

I found this article on the MikroTik forum; it is useful for network administrators who have to deal with bad hosts and spoofers, and it follows on from my earlier post cara menangkal netcut (how to counter NetCut).


Attempt to detect and Block Bad Hosts


Network administrators are in a constant battle trying to keep out attacks from virus-infected computers, computers that have been taken over by malicious people, and malicious people themselves. It's a never-ending barrage of attacks trying to exploit any flaw possible in your network. I keep a list of hosts/networks that I consider to be "bad-hosts"; this is a manually built list and it works great, but I don't always have time to sit and watch for candidates for this list, hence the small scripts below:

1. Add the rules in a new terminal
2. Edit the rules to suit your network
3. Remove all IPs from the address lists
4. Run NetCut to check whether the MikroTik detects it

First, add these rules in a new terminal. They sit in the forward chain, so they only see IP traffic routed through the MikroTik (not ARP frames and not traffic addressed to the router itself), and the last two rules log and reject everything that reaches them, so paste them after your existing accept rules. The address lists our-networks and bogons are filled in step 2; the chains open-customers and bad-hosts are not defined here (they belong to a larger rule set), and a jump to a chain with no rules simply returns:

/ip firewall filter
# Already on the one-day block list: reject without any further checks
add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list
add action=jump chain=forward comment="Check if dest is an open customer" disabled=no dst-address-list=open-customers jump-target=open-customers
add action=jump chain=forward comment="Check Known Bad Hosts" disabled=no jump-target=bad-hosts

# Detection chain: count how often a source is seen and block it when it is seen too often
add action=return chain=bad-host-detection comment="Take no action on bogons" disabled=no src-address-list=bogons
add action=add-src-to-address-list address-list=30-second-list address-list-timeout=30s chain=bad-host-detection comment="Add to the 30 second list" disabled=no
# nth=every,packet; the nth counter is kept per rule, not per source, so with several noisy sources it trips sooner than 20 packets from any one of them
add action=add-src-to-address-list address-list=24-hour-list address-list-timeout="1d 00:00:00" chain=bad-host-detection comment="If seen 20 times in 30 seconds add to the one day block list" disabled=no nth=20,1 src-address-list=30-second-list
add action=return chain=bad-host-detection comment="" disabled=no

# Every source outside our own networks goes through the detection chain, then is logged and rejected
add action=jump chain=forward comment="jump to the bad-host-detection chain" disabled=no jump-target=bad-host-detection src-address-list=!our-networks
add action=log chain=forward comment="log and reject the rest" disabled=no log-prefix=""
add action=reject chain=forward comment="" disabled=no reject-with=icmp-network-unreachable



2. Follow the next picture to edit these rules

Image

but change 192.168.0.0/24 to your own network.

3. Remove all IPs from the address lists, as in this picture

Image

4. Run NetCut

After 10 seconds you will see the IP in the "30 second list"

Image

After 10 seconds you will see the IP in the "24 hour list"

Image

As you can see, the MikroTik caught the IP of the host running NetCut.
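Steps 2 to 4 as terminal commands, since the screenshots are not reproduced here. This is an added example, not part of the forum post or of this blog: the address-list names match the rules above, 192.168.0.0/24 stands for your own LAN as in step 2, and the bogon ranges, the script name and the scheduler interval are assumptions.

```routeros
# Step 2: create the address lists the filter rules refer to.
# our-networks is skipped by the detection jump (src-address-list=!our-networks);
# replace 192.168.0.0/24 with your own network.
/ip firewall address-list
add list=our-networks address=192.168.0.0/24 comment="our LAN"
# bogons are ignored by the detection chain (assumed ranges; do not put your own
# LAN in here, or the chain will never count it)
add list=bogons address=127.0.0.0/8 comment="loopback"
add list=bogons address=169.254.0.0/16 comment="link-local"
add list=bogons address=224.0.0.0/3 comment="multicast and reserved"

# Step 3: empty the dynamic lists so the test starts from a clean state
/ip firewall address-list remove [find where list="30-second-list"]
/ip firewall address-list remove [find where list="24-hour-list"]

# Step 4: run NetCut on a test host, then watch the lists fill and read the lines
# written by the "log and reject the rest" rule (no log-prefix, so they start with "forward:")
/ip firewall address-list print where list="30-second-list"
/ip firewall address-list print where list="24-hour-list"
/log print where message~"^forward:"

# Optional: report blocked hosts every 5 minutes instead of watching the list by hand
# (script name and interval are assumed)
/system script add name=report-bad-hosts source={
    :foreach i in=[/ip firewall address-list find where list="24-hour-list"] do={
        :local addr [/ip firewall address-list get $i address]
        :log warning ("bad host on 24-hour-list: " . $addr)
    }
}
/system scheduler add name=report-bad-hosts interval=5m on-event=report-bad-hosts
```

Keep in mind what these rules can and cannot see: `/ip firewall filter` only inspects IP packets, and the forward chain only those routed through the router, so ARP replies sent by a NetCut host on the LAN never reach it. What lands on the lists is a source outside our-networks that sends enough routed traffic to trip the nth counter. To deal with the ARP side itself, the usual MikroTik measure is `arp=reply-only` on the LAN interface together with static ARP entries for the known hosts.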

Note: if you are not using mangle you can remove the nth option from the script.
It worked properly in my network.

Source :
1. http://forum.mikrotik.com/viewtopic.php?f=2&t=31384
2. http://wiki.mikrotik.com/wiki/Bad-host-detection

Keywords: spoof, badhost, badhost detection, netcut, mikrotik