Spam trojan detection with Mikrotik RouterOS

Sunday, December 14th, 2008

One major issue facing ISPs today is the difficulty in obtaining sufficient IP space for every customer. For many it is a matter of cost, and for some it is simply a choice to NAT their customers behind the router/firewall. For the most part, NAT behaves much better today than it did in days gone by, but there is one issue that is very problematic for those who choose to NAT their customers. There is a significant proliferation of a new generation of trojans that turns a user’s computer into a menace to the Internet community. This new generation of trojans (collectively known as “botnets”) causes problems not only for the owner of the infected machine, but for every other customer of an ISP that NATs, because they all share the same public address. Since a significant number of these botnets are used to send spam all over the Internet, we, as service providers, have to find a way to protect our networks from being blacklisted while still allowing our customers to use the Internet without too many boundaries. In this article, I will discuss two approaches to setting these limits which have shown to be both effective AND relatively maintenance free.

Before I launch into a fix, let me begin by helping you to understand WHY these approaches work. For the great majority of customers, the mail server they send email through (their SMTP server) is the same server on which they check email (their POP/IMAP server). One of the methods we will use to defend against these bots takes advantage of that fact. Another thing we notice about “normal” SMTP traffic is that a user typically does not make more than a few outbound connections when sending email, whereas a spam bot talks directly to the mail exchangers of many different domains at once. This fact will permit us to limit the outbound connection count to some reasonable number and “assume” that a count beyond that MUST be spam activity.
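As an added illustration (this is not configuration from the original post), here is how both ideas can be expressed as RouterOS firewall filter rules on the NAT gateway. The interface name ether2-customers, the address-list names mailservers and spammers, the threshold of 10 simultaneous SMTP sessions and the timeouts are assumptions to be tuned for your own network:

```routeros
# Added example, not from the original article. Interface and list names,
# the connection threshold and the timeouts are assumptions for illustration.
/ip firewall filter
# 1. Learn each customer's own mail server: when a host inside the NAT opens a
#    POP3/IMAP session (plain or TLS) to a server, remember that server in the
#    "mailservers" list for an hour. add-dst-to-address-list does not terminate
#    rule processing, so the POP/IMAP traffic itself still flows normally.
add chain=forward in-interface=ether2-customers protocol=tcp dst-port=110,143,993,995 \
    action=add-dst-to-address-list address-list=mailservers address-list-timeout=1h \
    comment="learn the server each customer checks mail on"
# 2. A host already flagged as a spammer gets no port 25 at all.
add chain=forward protocol=tcp dst-port=25 src-address-list=spammers action=drop \
    comment="drop SMTP from hosts already detected"
# 3. Outbound SMTP to a server the customer also pulls mail from is legitimate
#    (the "same server" observation), so accept it before the rules below.
add chain=forward in-interface=ether2-customers protocol=tcp dst-port=25 \
    dst-address-list=mailservers action=accept \
    comment="allow SMTP to servers the customer checks mail on"
# 4. Detection: one inside host (netmask /32) holding more than 10 simultaneous
#    port-25 connections is not a person sending email. Flag it for a day.
#    This action is also non-terminating, so rule 5 drops the excess sessions.
add chain=forward in-interface=ether2-customers protocol=tcp dst-port=25 \
    connection-limit=10,32 action=add-src-to-address-list address-list=spammers \
    address-list-timeout=1d comment="flag hosts with too many SMTP sessions"
# 5. Any other port-25 traffic from the customer side is dropped, so a bot that
#    talks straight to Internet MX hosts never gets out through our address.
add chain=forward in-interface=ether2-customers protocol=tcp dst-port=25 action=drop \
    comment="no other outbound SMTP"
```

A few practical notes: these rules sit in the forward chain, so they see the customer’s private address before srcnat and the spammers list fills with private addresses, which is what you want for tracing the infected machine. Put your own ISP mail server in the mailservers list as a static entry so a fresh customer can send before the router has seen a POP/IMAP login. Port 587 (submission) is untouched here, and a customer who legitimately runs a mail server should be given a static accept rule ahead of rule 4. Flagged hosts can be reviewed with `/ip firewall address-list print where list=spammers`.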


Using the layer 7 filters – instant messaging example

Sunday, December 14th, 2008

In this article, I will describe one functional use for the layer-7  filters that MikroTik offers.  This feature can be very useful if used with caution.  The main problem with L7 filters is that they require much more processor time than many of the firewall functions.  I am not saying this just to “scare” you away from using them, but you need to be aware of this issue.  The scripts in this article have been tested and DO work as written.  They are in no way complete, but they are certainly functional as posted.


Basic iptables tutorial

Sunday, July 6th, 2008
In this article, I will provide a brief tutorial for using iptables. This article applies specifically to ImageStream routers, but more generally it applies to ALL Linux based devices that use iptables for the filtering of traffic. In another article, I will address firewalling in Mikrotik, which is also an iptables based firewall. Some parts of this article will apply to Mikrotik, so it may be worth reading even if you are a pure Mikrotik shop.

ImageStream CPE device configuration

Saturday, June 28th, 2008

The ImageStream router (http://www.imagestream.com) is a Linux based router that offers all the flexibility of any other Linux system with the added advantage of ImageStream’s special driver component architecture and management interface called “Inetics”. I won’t go into the details of the Inetics platform (that’ll be another article some day), but it should be sufficient to say that it is a tremendous feature in ImageStream’s router platforms.

This article will detail the steps needed to successfully configure an ImageStream router as a replacement for a consumer grade CPE device such as a Linksys, D-Link or even the higher end Cisco PIX. This article will deal only with the configuration of a router with Ethernet ports. We will see all the steps needed to get the customer online and functional. Items such as VPN and firewall will be covered at a later time.


How to configure a Mikrotik Router to replace CPE router

Sunday, June 22nd, 2008

This is my first post about the Mikrotik Product.  I will be putting up several examples in the coming weeks and months, so if you don’t see what you are looking for, be sure to contact me directly.  Leaving a comment is fine, but not likely to be “answered” unless it is a clarification for the specific article.

This article is intended to be a short guide to help you configure a Mikrotik router to behave in a way that is similar to a SOHO router, but with a wireless connection upstream. This configuration is perfect for a WISP that is using devices like the RouterBOARD 411 (priced at about $59), along with a CM9 or similar radio (about $40), the associated power supply, outdoor enclosure/antenna, etc. The total cost of a flexible device like this is about $150-160, including everything needed to install it at a customer’s house or business.