May 10 / Greg

Mikrotik Winbox DOS Exploit Protection

I was just alerted to a winbox exploit that is affecting all MTK versions (thanks Mike). Here are a few tips to protect yourself.

Add firewall rules to allow access to winbox only from management network.

You really should have your router locked down so management can only come from certain subnets anyway.

/ip firewall filter
add action=drop chain=input comment=\
    "Block winbox access from anyone not on the management network." \
    disabled=no dst-port=8291 protocol=tcp src-address=!1.1.1.0/24

Add Portknock to access winbox

Portknock app and link here.

Allow access only via VPN

Link to my VPN videos here.

Change default winbox port

Go to IP Services and change the port from default. This isn’t a complete fix, but should help prevent port scanners from exploiting winbox.

IP Services

When you want to connect with winbox, just add a colon and the new port number after the router address.
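Putting the firewall tip and the IP Services tip together, here is an added RouterOS script (not from the original post) that keeps the management subnet in an address list so one rule change covers both the filter and the service; 192.0.2.0/24 is a constructed placeholder for your own management network.

```routeros
# Enable Safe Mode (Ctrl-X in the terminal) before pasting this, so the
# session is rolled back if the rules lock you out of the router.

# Constructed placeholder: replace with your real management subnet(s).
/ip firewall address-list
add list=management address=192.0.2.0/24 comment="Management network"

# Input chain: accept winbox only from the management list, drop everyone else.
# Both rules must sit ABOVE any broad "accept" in the input chain, otherwise
# the broad rule matches first and these never fire.
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address-list=management \
    action=accept comment="Winbox from management only"
add chain=input protocol=tcp dst-port=8291 \
    action=drop comment="Drop winbox from everywhere else"

# Belt and braces: the service itself will also refuse non-management sources.
# If you change the port here, change dst-port in the two rules above to match.
/ip service
set winbox port=8291 address=192.0.2.0/24
```

After applying, confirm from a management address that winbox still connects, then exit Safe Mode to commit the change.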

7 Comments

  1. O! / May 10 2012

    Do you know if ROS 5.16 released yesterday also is affected?

  2. Greg / May 10 2012

    @O
    From the description of the exploit I would say yes.

  3. iam8up / May 10 2012

    Just allow a certain number of new connections to 8291 per /32.

  4. Greg / May 11 2012

    @8up
    Great tip!

    I was thinking of adding that, but I wanted people to use something more proactive rather than reactive. Don’t even allow the opportunity for connection.

  5. Justin Wilson / May 11 2012

    The port knock thing can be a PITA.

  6. Boban Acimovic / May 20 2012

    Isn’t it Winbox client exploit? So, servers (routerboards) are not affected. I am not saying we should not protect them, on the contrary, but this exploit can’t hurt them, it can hurt just your Windows PC.

  7. Greg / May 21 2012

    @Boban
    There was an exploit for both. I’m less concerned with the client exploit and more concerned with the DoS attack you can perform against the MTK.
