Mikrotik Address List

Mikrotik is arguably one of the most powerful routing platforms on the market for the money. It's highly scalable and its customization is endless. The original script was developed by a fellow consultant, Joshaven Potter, and I have updated it so that it does not spam his servers.

The Problem:  
When your network connection is internet facing to the public you sometimes need some help to determine what is a legitimate connection versus a malicious connection.

What do you do?
The ability to solve this with Mikrotik is not only effective, but simple. Address Lists! You can simply add the bad address “in jail” for 30 days until they change their behavior.

This has been simplified with the use of scripts that can be copied and pasted into the Mikrotik Terminal. They allow the Mikrotik to download the list on a regular schedule (every 3 days) and update the address list automatically.

In order to use any of the following lists you will want to add a rule to your input or forward chains like the following:

add chain=input action=drop comment="Drop new connections from blacklisted IP's to this router" \
connection-state=new src-address-list=blacklist in-interface=ether1

(or your uplink interface)

Spamhaus List:
"The DROP list will not include any IP address space under the control of any legitimate network. DROP will only include netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations."

/system script add name="DownloadSpamhaus" source={
/tool fetch url="http://cloud.ciaworks.com/scripts/spamhaus.rsc" mode=http;:log info "Downloaded spamhaus.rsc from ciaworks.com";}
/system script add name="ReplaceSpamhaus" source={
/ip firewall address-list remove [find where comment="SpamHaus"]
/import file-name=spamhaus.rsc;:log info "Removed old Spamhaus records and imported new list";}
/system scheduler add comment="Download spamhaus list" interval=3d \
  name="DownloadSpamhausList" on-event=DownloadSpamhaus \
  start-date=jan/01/1970 start-time=16:51:12
/system scheduler add comment="Apply spamhaus List" interval=3d \
  name="InstallSpamhausList" on-event=ReplaceSpamhaus \
  start-date=jan/01/1970 start-time=16:56:12
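The scripts above fetch a ready-made spamhaus.rsc from a hosted location and rely on two conventions: every imported entry carries comment="SpamHaus" (so ReplaceSpamhaus can remove the old set) and lands in the list named blacklist (so the drop rule matches it). If you want to host your own copy instead of pulling from someone else's server, the following Python generator builds such a .rsc from a feed in the legacy Spamhaus DROP text format. This is an added example, not part of the original post or of Joshaven Potter's scripts; the feed sample is constructed, and the exact DROP format and list name are assumptions.

```python
import ipaddress

# Constructed sample in the legacy Spamhaus DROP text format ("cidr ; SBLnnn"),
# including a duplicate and a junk line to show how they are handled.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not the live feed)
; Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
1.10.16.0/20 ; SBL256894
2.56.192.0/22 ; SBL459831
1.10.16.0/20 ; SBL256894
not-an-address ; SBL000000
"""


def parse_drop(text):
    """Return the unique, valid IPv4 netblocks from a DROP-format feed.

    Comment lines (';') and anything that is not a CIDR block are skipped,
    so a corrupted download cannot inject arbitrary text into the .rsc.
    """
    nets, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr = line.split(";", 1)[0].strip()
        try:
            # strict=False normalizes a block whose host bits are set
            # instead of dropping it from the blocklist.
            net = ipaddress.IPv4Network(cidr, strict=False)
        except ValueError:
            continue
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets


def to_rsc(nets, list_name="blacklist", comment="SpamHaus"):
    """Render netblocks as a RouterOS import file matching the page's scripts.

    The comment must equal the one ReplaceSpamhaus removes by, and the list
    name must equal the src-address-list used in the drop rule.
    """
    lines = ["/ip firewall address-list"]
    for net in nets:
        lines.append(f'add list={list_name} address={net} comment="{comment}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    with open("spamhaus.rsc", "w") as fh:
        fh.write(to_rsc(parse_drop(SAMPLE_DROP)))
```

Publish the resulting spamhaus.rsc on your own web server and point the url= in DownloadSpamhaus at it; because the entries are marked comment="SpamHaus", the existing ReplaceSpamhaus script clears them before each import.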

dShield List:
This list summarizes the top 20 attacking class C (/24) subnets over the last three days. The number of ‘attacks’ indicates the number of targets reporting scans from this subnet.

/system script add name="Download_dshield" source={
/tool fetch url="http://cloud.ciaworks.com/scripts/dshield.rsc" mode=http;:log info "Downloaded dshield.rsc from ciaworks.com";}
/system script add name="Replace_dshield" source={
/ip firewall address-list remove [find where comment="DShield"]
/import file-name=dshield.rsc;:log info "Removed old dshield records and imported new list";}
/system scheduler add comment="Download dshield list" interval=3d \
  name="DownloadDShieldList" on-event=Download_dshield \
  start-date=jan/01/1970 start-time=17:01:12
/system scheduler add comment="Apply dshield List" interval=3d \
  name="InstallDShieldList" on-event=Replace_dshield \
  start-date=jan/01/1970 start-time=17:06:12

Malc0de List:
The files below will be updated daily with domains that have been identified distributing malware during the past 30 days.

/system script add name="Download_malc0de" source={
/tool fetch url="http://cloud.ciaworks.com/scripts/malc0de.rsc" mode=http;:log info "Downloaded malc0de.rsc from CIAworks.com";}
/system script add name="Replace_malc0de" source={
/ip firewall address-list remove [find where comment="malc0de"]
/import file-name=malc0de.rsc;:log info "Removed old malc0de records and imported new list";}
/system scheduler add comment="Download malc0de list" interval=3d \
  name="Downloadmalc0deList" on-event=Download_malc0de \
  start-date=jan/01/1970 start-time=17:01:12
/system scheduler add comment="Apply malc0de List" interval=3d \
  name="Installmalc0deList" on-event=Replace_malc0de \
  start-date=jan/01/1970 start-time=17:06:12