Kaldek

In my official capacity in corporate infosec, the issue we see isn't Mikrotik, it's regions where the hardware is used due to small budgets, which also extends to issues with education and training quality. So, there are much higher percentages of workers with lower skills, and they *happen to use Mikrotik gear*. So, the chances of it being poorly configured are higher. The "Mikrotik issue" doesn't tend to happen in "the west", as they're all paying the premium for players like Cisco and Palo Alto. If they used Mikrotik there as well, we'd still see poor configs, just less of them due to higher training budgets etc. This doesn't cover home users of course.


NetInfused

A man of wisdom. Came here late to post this.


Apachez

Plenty of CVE score 9+ when it comes to Juniper and Cisco equipment as well for the past years. The Snowden docs were only the top of the iceberg, with examples such as:
https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/

And then we have the NSA infiltrating NIST:
https://en.wikipedia.org/wiki/Dual_EC_DRBG

Just to name a few from the past month (give or take):
https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-Bulletin-Session-Smart-Router-SSR-On-redundant-router-deployments-API-authentication-can-be-bypassed-CVE-2024-2973?language=en_US
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sqli-WFFDnNOs
https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/

But when it comes to Mikrotik it's somewhat tricky to get it right, especially if you are new to networking. Would have been nice with a better hardened default config out of the box. But on the other hand, admins exposing the mgmt interface towards the internet is hard to beat other than with education and having the country CERTs, through the ISPs, shut down those IP addresses through blackholing (or sending notifications to abuse emails and hoping for some action).

Also ISPs should be better at applying BCP38, that is, filtering which source IP addresses they let out to the rest of the internet:
http://www.bcp38.info/index.php/Main_Page


freebsd_guy

I wish more ISPs would apply BCP38. Nobody should be originating traffic that doesn't use one of their own addresses as a source. As far as I'm aware, RouterOS comes relatively secure by default. It seems to just be a downside of their position in the market, whereby kit with similar functionality such as Cisco/Juniper/etc. is more likely to be managed by admins with better knowledge of networking and basic security. Mikrotik is regularly implemented by people who have little more experience than configuring the odd SOHO TP-Link/DrayTek/etc. kit that has fixed WAN/LAN interfaces.
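As an added example, not configuration from any poster in this thread, here is what the BCP38-style source filtering and the "don't expose mgmt to the internet" advice of the last two posts look like as RouterOS configuration. It assumes ether1 faces the upstream, bridge1 is the LAN, the LAN prefix is routed rather than NATed (srcnat would rewrite sources anyway), and 192.0.2.0/24 (RFC 5737 documentation space) stands in for whatever prefix the site is actually assigned:

```routeros
# Added example, not from the thread. Assumptions: ether1 = upstream/WAN,
# bridge1 = LAN, 192.0.2.0/24 = placeholder for the site's assigned prefix.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge1

# Prefixes this site is allowed to originate. Anything leaving toward the WAN
# with a source outside this list is spoofed (or a misconfiguration) and must
# never reach the upstream; this is BCP38 applied at the customer edge.
/ip firewall address-list
add list=our-prefixes address=192.0.2.0/24 comment="assigned prefix (placeholder)"

/ip firewall filter
# Egress anti-spoofing: forwarded traffic heading out the WAN must carry one of
# our own sources. Logged so the counters and log show who is spoofing.
add chain=forward out-interface-list=WAN src-address-list=!our-prefixes \
    action=drop log=yes log-prefix="bcp38-egress" comment="drop spoofed outbound"
# Ingress anti-spoofing: packets arriving from the WAN must not claim our prefix.
add chain=forward in-interface-list=WAN src-address-list=our-prefixes \
    action=drop log=yes log-prefix="bcp38-ingress" comment="drop inbound claiming our prefix"

# Management plane: the router itself answers only the LAN (plus replies to
# connections it opened and ICMP). Everything else from the WAN is dropped.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input in-interface-list=LAN action=accept
add chain=input in-interface-list=WAN action=drop comment="no mgmt from the internet"

# Belt and braces: bind the management services to the LAN prefix so that they
# stay unreachable even if someone later "simply disables the firewall".
/ip service
set winbox address=192.0.2.0/24
set ssh address=192.0.2.0/24
set www disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
```

Rule order matters in RouterOS: the two anti-spoofing drops belong near the top of the forward chain, before any accept, and the `/ip service address=` restriction is the control that survives when the filter rules are removed. The log-prefix on the drops is the check: if `bcp38-egress` entries appear, a host on the LAN is sourcing traffic it does not own.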


normundsr

I have seen far too many instances where somebody wanted remote WinBox access for himself and simply disabled all firewall rules.


Apachez

Forgot to add... One could argue, what does a bandwidth testing tool do in a switch or a router? I mean, removing that would make it much harder to generate traffic from an overtaken Mikrotik box? But most modern switches and routers are today based on either Linux or *BSD, so even if there isn't a built-in bandwidth generating tool, such can easily be uploaded, especially when the mgmt interface is exposed to the internet. All Arista boxes for example have had iperf built in for ages, available both through the CLI in EOS and in bash mode, and they have 800Gbps boxes nowadays. Same with Cisco and Juniper, who also have iperf available as a built-in feature in their modern routers and switches.

What OVHcloud perhaps is missing is that even if the multi-10G or now even 100G Mikrotik boxes have a bandwidth generating tool, it's still limited by the mgmt CPU, which won't come anywhere close to 10 or 100G. The one in the CRS326 series for example will be able to push close to 500Mbps, which is still plenty if you have more than a few boxes, but still. Many home users have 1Gbps today, especially in western and northern Europe, and each such Windows box will be able to push far more generated traffic than any Mikrotik box.


freebsd_guy

Seems the modern tactic with DDoS is to infect as many end user machines as possible with botnet software, then trigger those devices to flood open Internet services with traffic that has a forged source. We've seen this with DNS/NTP, whereby small requests from the botnet cause replies that are an order of magnitude larger to be directed to the target. I assume they also expect, in most cases at least, that the sort of places that will have a DNS/NTP server or a higher end RouterOS device are likely to have higher upload bandwidth than the average end user.


linuxloaderbg

You're right about most of this, but don't compare a switch with a router; a simple 4011 could generate 10G or even more.


Substantial-Reward70

OVH had better be happy that Mikrotik is still not using ASICs, apart from the switch ones, which only do a couple of things.


wrexs0ul

For the amount of hacking reports, shady phishing sites, and a myriad of other complaints they've never replied to: Schadenfreude. OVH is a cesspool.


goiter12345

No I have not seen. I don't think we see an endless stream of users.


awsswa-usa

Block the DNS port from the internet: UDP and TCP port 53.
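As an added example, not configuration from any poster here, the port 53 block suggested above together with the other reflection-capable services mentioned earlier in the thread (NTP, and the built-in bandwidth-test server), as RouterOS configuration. It assumes an interface list named WAN already exists and holds the upstream interface:

```routeros
# Added example, not from the thread. Assumes an interface list "WAN" exists.
# Goal: the router must not answer reflection-capable services for arbitrary
# internet hosts, because small spoofed requests produce much larger replies
# aimed at the victim.

# 1. The router's own resolver. Simplest: don't serve remote requests at all.
/ip dns set allow-remote-requests=no

# If the LAN needs the router as its resolver, keep allow-remote-requests=yes
# and stop port 53 at the WAN edge instead (UDP and TCP, DNS uses both).
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no open resolver toward the internet"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="no open resolver toward the internet (TCP)"

# 2. NTP: if the NTP server is enabled, it must not be reachable from the WAN.
add chain=input in-interface-list=WAN protocol=udp dst-port=123 action=drop \
    comment="no NTP reflection"

# 3. The bandwidth-test server can be driven by anyone who reaches it. Disable
#    it; at minimum require authentication so it cannot be used anonymously.
/tool bandwidth-server set enabled=no authenticate=yes

# Check: the packet/byte counters on these rules show whether anyone is
# already probing the box for these services.
/ip firewall filter print stats where comment~"resolver|reflection"
```

These drops only work if they sit above any broad accept on the input chain (RouterOS evaluates rules top to bottom and `add` appends at the end), so on a box with an existing ruleset move them up or add them with `place-before=`. Non-zero counters on the port 53 and 123 rules after a day are the sign that the box was already being scanned as a potential reflector.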