MikroTik Port Scan Attack and Prevention

Attackers use port scan attack to determine which ports on your router or on the network are open and available. By running a port scan attack on a router or on a network, the attacker will know which ports are open and are listening to information. Also, he can know what version the application is using. All this would help the attacker to use port scan as a “gate” for starting an attack and penetrating our network.

We have already seen port scan before in this book when we were using NMAP to discover which ports are open on the MikroTik router. This is exactly what port scan is.

Let’s directly do a LAB to see how port scan attack runs and how we can protect against it.

LAB: Port Scan Attack and Prevention

I am still having the same scenario. The attacker is on the internet and he is willing to do a port scan to our router which has a public IP.

With the help of NMAP on Kali Linux, a port scan can happen as the following:

You can see, the port scan attack is working on my MikroTik router.

Now we need to disallow the port scan to happen. To do that, we have to think of the logic – where does port scan happen normally?

Well, it can happen to the MikroTik router itself, or it can happen to the devices inside my network, meaning that the port scan attack hits the router trying to guess its ports that they are open, or will pass via the router to go to the inside devices to guess the open ports on those devices.

Meaning that I must disable port scan as the following:

  • To the router (hint: chain input).
  • Via the router (hint: chain forward).

Let’s start with the 1st rule. In this rule, I will have to detect if there is a port scan attack happening to the router, and if yes then the IP of the source issuing this attack will go to an address list. The rule which will come directly after it, will be to just drop any IP which is the address list from the 1st rule.

Let me show you that:

[mepr-show rules=”319″ unauth=”message”]

This rule says the following: any TCP traffic coming to the router itself on port Ether1 and it is doing port scan, then add the source IP address in an address list called “Port-Scan” and let it stay for 1 day.

Now you may ask a question, how the router will know that this is port scan.

Well, this is what you see in the “Extra” tab under PSD.

PSD means Port Scan Detection. The MikroTik router will have to make some calculation to guess if this is a port scan or not and the calculation will be based on:

  • Weight Threshold
  • Delay Threshold
  • Low Port Weight
  • High Port Weight

Let me explain how the process will happen. You know that there are in total 65535 ports available. In case the router detects a port scan, and he sees if the port scans are from port 1 to 1023 (also known as well-known ports). If yes, it will add 3 points (Low Port Weight) for each port detected being scanned. If the scan is from port 1025 and above, then it will add 1 point for each port detected being scanned (High Port Weight). If within 3 seconds (Delay Threshold) the sum of the total points is 21 or above (Weight Threshold) then the MikroTik router knows that there is a port scan attack happening.

Let me try to do a port scan now and see if the Kali Linux IP will go to the address list called Port-Scan.

Indeed, the rule has detected a port scan attack and has put the IP of Kali Linux in the Port-Scan address list. However, if we keep it like this, nothing will happen and the attacker will be always able to do the port scan attacks. That’s why we need to make a 2nd rule saying that any IP inside the Port-Scan address list to be dropped. Let’s do it:

Excellent. Now I have the 2 rules ready to protect my router from incoming port scan to the router itself. Let’s issue the port scan attack again from Kali Linux and see what the result would be:

Look at that, the attacker couldn’t scan for the open ports on the MikroTik router, and he got no-response ????

Also, when I look to the rules, I see the dropping rule has increased its bytes and packets, meaning that it was dropping the port scan to the router:

Excellent! This will solve the problem of port scan coming to the router itself. Now we have to do 2 rules for the port scan passing via the router to other devices. The rules are going to be exactly the same as the ones that we have created them, but we should use “forward” chain instead of “input” chain.

This rule makes that any port scan traffic passing via the router to go to the same address-list called Port-Scan.

Now I need to apply a rule to drop the IPs in the Port-Scan address list on the “Forward” chain:

Very good! Now I have the 4 rules ready to detect and drop any port scan coming to the router or passing via the router to other devices.

To finish the LAB, I only need to share with you the script for the port scan rules:


/ip firewall filter

add action=add-src-to-address-list address-list=Port-Scan address-list-timeout=1d chain=input comment=\

    “Port scan on the Input chain added for 1 day in the address list Port-Scan” in-interface=ether1 protocol=tcp psd=21,3s,3,1

add action=drop chain=input comment=”Drop Port Scan address list for Input Chain” src-address-list=Port-Scan

add action=add-src-to-address-list address-list=Port-Scan address-list-timeout=1d chain=forward comment=\

    “Port scan on the Foward chain added for 1 day in the address list Port-Scan” in-interface=ether1 protocol=tcp psd=21,3s,3,1

add action=drop chain=forward comment=”Drop Port Scan address list for Forward Chain” src-address-list=Port-Scan


This is all what I wanted to explain this section, I hope you enjoyed it and see you in the upcoming one ????



Submit a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.

Please Login to Reply or add a comment!