Today one of my Mikrotik routers started showing some really strange traffic. The CPU load went from around 15-20% normal to 50-100% at times.
The major traffic is showing up on Ethernet 1 as receive traffic, so I ran torch on eth1 (WAN port) and I'm seeing a steady 2meg stream from 72.54.148.226, protocol UDP, source port 37162, destination port 80, to the interface IP on my Mikrotik. The traffic stops there because it is not registering on eth2 (LAN).
I tried a firewall rule to block all traffic from that IP, but I'm still seeing all that traffic hitting the outside.
Here is the rule I made.
add action=drop chain=input comment="udp 37162 block" disabled=no \
src-address=72.54.148.226
I tried just using the forward chain, but I didn't see any statistics counting up when I did.
I've already tracked down the owner of that block of IPs and e-mailed their abuse.
I also disabled the www service for web access to the router, just in case... didn't seem to help.
Anyone have any suggestions?