I’ve been running a RouterBOARD on RouterOS v7.15.3 for just about a year with no issues. Recently, my ISP contacted me regarding possible malicious activity coming from my router: they told me that my routerboard was possibly the target of a DNS amplification attack and was sending high volumes of traffic upstream to them. My firewall setup was fairly standard, 99% adapted from the beginner walkthrough, and I could see dropped traffic on the firewall counters (chain=input action=drop). Also, allow-external-dns was set to false.
My network is set up with several devices connected to the routerboard. Router controls DHCP server, and points clients to my raspberry pi running pi hole and unbound.
Anyway, after discussing it with my ISP I re-flashed RouterOS with Netinstall and reset the router to defaults, and allegedly my network still “sends high volumes of DNS traffic” upstream. While torching my ether1 port (upstream), I see high volumes of traffic coming IN from random sources to port 53, but NOTHING going from my router upstream (at least as far as I can tell). This is what puzzles me the most. Logging suggests that all these aberrant requests are indeed being dropped by my firewall rules. Does this suggest that my ISP has perhaps misread the traffic on their side? I believe that I’m doing everything right on my end, and I can’t really seem to diagnose this any further. My current rules are below:
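# RouterOS v7 IPv4 firewall export as posted. Only /ip firewall is shown here;
# if the WAN link also carries IPv6, the /ipv6 firewall is not part of this
# export and has to be checked separately.
/ip firewall address-list
# no_forward_ipv4, DNS-Clients and DNS-Servers are not referenced by any rule
# in this export. ddos-attackers / ddos-targets are only read by the raw rule
# at the bottom and are filled by the detect-ddos chain, which nothing jumps to
# in this export.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment=defconf:multicast list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add list=ddos-attackers
add list=ddos-targets
add address=192.168.88.0/24 list=DNS-Clients
add address=192.168.88.3 list=DNS-Servers
/ip firewall filter
# detect-ddos: no jump to this chain exists in this export, so it is never
# evaluated. When it is, the first return exits while a src/dst pair stays
# within the dst-limit; above the limit both add-*-to-address-list actions
# run (they do not terminate matching), after which the raw rule below drops
# that pair for the 10m list timeout.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
# Placed after the add-to-list rules, so this return is reached only after the
# lists have already been updated for the packet.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
add action=fasttrack-connection chain=forward comment=\
"Enable fasttrak for all zones" connection-state=established,related \
hw-offload=yes
# PUBLIC (WAN) -> router: only IKE/NAT-T, L2TP inside IPsec, ESP and GRE are
# accepted; SSH is present but disabled. Everything else returns to the input
# chain and falls through to the default input policy further down.
add action=jump chain=input comment="PUBLIC (WAN) ---> ROUTER" \
in-interface-list=WAN jump-target=WAN-TO-ROUTER
add action=accept chain=WAN-TO-ROUTER comment=L2TP/IPSec dst-port=500,4500 \
protocol=udp
add action=accept chain=WAN-TO-ROUTER dst-port=1701 ipsec-policy=in,ipsec \
protocol=udp
add action=accept chain=WAN-TO-ROUTER protocol=ipsec-esp
add action=accept chain=WAN-TO-ROUTER protocol=gre
add action=accept chain=WAN-TO-ROUTER comment=SSH disabled=yes dst-port=22 \
protocol=tcp
add action=return chain=WAN-TO-ROUTER
add action=jump chain=output comment="PUBLIC <--- ROUTER" jump-target=\
ROUTER-TO-PUBLIC out-interface-list=WAN
add action=return chain=ROUTER-TO-PUBLIC
# LAN <-> router: accepted unconditionally in both directions.
add action=jump chain=input comment="LAN ---> ROUTER" in-interface-list=LAN \
jump-target=LAN-TO-ROUTER
add action=accept chain=LAN-TO-ROUTER
add action=jump chain=output comment="LAN <--- ROUTER" jump-target=\
ROUTER-TO-LAN out-interface-list=LAN
add action=accept chain=ROUTER-TO-LAN
# PUBLIC -> LAN: only established/related/untracked and dst-nat'ed new
# connections get through; there is no dst-nat rule in this export, so
# unsolicited inbound traffic (including UDP/53) never reaches LAN hosts.
add action=jump chain=forward comment="PUBLIC ---> LAN" in-interface-list=WAN \
jump-target=WAN-TO-LAN out-interface-list=LAN
add action=accept chain=WAN-TO-LAN connection-state=\
established,related,untracked
add action=drop chain=WAN-TO-LAN connection-state=invalid
add action=drop chain=WAN-TO-LAN connection-nat-state=!dstnat \
connection-state=new
add action=accept chain=WAN-TO-LAN
# LAN -> PUBLIC: everything from the LAN is allowed out.
add action=jump chain=forward comment="PUBLIC <--- LAN" in-interface-list=LAN \
jump-target=LAN-TO-PUBLIC out-interface-list=WAN
add action=accept chain=LAN-TO-PUBLIC
# Guest zone: ICMP to the router is dropped; all other guest/WAN/router
# combinations return to the base chain and are decided by the default
# policies below. LAN <-> guest is dropped in both directions.
add action=jump chain=input comment="GUEST ---> ROUTER" in-interface-list=\
guest jump-target=GUEST-TO-ROUTER
add action=drop chain=GUEST-TO-ROUTER protocol=icmp
add action=return chain=GUEST-TO-ROUTER
add action=jump chain=output comment="GUEST <--- ROUTER" jump-target=\
ROUTER-TO-GUEST out-interface-list=guest
add action=return chain=ROUTER-TO-GUEST
add action=jump chain=forward comment="PUBLIC ---> GUEST" in-interface-list=\
WAN jump-target=WAN-TO-GUEST out-interface-list=guest
add action=return chain=WAN-TO-GUEST
add action=jump chain=forward comment="PUBLIC <--- GUEST" in-interface-list=\
guest jump-target=GUEST-TO-PUBLIC out-interface-list=WAN
add action=return chain=GUEST-TO-PUBLIC
add action=jump chain=forward comment="LAN ---> GUEST" in-interface-list=LAN \
jump-target=LAN-TO-GUEST out-interface-list=guest
add action=drop chain=LAN-TO-GUEST
add action=jump chain=forward comment="LAN <--- GUEST" in-interface-list=\
guest jump-target=GUEST-TO-LAN out-interface-list=LAN
add action=drop chain=GUEST-TO-LAN
# Default input policy: established/related/untracked accepted, invalid
# dropped, ICMP accepted, everything else dropped. Unsolicited UDP/53 from the
# WAN to the router itself ends on the final drop, which is consistent with the
# RX-only rows in the torch output.
add action=accept chain=input comment="[Default policy] INPUT" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# Fix: the original rule had log-prefix but no log=yes, and log-prefix alone
# does not enable logging, so the drops were counted but not written to the
# log. During a flood this rule can generate a lot of log lines.
add action=drop chain=input log=yes log-prefix="[DROPPED-IN]"
# Default forward policy: same shape as input, plus IPsec policy matches;
# new non-dst-nat'ed connections from the WAN are dropped, the rest accepted.
add action=accept chain=forward comment="[Default policy] FORWARD" \
connection-state=established,related,untracked
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface-list=WAN
add action=reject chain=forward comment="Forbid connections between networks" \
disabled=yes reject-with=icmp-net-prohibited
add action=accept chain=forward
add action=accept chain=output comment="[Default policy] OUTPUT"
/ip firewall nat
# Outbound source NAT only; no dst-nat, so nothing inside is exposed.
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
# Only effective once detect-ddos populates both lists (see above).
add action=drop chain=prerouting dst-address-list=ddos-targets \
src-address-list=ddos-attackers
# Fix: the original used port=53, which matches source OR destination port.
# Enabled as written it would also drop replies from upstream resolvers
# (source port 53) to the router and to LAN hosts. dst-port=53 limits it to
# unsolicited inbound queries. Left disabled, as in the original.
add action=drop chain=prerouting disabled=yes dst-port=53 in-interface-list=WAN \
protocol=udp
/ip firewall service-port
set ftp disabled=yes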
And here’s what a typical torch output on ether1 looks like, filtered on port 53:
MAC-PROTOCOL SRC-ADDRESS SRC-PORT DST-PORT TX RX TX-PACKETS RX-PACKETS
ip 17.253.201.8 53 (dns) 22894 728bps 984bps 1 1
ip 17.253.201.8 53 (dns) 45741 728bps 1208bps 1 1
ip 17.253.206.8 53 (dns) 40601 728bps 984bps 1 1
ip 43.136.47.117 80 (http) 53 (dns) 0bps 1752bps 0 3
ip 45.76.228.95 34370 53 (dns) 0bps 3.5kbps 0 6
ip 73.0.21.153 27017 53 (dns) 0bps 26.7kbps 0 45
ip 75.141.130.253 53 (dns) 53 (dns) 0bps 2.3kbps 0 4
ip 84.53.139.129 53 (dns) 29049 872bps 1152bps 1 1
ip 84.53.139.129 53 (dns) 30386 816bps 1048bps 1 1
ip 84.53.139.129 53 (dns) 51682 0bps 0bps 0 0
ip 96.7.49.129 53 (dns) 18249 816bps 1048bps 1 1
ip 96.7.49.129 53 (dns) 8927 0bps 0bps 0 0
ip 111.59.56.6 28001 53 (dns) 0bps 2.0kbps 0 3
ip 119.147.192.5 8524 53 (dns) 0bps 0bps 0 0
ip 119.147.192.5 14528 53 (dns) 0bps 680bps 0 1
ip 119.147.192.9 31521 53 (dns) 0bps 0bps 0 0
ip 119.147.192.9 64063 53 (dns) 0bps 680bps 0 1
ip 119.147.192.9 26292 53 (dns) 0bps 0bps 0 0
ip 119.147.192.9 23738 53 (dns) 0bps 0bps 0 0
ip 119.147.192.9 9408 53 (dns) 0bps 680bps 0 1
ip 119.147.192.9 15052 53 (dns) 0bps 680bps 0 1
ip 119.147.192.24 61997 53 (dns) 0bps 0bps 0 0
ip 119.147.192.24 33845 53 (dns) 0bps 0bps 0 0
ip 119.147.192.24 25214 53 (dns) 0bps 680bps 0 1
ip 119.147.192.47 19236 53 (dns) 0bps 0bps 0 0
ip 119.147.192.47 36174 53 (dns) 0bps 680bps 0 1
ip 119.147.192.47 22105 53 (dns) 0bps 680bps 0 1
ip 119.147.192.47 45239 53 (dns) 0bps 680bps 0 1
ip 119.147.192.47 63437 53 (dns) 0bps 0bps 0 0
ip 119.147.192.47 63462 53 (dns) 0bps 0bps 0 0
ip 119.147.192.72 49713 53 (dns) 0bps 2.0kbps 0 3
ip 119.147.192.72 6484 53 (dns) 0bps 0bps 0 0
ip 119.147.192.77 27145 53 (dns) 0bps 2.0kbps 0 3
ip 119.147.192.77 4805 53 (dns) 0bps 0bps 0 0
ip 119.147.192.78 13926 53 (dns) 0bps 0bps 0 0
ip 119.147.192.78 52443 53 (dns) 0bps 2.0kbps 0 3
ip 119.147.192.120 16641 53 (dns) 0bps 0bps 0 0
ip 119.147.192.120 11604 53 (dns) 0bps 680bps 0 1
ip 119.147.192.120 30660 53 (dns) 0bps 0bps 0 0
ip 119.147.192.121 19844 53 (dns) 0bps 0bps 0 0
ip 119.147.192.125 58470 53 (dns) 0bps 0bps 0 0
ip 119.147.192.125 28042 53 (dns) 0bps 0bps 0 0
ip 119.147.192.125 46250 53 (dns) 0bps 680bps 0 1
ip 119.147.192.125 4781 53 (dns) 0bps 680bps 0 1
ip 119.147.192.125 26037 53 (dns) 0bps 680bps 0 1
ip 119.147.192.125 36308 53 (dns) 0bps 0bps 0 0
ip 119.147.192.125 34803 53 (dns) 0bps 0bps 0 0
ip 119.147.192.152 36139 53 (dns) 0bps 2.0kbps 0 3
ip 119.147.192.152 63023 53 (dns) 0bps 0bps 0 0
ip 119.147.192.152 25200 53 (dns) 0bps 0bps 0 0
ip 119.147.192.155 16478 53 (dns) 0bps 680bps 0 1
ip 121.201.41.148 28001 53 (dns) 0bps 2.0kbps 0 3
ip 149.28.118.185 35680 53 (dns) 0bps 3.5kbps 0 6
ip 173.2.241.87 58443 53 (dns) 0bps 7.5kbps 0 12
If anyone has any insight, I’d greatly appreciate it. My ISP refuses to re-enable my internet service until this is resolved, so I’m trying to avoid having to go out and buy a different router.