Hi, I have hAP ax^3 with ROS 7.16.1. ISP is just an ethernet cable connected to ether1, identification by MAC address. I alo have static external IP.
High and contant level of outbond traffic has been observed, but I have no clue where it came from.
On bridge level you can just see regula home level of traffic.
Any clue where it may came from or how to find root cause?
Just in case, there are my settings with hided sensitive info in attachment.
mkt settings1.txt (12.6 KB)
It’s a little early here and I haven’t had any coffee, but I dont see any “input” chain in your ip firewall filter. I assume this means access to your router addresses is open to the Internet, although Ive never actually run a config like that. This needs to be addressed immediately.
Thanks! I deactivated access via API, API-SSL and SSH to aviad furthr bruteforcing. However, the outbound traffic is still there:
Please restore the input rules of the defconf firewall. It’s not enough to just disable those services that you listed. For instance, your router accepts remote DNS requests and DNS amplification attack (https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/) is a thing!
Here are the defconf’s IPv4 filter rules for the input chain:
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
Thanks! I may assume that this filtering may affect my remote access to the router. I cannot afford to loose it as I have only remote access.
I mean this may be an issue for me:
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
To access the router remotely, you should configure a VPN, like WireGuard (you can also use the built-in Back-To-Home feature https://help.mikrotik.com/docs/spaces/ROS/pages/197984280/Back+To+Home which does the WG setup for you). From the outside you establish the VPN tunnel (for instance, install and configure the WireGuard app on your phone or PC), then access the router using its local IP address(es).
You should not leave the WinBox port open to the internet!
I see.. what about web access to the router? I changed it to another port. Will I keep it in case of the following?
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
The rule
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
is the important one that protects your router against abuses from the Internet. Do not remove it! Of the five rules that I posted above, only the CAPsMAN rule is optional (in case you don’t use CAPsMAN). The other 4 are all important.
About web access to the router: Same with WinBox, establish the VPN connection to your router and use WebFig through it. If you use BTH (or configure WireGuard and add the WireGuard interface to the LAN interface list) then all remote WG devices have access to your router as though they were located in your LAN.
Since internet access to your router seems to have been open for a while it may have been brute force hacked. The only way to be sure it’s safe is to do a netinstall, but you probably need to be local.
You should at least verify that local users haven’t changed. Check the output of
/user export show-sensitive verbose
matches what you would expect. Make sure you still have full access to the router with your admin user, and there are no new users with full access. Make sure your user has a complex password. This is the very minimum that needs to be done.
I highly recommend you set up some kind of VPN access to use for management and do not allow any management functions over the WAN interface.
Edit:
Also verify the output of
/user/ssh-keys/ print
to verify there are not any ssh keys installed that aren’t yours!
Note: Do NOT POST the outputs of these commands to the forum! They are just for you to review.
That you see traffic on the WAN that you don’t see on the bridge means that the outbound traffic is generated by your router. It is likely that you router is being used to attack others on the Internet using DNS amplification, as referenced by others. The easy way to both see if this is happening is to insert these rules. (If the unexplained outbound traffic stops, there’s your answer.) This will not disable any sort of remote access.
/ip/firewall/filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop
Let us know if this stops the undesired traffic flow!
Others are right that:
The default firewall (as others have suggested) is adequate. It automatically allows dst-nat (port forwarding) traffic. If you want to allow other outside traffic, you will have to add an “accept” rule for them. (This has to be placed *before> the deny rules.)
Also as others have suggested, the best (correctest 
) solution is to use some kind of VPN wherever possible. Most of the protocols you expose though accept rules or port forwarding may have some sort of authentication/encryption built in, but how effective these are varies quite a bit. VPNs are designed for this use case from the start.
Be aware that there are/were instances where Mikrotik devices have been compromised permanently. If you had a strong password set and updated the software this is less likely. Were I in your place I would do a netinstall on the device to completely reformat/clear/reset the device.
@eomcsqwipik: Once you’ve cleaned up your firewall, or preferably reset the entire router to factory default settings, and still see abnormally high outbound traffic, my guess is that you might have a compromised PC on your LAN that’s part of a botnet.
P.S.
Never, ever open any ports from the router to the internet. Use a VPN like WireGuard or ZeroTier instead.
There is no any wire connection to the router apart from wire from ISP. This what I am 100% sure.
Thanks for the adivse! I add these rules and at a glance there is no anymore high constant outbond traffic!
What I also did recently:
I also have NAS over WIFI (don’t ask me why it is like this 
), and I wish to keep connection to it. So far uses SSH connection via unusual port.
Using non-standard ports is not protection … a lot of port scanning is going on and somebody will discover the service behind non-standard port sooner or later. It’s just the matter of time. So a kind of VPN (e.g. wireguard) is the way to go. If you have to leave “raw” service available, at least implement port-knocking … it’s not very probable for port scanner to blindly hit the right sequence to open up service port (but not impossible).
I would still recommend you to netinstall router … and configure it from scratch. You can use configuration export (text format) to remind yourself about peculiarities … but I’d definitely stick to the default firewall rules and only adjust (add) a few things you absolutely need. After ROS device is wide open to internet for a while, it is likely to be compromised … and sometimes that’s not obvious.
Just writing to emphasize the points made by @mkx. While non-standard ports, port knocking, etc. are useful in cutting down on the number of log entries or in mitigating CPU usage from failed authentication attempts in case a bot/botnet really takes a liking to you, actual security is provided by services intended for this purpose and use properly implemented cryptography.
And I too would netinstall the device the next time I allocate some time to mess around with configuring it, just for peace of mind.