CPU load at 100%

Hello.

Today I found that the CPU load on my Routerboard 2011UAS-2HnD-IN is at 100%.

[admin@MikroTik] /ip dns> print         
servers: 
        dynamic-servers: 212.75.210.62,212.75.211.2
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 143KiB



[admin@MikroTik] > /tool profile
NAME                    CPU        USAGE
firewall-mgmt           all         0.5%
wireless                all         0.5%
ethernet                all         4.5%
console                 all         0.5%
dns                     all          82%
traffic-flow            all           0%
firewall                all           1%
networking              all         0.5%
winbox                  all           1%
logging                 all           0%
management              all         8.5%
bridging                all           0%
unclassified            all           1%

How do I solve my problem?

Best regards, Dmitriy

Secure the DNS server on your router.

Configure your firewall input chain correctly.

tomaskir
Maybe you can help me with this?
Google tells me this rule:

chain=input action=drop protocol=udp dst-port=53

but after this rule the Internet is down :frowning:

Do something like this:

/ip firewall filter
add chain=input comment="Input chain" connection-state=established
add chain=input connection-state=related
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp
add chain=input dst-port=8291 protocol=tcp
add chain=input in-interface="LAN Interface Name"
add action=log chain=input disabled=yes log-prefix=Drop
add action=drop chain=input

Replace the LAN interface name according to your needs.

Don’t use such a rule; you are blocking all traffic to port 53 and thus blocking DNS. Just limit queries to your local LAN address range:

chain=input action=drop protocol=udp dst-port=53 src-address=!10.10.10.0/24

Replace “10.10.10.0/24” with your local LAN range

I modified the last rule

chain=input action=drop protocol=udp in-interface=ether1-gateway dst-port=53

and that helped bring the CPU down to 10-20% :slight_smile:
But now I see this: http://d.pr/i/2FQu Is it not dangerous for my RB? What does this statistic mean: http://d.pr/i/XEQZ ?

You got attacked with a DNS amplification attack, because your router was not properly firewalled.

The counter on that rule is so high, because the attack is still in progress, but the firewall is blocking it.

LAN interface = WAN? If yes, after these rules my internet is down :frowning:

LAN interface is your Local Area Network interface.
The interface where your clients connect on, NOT the internet interface.

That firewall blocks all communication from everywhere except the LAN interface specified; connections are allowed there.

Post “/interface export compact” and I will modify it according to your needs.



[admin@MikroTik] > /interface export compact 
# aug/01/2013 20:19:18 by RouterOS 6.1
# software id = 2WQI-40PS
#
/interface bridge
add admin-mac=%secret mac% auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=russia disabled=no distance=indoors \
    ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
set 10 name=sfp1-gateway speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] authentication-types=gpe mode=dynamic-keys wpa-pre-shared-key=%secret key%\
    gper-shared-key=%secret key%
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1

I use ether1-ether5, where:
ether1 -Internet cable from my ISP
ether2-ether5 - Local
ether6-ether10 - empty

Proper firewall:

/ip firewall filter
add chain=input comment="Input chain" connection-state=established
add chain=input connection-state=related
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp
add chain=input dst-port=8291 protocol=tcp
add chain=input in-interface=bridge-local
add action=log chain=input disabled=yes log-prefix=Drop
add action=drop chain=input
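To see why the blanket `dst-port=53` drop took the Internet down while the source-limited, interface-limited and full input-chain variants in this thread do not, here is an added example (my own code, not from the thread or from MikroTik) that replays all four rule sets against constructed packets. It models RouterOS first-match evaluation and the input chain's default-accept policy; connection state is a label on the packet rather than a real conntrack table, and the interface names and 10.10.10.0/24 LAN range are assumptions matching the thread.

```python
"""Toy model of the RouterOS /ip firewall filter input chain (added example).

First matching rule wins; if nothing matches, the input chain's default of
accept applies. Interface names and the LAN range are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("10.10.10.0/24")   # assumed LAN range
WAN_IFACE = "ether1-gateway"            # from the thread's export
LAN_IFACE = "bridge-local"              # from the thread's export


@dataclass
class Packet:
    in_iface: str
    src: str
    proto: str                      # "udp", "tcp" or "icmp"
    dst_port: Optional[int] = None
    conn_state: str = "new"         # new | established | related | invalid


@dataclass
class Rule:
    action: str = "accept"          # "accept", "drop" or "log"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    conn_state: Optional[str] = None
    src_not_in: Optional[object] = None   # models src-address=!NET
    disabled: bool = False

    def matches(self, p: Packet) -> bool:
        if self.disabled:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.conn_state is not None and p.conn_state != self.conn_state:
            return False
        if self.src_not_in is not None and ip_address(p.src) in self.src_not_in:
            return False
        return True


def evaluate(chain, p: Packet) -> str:
    """Return 'accept' or 'drop' for packet p under the given rule list."""
    for rule in chain:
        if rule.matches(p):
            if rule.action == "log":        # log is passthrough: keep going
                continue
            return rule.action
    return "accept"   # input chain has no implicit deny


# Variant 1: the rule Dmitriy found via Google (blanket drop on udp/53).
BLANKET = [Rule("drop", proto="udp", dst_port=53)]
# Variant 2: tomaskir's correction, drop only from non-LAN sources.
SRC_LIMITED = [Rule("drop", proto="udp", dst_port=53, src_not_in=LAN_NET)]
# Variant 3: Dmitriy's version, drop only on the WAN interface.
IFACE_LIMITED = [Rule("drop", proto="udp", dst_port=53, in_iface=WAN_IFACE)]
# Variant 4: tomaskir's full input chain with an explicit drop at the end.
PROPER = [
    Rule("accept", conn_state="established"),
    Rule("accept", conn_state="related"),
    Rule("drop", conn_state="invalid"),
    Rule("accept", proto="icmp"),
    Rule("accept", proto="tcp", dst_port=8291),
    Rule("accept", in_iface=LAN_IFACE),
    Rule("log", disabled=True),
    Rule("drop"),
]

# Constructed packets (documentation addresses for the outside hosts).
AMPLIFICATION = Packet(WAN_IFACE, "198.51.100.7", "udp", 53)
LAN_DNS_QUERY = Packet(LAN_IFACE, "10.10.10.20", "udp", 53)
UPSTREAM_REPLY = Packet(WAN_IFACE, "212.75.210.62", "udp", 51000, "established")
WAN_SSH = Packet(WAN_IFACE, "198.51.100.9", "tcp", 22)
WAN_WINBOX = Packet(WAN_IFACE, "198.51.100.9", "tcp", 8291)


def verdicts(chain):
    return {
        "amplification": evaluate(chain, AMPLIFICATION),
        "lan_dns": evaluate(chain, LAN_DNS_QUERY),
        "upstream_reply": evaluate(chain, UPSTREAM_REPLY),
        "wan_ssh": evaluate(chain, WAN_SSH),
        "wan_winbox": evaluate(chain, WAN_WINBOX),
    }


if __name__ == "__main__":
    for name, chain in [("blanket", BLANKET), ("src-limited", SRC_LIMITED),
                        ("iface-limited", IFACE_LIMITED), ("proper", PROPER)]:
        print(f"{name:14s} {verdicts(chain)}")
```

Running it shows the symptom from the thread: the blanket rule drops the LAN client's query to the router's resolver (the clients use the router as DNS, so "Internet down"), while the source-limited and interface-limited variants drop only the flood from the WAN. Only the full chain also drops other unsolicited WAN traffic (SSH in the constructed set), since the single-rule variants leave the default-accept policy in place. One caveat visible in the posted chain: the `dst-port=8291 protocol=tcp` rule accepts Winbox from any interface, including ether1-gateway; adding `in-interface=bridge-local` or a `src-address` restriction to that rule closes it to the WAN.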

tomaskir
Thanks a lot.
Can you tell me what this rule means

add action=log chain=input disabled=yes log-prefix=Drop

As I understand it, that rule logs something, or is it something else?

It's a rule that logs all the dropped traffic into the log. It's disabled; I enable it if I need to test things.

You can read more about all of this on http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
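When that log rule is enabled during an attack, the log fills quickly; the useful question is what is being dropped and where it comes from. The following is an added example (my own code, not from the thread) that parses `Drop`-prefixed lines and summarizes them by protocol/port and by source. The sample lines are constructed to resemble RouterOS firewall log output (time, topics, log-prefix, `in:` interface, `proto`, `src:port->dst:port`); the exact field layout is an assumption, so adjust the regex if your log differs.

```python
"""Summarize 'Drop'-prefixed firewall log lines (added example).

The log format below is an assumption modelled on RouterOS firewall logging;
the sample lines are constructed, not captured from the router in the thread.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<time>\S+) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<iface>\S+) out:\S+, (?:src-mac \S+, )?proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# Constructed sample: four dropped DNS packets, one dropped SSH attempt,
# and one unrelated DHCP line that the parser must ignore.
SAMPLE_LOG = """\
20:19:01 firewall,info Drop input: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto UDP, 198.51.100.7:27015->203.0.113.1:53, len 70
20:19:01 firewall,info Drop input: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto UDP, 198.51.100.7:27015->203.0.113.1:53, len 70
20:19:02 firewall,info Drop input: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto UDP, 198.51.100.8:1024->203.0.113.1:53, len 70
20:19:02 firewall,info Drop input: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto TCP, 192.0.2.44:55123->203.0.113.1:22, len 60
20:19:03 firewall,info Drop input: in:ether1-gateway out:(none), src-mac 00:11:22:33:44:55, proto UDP, 198.51.100.7:27015->203.0.113.1:53, len 70
20:19:03 dhcp,info dhcp1 assigned 10.10.10.20 to 00:aa:bb:cc:dd:ee
"""


def parse_drops(text, prefix="Drop"):
    """Return one dict per log line carrying the given log-prefix."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("prefix") == prefix:
            rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Count drops per (proto, dst port) and list the busiest DNS sources."""
    by_service = Counter((r["proto"], int(r["dport"])) for r in rows)
    dns_sources = Counter(r["src"] for r in rows
                          if r["proto"] == "UDP" and r["dport"] == "53")
    return {
        "total": len(rows),
        "by_service": by_service,
        "top_dns_sources": dns_sources.most_common(3),
    }


if __name__ == "__main__":
    s = summarize(parse_drops(SAMPLE_LOG))
    print(s["total"], "drops")
    for (proto, port), n in s["by_service"].most_common():
        print(f"  {proto}/{port}: {n}")
    print("  busiest DNS sources:", s["top_dns_sources"])
```

A steadily growing count on UDP/53 confirms what the thread says about the rule counter: the flood is still arriving but being dropped. Note that in a reflection attack the source addresses are spoofed, so the "busiest sources" are the victims the attacker is trying to reach through your resolver, not the attacker itself.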

tomaskir
Thank you. :slight_smile:

My RB450G got a DNS attack today.
This topic is very useful and it worked for me.
Thank you very much for sharing.

It works perfectly on a CCR-1036.
Thanks