2011UiAS after firmware upgrade to 3.24, CPU usage quadrupled.
Router is in the very basic “Quick set” configuration, no features are used at all.
DNS service seems to be the cause of this.
hmm…
/ip firewall filter
# ether1 is my WAN port
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
seems to solve it for now - most likely it is just a coincidence with the firmware update
Can you open a terminal on the router and paste this command -
/ip firewall export file=firewall_DNS-issue
Can you then open the file “firewall_DNS-issue.rsc” and post the results on the forum. It’s strange that the default rules aren’t blocking this, or that common changes to the rules are enabling this attack.
there is nothing there:
# sep/07/2015 17:48:21 by RouterOS 6.31
# software id = ULJX-1WYB
#
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
# those 2 lines below are the default config
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
Seems that you are a victim of a DoS attack.
There is no way to solve it, as your address is a “well known” open DNS resolver, so zombie hosts are using it to amplify their attack on the real victim.
How? They are sending small DNS questions to your router, and the answer goes to the real victim because the source addresses of the primary packets are “prepared”.
Your router is answering - now it is not - to suspected originator with “big answer” and the victim is flooded with big traffic of answers for fake DNS questions.
It should look like -
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
add chain=forward comment="default configuration" connection-state=\
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
These rules say only ICMP and input not from ether1 can be accepted by the router.
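To make the difference between the OP's export and the default rules concrete, here is an added example (not code from the thread or from MikroTik): a small first-match evaluator for the `/ip firewall filter` section of an `.rsc` export that checks whether a UDP/53 query arriving on the WAN interface would reach the router's resolver. It assumes `ether1` is the WAN port, models only the attributes seen in the thread, and the two sample exports are constructed for the test.

```python
# Added example, not from the forum thread: first-match evaluation of
# RouterOS "/ip firewall filter" rules as they appear in an .rsc export.
# Assumptions: only chain/action/protocol/dst-port/in-interface/
# connection-state are modelled; a chain with no matching rule accepts.
import shlex

MATCH_KEYS = ("protocol", "dst-port", "in-interface", "connection-state")

def parse_filter_rules(export_text):
    """Return the 'add' rules of the filter section as dicts (first to last)."""
    rules, in_filter, pending = [], False, ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                  # section header
            in_filter = line == "/ip firewall filter"
            continue
        if not in_filter:
            continue
        if line.endswith("\\"):                   # export line continuation
            pending += line[:-1]
            continue
        tokens = shlex.split(pending + line)
        pending = ""
        if tokens[0] != "add":
            continue
        rule = {"action": "accept"}               # RouterOS default action
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def evaluate(rules, packet):
    """Action of the first rule in packet['chain'] whose matchers all hold."""
    for rule in rules:
        if rule.get("chain") != packet["chain"]:
            continue
        if all(rule[k] == packet.get(k) for k in MATCH_KEYS if k in rule):
            return rule["action"]
    return "accept"                               # fell off the end of the chain

# Constructed: a fresh query from the Internet, as the amplification sources send it.
WAN_DNS_QUERY = {"chain": "input", "protocol": "udp", "dst-port": "53",
                 "in-interface": "ether1", "connection-state": "new"}

def wan_dns_exposed(export_text):
    return evaluate(parse_filter_rules(export_text), WAN_DNS_QUERY) == "accept"

# Constructed samples: the OP's hole (NAT only) and the default input rules.
HOLE_EXPORT = "/ip firewall nat\nadd action=masquerade chain=srcnat out-interface=ether1\n"
DEFAULT_EXPORT = """/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\\
    ether1
"""
```

With only the masquerade rule present the query is accepted, so the router answers from the Internet; with the default `drop in-interface=ether1` rule it is dropped before the DNS service sees it.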
I added this. It is really strange that it was not in the default config. Perhaps after the firmware and OS upgrade (3.24, 6.31) the config was deleted.
Yep. You are right, that was a real hole in the config.