Dealing with strange traffic, can't block it.

OK, so for about a few weeks now I’ve been getting very excessive rx traffic on my WAN interface, which prevents me from doing anything. When torching, I usually see something like this:

As I don’t see any tx traffic on my bridge, I’m assuming that this is not caused by my LAN.
The 109.86.234.0/24 subnet belongs to my ISP, but I’m not in it (178.150.110.0/24 if it matters). The question is, how do I drop this properly? Simply chain=input interface=ether1 src-address=31.216.144.0/24 doesn’t do anything useful. I’m definitely missing something; can someone help?

My best guess is that you have the proxy turned on on the Mikrotik without securing it from the outside world. Get that fixed and hopefully it will deal with the issue.

Web-proxy wasn’t enabled by default, and I checked that. Same for hotspot and other things that aren’t needed by me, so no, that doesn’t resolve the case.

[admin@pylon] > /ip proxy print 
                 enabled: no

It’s not a stolen proxy problem, as there is no traffic back, nor through the router. I would just tarpit incoming traffic from this IP. As it is TCP, it will be effective. You can also try to contact the IP owner with an abuse report, and you can also ask your provider to block it if tarpit doesn’t solve the problem.
BTW, I would be angry too in such a case.

Well, I’ll gladly do that, with one concern - how do I log torch output (not by using a syslog server)? Or would it be better to use the packet sniffer for that?

Hi.

Simply chain=input interface=ether1 src-address=31.216.144.0/24 doesn’t do anything useful.

Because it’s on the forward chain, I think. A web server reply, routed to you? Ask your provider to block unwanted traffic… and do a packet sniff to see what it is.

Regards: Xen