Hello,
Just wondering if someone can help me please - tonight we’ve been getting reports of slow responses at one location and I can see my connection tables are getting full from requests from the same (but) various IP address with many different ports.
192.168.0.10 is the RB IP from my ISP’s modem
Can anyone shed some light on this matter.
It’s so called DNS amplification attack, and it’s not actually against you. Your router is being misused to attack someone else. And it happens because you failed to secure it properly. You need to make sure that you do not accept DNS requests on WAN interface. You’re behind modem, but it looks like you have some kind of DMZ config and it forwards ports to your router.
Quick fix:
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=<WAN> protocol=udp
add action=drop chain=input dst-port=53 in-interface=<WAN> protocol=tcp
Many thanks for your reply. You were on the money. I did solve it that evening!
Not sure how this happened as this is the first rules in the firewall.
Thanks anyway.