Good morning all,
I’ve had some very good success with my Mikrotik setup and utilizing queues and dynamic firewall rules for SSH attacks, spammers, etc. The latest problem I’m seeing is a increased number of outbound traffic all going to the same IP. Whether its in Germany or Europe, its just flooding from a few internal IP’s to those particular outbound IP’s. I’ve started monitoring it and as my outbound traffic climbs I run torch and notice there are a number of IP’s transmitting out of my network to those SRC IP’s. I can go under the firewall and drop the traffic to those destination IP’s and it works, until I guess it bounces to another IP.
So my thought is to make this dynamic. I’m wondering of how to implement a SRC rule that is dynamic to analyze the traffic and create a list that drops the SRC traffic from my internal network if there is more than 6 connections from my internal network to the same SRC IP. I’m guessing this list would be dynamically created and span a duration of 6-8 hours. I have a few ideas I’ve tried, but it just doesn’t seem to work like I’m thinking it should. Does anyone have something like this currently implemented and how did you accomplished it.
I don’t know what its transmitting but whatever it is it generates a lot of traffic.
Thanks for the assistance,
Ryo
