Getting hammered from an outside IP on port 80.

Today one of my Mikrotik routers started showing some really strange traffic. The CPU load went from around 15-20% normal to 50-100% at times.

The major traffic is showing up on Ethernet 1 as receive traffic, so I ran torch on eth1 (WAN port) and I'm seeing a steady 2 meg stream from 72.54.148.226, protocol UDP, source port 37162, destination port 80, to the interface IP on my Mikrotik. The traffic stops there because it is not registering on eth2 (LAN).

I tried a firewall rule to block all traffic from that IP, but I'm still seeing all that traffic hitting the outside.

Here is the rule I made:

add action=drop chain=input comment="udp 37162 block" disabled=no src-address=72.54.148.226

I tried just using the forward chain, but I didn't see any statistics counting up when I did.

I've already tracked down the owner of that block of IPs and e-mailed their abuse contact.

I also disabled the www service for web access to the router, just in case... it didn't seem to help.

Anyone have any suggestions?
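The pattern the post describes (one outside source sending a steady UDP stream at a port where the router only ever speaks TCP) is easy to spot once torch samples are written down. The script below is an added example, not code from this thread or from MikroTik: it parses constructed torch-style records (the column layout and the bits-per-second unit are assumptions), keeps the peak rate per source/protocol/port, and flags UDP at or above a threshold toward TCP-only ports. The flagged address and source port are the ones quoted in the post; the other addresses are documentation ranges.

```python
"""Flag a steady single-source UDP stream aimed at a TCP service port.

Added example, not code from the forum thread. The records are constructed
to mimic what /tool torch shows on a WAN interface (protocol, source, source
port, destination, destination port, receive rate); the exact column layout
and the bits-per-second unit are assumptions for this example.
"""
from collections import defaultdict

# Constructed torch-style samples: 72.54.148.226 and port 37162 are the values
# quoted in the post; the other addresses are RFC 5737 documentation ranges.
SAMPLE_TORCH = """\
udp 72.54.148.226 37162 203.0.113.10 80 2048000
tcp 198.51.100.7 51234 203.0.113.10 443 120000
tcp 198.51.100.8 40000 203.0.113.10 80 60000
udp 198.51.100.9 53 203.0.113.10 53 8000
udp 72.54.148.226 37162 203.0.113.10 80 2100000
"""

# Ports on which legitimate traffic to the router is TCP only (the www service
# and its TLS variant), so UDP there carries no service payload at all.
TCP_ONLY_PORTS = {80, 443}


def parse_torch(text):
    """Turn torch-style lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proto, src, sport, dst, dport, bps = parts
        try:
            rows.append({
                "proto": proto.lower(),
                "src": src,
                "sport": int(sport),
                "dst": dst,
                "dport": int(dport),
                "bps": int(bps),
            })
        except ValueError:
            continue
    return rows


def peak_rates(rows):
    """Peak observed rate per (src, proto, dport).

    Torch prints a rate per sampling interval, so repeated samples of the
    same flow are compared with max(), never summed.
    """
    peaks = defaultdict(int)
    for r in rows:
        key = (r["src"], r["proto"], r["dport"])
        peaks[key] = max(peaks[key], r["bps"])
    return dict(peaks)


def find_udp_floods(rows, min_bps=1_000_000):
    """Sources sending UDP at >= min_bps to a port that only speaks TCP."""
    flagged = []
    for (src, proto, dport), bps in sorted(peak_rates(rows).items()):
        if proto == "udp" and dport in TCP_ONLY_PORTS and bps >= min_bps:
            flagged.append({"src": src, "dport": dport, "peak_bps": bps})
    return flagged


if __name__ == "__main__":
    for hit in find_udp_floods(parse_torch(SAMPLE_TORCH)):
        print(f"{hit['src']} -> udp/{hit['dport']} "
              f"at {hit['peak_bps'] / 1e6:.1f} Mbit/s")
```

The threshold is deliberately a parameter: a 2 Mbit/s stream is large for a small router's WAN link but would be noise elsewhere. Whatever the threshold, the check that matters afterwards is the one the post already hints at: the drop rule's packet counter in the input chain is where a matching rule shows up, and a rule that matches still cannot stop the packets from arriving on the WAN interface.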

Call your provider and ask them to block the traffic upstream.

Even if you block the traffic, the router still receives it before it finds out it has to be blocked. Yes, try to ask your ISP. If it's all coming from one IP, and your machine can take it, you could try to change the "drop" to "tarpit" and hope you kill the attacker's machine :)

Yeah, tarpit would be cool. It's just a 450G model so I don't think it has enough power. Either way, it's gone this morning, so probably the mail I sent to abuse got looked at.

Tarpit shouldn't use almost any resources; it simply sends an ACK and forgets about the connection.

Except that tarpit is only permitted for TCP traffic and so won’t work in this case.