Hi,
my router started saturating my DSL line today. I am using it as a wireless router for my home, so everything apart from the uplink is wireless. In the interface stats I can see ether1 TX ~5Mbps, but wlan1 traffic is negligible, so it must originate from the router itself. I did a capture of the traffic (pcap attached - 1.1.1.23 is my end (public but obfuscated)) and it seems to be all going to 186.2.162.3 (and others in that /24 block). The router obviously has a public IP. SSH is enabled on the public interface but using bruteforce login prevention (based on the MikroTik wiki).
I am running ROS 6.2 on 2011UAS-2HnD.
Any thoughts? Where should I look?
Thanks,
Antony.
hacked.pcap.zip (32.8 KB)