So 100% load cpu with 65% networking.
i think someone ddos me.
I think they smth download form my server(because in interface sfp 1 tx 400 kbit, but rx much hier (about 5 mbts,im not sure i forgot)), i dont know how block download (and not sure i need block this or idk)
some screen
which ports is the traffic going to?
Also notice that you have a similar return traffic as well?
open dns server or some other traffic bounce?
What is your firewall config (/export hide-sensitive)?
Thanks for attention
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge
ssid=kpst18630
set [ find default-name=wlan2 ] ssid=kpst18630 wireless-protocol=802.11
/interface list
add name=internet
add name=Local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods=“”
mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip settings
set tcp-syncookies=yes
/interface list member
add interface=sfp1 list=internet
add interface=ether1 list=Local
add interface=ether2 list=Local
add interface=ether3 list=Local
add interface=ether4 list=Local
add interface=ether5 list=Local
add interface=wlan1 list=Local
add interface=wlan2 list=Local
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip arp
add address=192.168.88.253 interface=bridge1 mac-address=18:31:BF:BD:2E:7E
add address=192.168.88.254 interface=bridge1 mac-address=18:31:BF:DF:8C:C2
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.88.0/24 list=“Protect DDOS attack”
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=add-src-to-address-list address-list=“Protect DDOS attack”
address-list-timeout=1d chain=input connection-limit=100,32
in-interface-list=all protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp
src-address-list=“Protect DDOS attack”
add action=jump chain=forward connection-state=new jump-target=SYN-Protect
protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=internet
jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=50,5:packet
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=
syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=10000
in-interface=sfp1 protocol=tcp to-addresses=192.168.88.253 to-ports=10000
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=80
in-interface=sfp1 protocol=tcp to-addresses=192.168.88.253 to-ports=80
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=34197
in-interface=sfp1 protocol=udp to-addresses=192.168.88.254 to-ports=34197
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=34198
in-interface=sfp1 protocol=tcp to-addresses=192.168.88.252 to-ports=34198
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=8303
in-interface=sfp1 protocol=udp to-addresses=192.168.88.252 to-ports=8303
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=4000
in-interface=sfp1 protocol=tcp to-addresses=192.168.88.252 to-ports=4000
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=8304
in-interface=sfp1 protocol=udp to-addresses=192.168.88.254 to-ports=8304
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=1000-8302
in-interface=sfp1 protocol=tcp to-addresses=192.168.88.253 to-ports=
1000-8302
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=10999-16000
in-interface=sfp1 protocol=tcp to-addresses=192.168.88.253 to-ports=
10999-16000
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=9014
in-interface=sfp1 protocol=tcp to-addresses=192.168.88.246 to-ports=9014
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=2106
in-interface=sfp1 protocol=tcp to-addresses=192.168.88.246 to-ports=2106
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=7777
in-interface=sfp1 protocol=udp to-addresses=192.168.88.246 to-ports=7777
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=80 protocol=
tcp src-address=192.168.88.0/24 to-addresses=192.168.88.253 to-ports=80
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=10999-16000
protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.253
to-ports=10999-16000
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=1000-8302
protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.253
to-ports=1000-8302
add action=masquerade chain=srcnat dst-address=192.168.88.253 dst-port=80
protocol=tcp src-address=192.168.88.0/24 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.88.253 dst-port=
1000-8302 protocol=tcp src-address=192.168.88.0/24 to-ports=1000-8302
add action=masquerade chain=srcnat dst-address=192.168.88.253 dst-port=
10999-16000 protocol=tcp src-address=192.168.88.0/24 to-ports=10999-16000
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Krasnoyarsk
Can someone help in skype my login on screen
I cant use my innternet cus this “bad feels”
In torch which ports is the traffic going to?
Observations:
/ip dns
set allow-remote-requests=yes
= you’re probably bombarded by dns requests, and being used for DDOS attacks, using DNS amplification attack
why don’t you just stick to default firewall, it’s more that enough in this case…
Bellow is just an optimisation
# From example
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=10000 in-interface=sfp1 protocol=tcp to-addresses=192.168.88.253 to-ports=10000
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=192.168.88.253 to-ports=80
# TO example
add action=dst-nat chain=dstnat dst-address=MyIp dst-port=10000,80 in-interface=sfp1 protocol=tcp to-addresses=192.168.88.253
# From
add action=masquerade chain=srcnat dst-address=192.168.88.253 dst-port=80 protocol=tcp src-address=192.168.88.0/24 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.88.253 dst-port=1000-8302 protocol=tcp src-address=192.168.88.0/24 to-ports=1000-8302
add action=masquerade chain=srcnat dst-address=192.168.88.253 dst-port=10999-16000 protocol=tcp src-address=192.168.88.0/24 to-ports=10999-16000
# To
add action=src-nat chain=srcnat dst-address=192.168.88.253 dst-port=80,1000-8302,10999-16000 protocol=tcp src-address=192.168.88.0/24 to-address=<ip router?192.168.88.1>
Did it, but yesterday again ddosed.
Can i see which port they ddos(but i not sure it is help if i close port)?
did what? the above is NOT an instruction what to do
The instruction was: “why don’t you just stick to default firewall, it’s more that enough in this case…”
Cus default doesnt help, and i try other ways.
Cus default doesnt help, and i try other ways.
Some one have any tips how to fix that?