Huge Attack is coming from internet

Dear All,

I have a Linux server in my network and sometimes I am getting huge upload traffic on my MikroTik router. Also, sometimes the bandwidth reaches 720 Mbps, but my WAN bandwidth is 50 Mbps.

And when I torch the interface, I see some IPs from the internet sending huge traffic, and the IPs change after some time.

Please suggest how to make it stop.

Use a firewall to block this.

Your router should not have open ports on the internet side, so this would never happen. Follow the guide here:
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

Sir, I have blocked everything and I am getting the requests on port number 80, and also those IPs change after a few minutes.

Hello

Just to be sure, by Upload, you mean from linux server going outside?

The first step is identifying the traffic. Is there a pattern? If so, filtering will be much easier.

You should also disable services you don’t require (ip - services) or block them from inputting through the WAN. Beware! Don’t block replies (established and related).

Try posting more information about the attack if you can.

Good luck!



So if it is blocked, what is the problem?

I have a Linux machine which is connected to my MikroTik port number 2, and my WAN bandwidth is 50 Mbps, but sometimes the bandwidth utilisation is 720 Mbps. When I check the bandwidth in my network, my MikroTik’s port no. 2 RX traffic shows 720 Mbps and my WAN TX traffic shows 720 Mbps.

At the same time, when I torch the interface to check the source and destination, the source IP address shows my Linux machine’s IP and the destination IP shows some IP from the internet with port no. 80 and sometimes 6000. The destination IPs are not constant; they change after some time, and so do the ports.

Now I am getting the traffic on port number 18424 and the bandwidth shows 900 Mbps.

If you actually had a firewall, you would not get this traffic on port XXX. Please follow the guide I linked to above.

If the Linux host is originating the traffic, then you should concentrate on finding out what is wrong with that server. It sounds like it’s been hacked.

At any rate, ISP link=50Mbps contractual, actual rate close to 1Gbps???

I wish I had your ISP :)



The traffic most probably ends in a blackhole at next hop…
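
Added example (not part of the original thread): a small Python check over constructed flow rows, shaped like what torch shows, that sums traffic per direction for one LAN host to tell a host-originated flood from an inbound one. The addresses, rates and the `classify` helper are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (src, dst, dst_port, bits_per_second).
# 10.0.0.5 stands in for the Linux server; other addresses are documentation ranges.
FLOWS = [
    ("10.0.0.5", "198.51.100.7", 80, 310_000_000),
    ("10.0.0.5", "198.51.100.93", 80, 250_000_000),
    ("10.0.0.5", "203.0.113.45", 6000, 160_000_000),
    ("203.0.113.200", "10.0.0.5", 22, 40_000),
    ("10.0.0.20", "198.51.100.7", 443, 2_000_000),
]

def classify(flows, host, wan_contract_bps):
    """Summarise traffic for one LAN host and report which side originates it."""
    out_bps = in_bps = 0
    dests = set()
    per_port = defaultdict(int)
    for src, dst, port, bps in flows:
        if src == host:            # host is the sender: outbound (upload)
            out_bps += bps
            dests.add(dst)
            per_port[port] += bps
        elif dst == host:          # host is the receiver: inbound
            in_bps += bps
    if out_bps > wan_contract_bps and out_bps > in_bps:
        # Input-chain rules on the router do not stop this; the host itself
        # is generating the traffic and needs to be examined.
        verdict = "host-originated flood: investigate the host"
    elif in_bps > wan_contract_bps:
        verdict = "inbound flood: filter at the router or upstream"
    else:
        verdict = "within contract rate"
    return {
        "out_bps": out_bps,
        "in_bps": in_bps,
        "destinations": len(dests),
        "top_ports": sorted(per_port, key=per_port.get, reverse=True),
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(classify(FLOWS, "10.0.0.5", 50_000_000))
```
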