Huge log file

Hello,

I started to log packets and in my log file I found thousands of lines like these:

dns,packet pack: <iorr.ru:A:27894=123.123.123.156> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.179> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.27> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.57> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.145> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.185> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.150> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.215> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.24> 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns1.reg.ru> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.8> 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns2.reg.ru> 2014-04-22 13:52
dns,packet pack: authority: 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns1.reg.ru> 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns2.reg.ru> 2014-04-22 13:52
dns,packet pack: --- got query from 91.109.3.170:5153: 2014-04-22 13:52
dns,packet pack: id:f064 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2014-04-22 13:52
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 13:52
dns,packet pack: additional: 2014-04-22 13:52
dns,packet pack: <:UNKNOWN (41):0=rawbytes:0> 2014-04-22 13:52
dns,packet pack: --- sending reply to 91.109.3.170:5153: 2014-04-22 13:52
dns,packet pack: id:f064 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error' 2014-04-22 13:52
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 13:52
dns,packet pack: answer: 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.154> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.84> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.75> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.217> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.101> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.91> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.220> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.12> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.155> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.129> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.67> 2014-04-22 13:52
dns,packet pack: <iorr.ru:SOA:27894=serial:1398061729 refresh:14400 retry:3600 expire:604800 min:43200 > 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.236> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.77> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.43> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.182> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.235> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.131> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.139> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.96> 2014-04-22 13:52
...
dns,packet pack: <iorr.ru:A:27110=123.123.123.117> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.146> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.19> 2014-04-22 14:05
dns,packet pack: <iorr.ru:NS:27110=ns2.reg.ru> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.9> 2014-04-22 14:05
dns,packet pack: <iorr.ru:NS:27110=ns1.reg.ru> 2014-04-22 14:05
dns,packet pack: authority: 2014-04-22 14:05
dns,packet pack: <iorr.ru:NS:27110=ns2.reg.ru> 2014-04-22 14:05
dns,packet pack: <iorr.ru:NS:27110=ns1.reg.ru> 2014-04-22 14:05
dns,packet pack: --- got query from 80.5.24.20:77: 2014-04-22 14:05
dns,packet pack: id:7938 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2014-04-22 14:05
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 14:05
dns,packet pack: additional: 2014-04-22 14:05
dns,packet pack: <:UNKNOWN (41):0=rawbytes:0> 2014-04-22 14:05
dns,packet pack: --- sending reply to 80.5.24.20:77: 2014-04-22 14:05
dns,packet pack: id:7938 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error' 2014-04-22 14:05
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 14:05
dns,packet pack: answer: 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.97> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.55> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.46> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.30> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.187> 2014-04-22 14:05

What does it mean? Can it affect the router's performance or security? What actions should I take?
Thank you in advance for your support.

Ioan

I started to log packets

This explains it. Why did you start to log packets then?

Your answer didn't help because you read only the subject line, not to the end of my post… so I'll rephrase the question and modify the subject to be more accurate:
The problem isn't the log file size but: is it normal to have so many records per second coming from a single IP class, and only for iorr.ru? What does it mean? Can it affect the router's performance or security? What actions should I take?
Thank you.

Is the DNS server at your router accessible from the WAN? It looks a bit like someone is trying to abuse it for a DNS amplification attack.

Hi
Add a rule to the firewall and drop the IP range 123.123.123.0/24.
I think it isn't normal.

It's a DDoS, so removing the original IP address will not be enough; you have to match on something constant in the string and drop it in iptables.

TS
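The "something constant" in the packets, as an added example that is not part of the original thread: a Python builder and parser for the DNS wire format that reproduces the query shape the log shows (QTYPE ANY for iorr.ru plus an EDNS OPT pseudo-record, the "UNKNOWN (41)" entry) and extracts the byte string every packet in the flood shares regardless of its spoofed source address. The transaction id, the advertised UDP payload size and the example.com contrast query are assumptions for the example; the function names are this example's own, not a library or firewall API.

```python
import struct

QTYPE_A, QTYPE_ANY, QCLASS_IN, RRTYPE_OPT = 1, 255, 1, 41

def encode_qname(name):
    """DNS wire form of a name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=QTYPE_ANY, edns=True, txid=0xF064, udp_payload=4096):
    """Build a query like the ones in the log: by default QTYPE ANY plus an EDNS OPT
    pseudo-record (type 41) advertising a large UDP payload size (assumed 4096)."""
    flags = 0x0100                                   # rd=1, all other header flags 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b""
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL field=extended rcode/version/flags (0), RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, udp_payload, 0, 0)
    return header + question + opt

def parse_query(pkt):
    """Minimal parser for a single-question DNS query with an uncompressed qname."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while pkt[off] != 0:
        ln = pkt[off]
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    off += 1                                         # skip the terminating zero byte
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    info = {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": ".".join(labels), "qtype": qtype,
            "edns": False, "udp_payload": 512}       # 512 = classic DNS UDP limit
    if ar and off + 5 <= len(pkt) and pkt[off] == 0:  # root-named additional RR
        rtype, rclass = struct.unpack("!HH", pkt[off + 1:off + 5])
        if rtype == RRTYPE_OPT:
            info["edns"], info["udp_payload"] = True, rclass
    return info

def content_signature(name, qtype=QTYPE_ANY):
    """The bytes every packet in the flood shares regardless of spoofed source:
    the encoded qname followed by QTYPE and QCLASS IN."""
    return encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)

def matches_flood(pkt, name="iorr.ru"):
    """Payload-based match a firewall rule would implement instead of a source-IP block."""
    return content_signature(name) in pkt

if __name__ == "__main__":
    q = build_query("iorr.ru")
    print(len(q), "byte query; constant payload:", content_signature("iorr.ru").hex())
```

The ANY query with OPT is 36 bytes on the wire, while the reply in the log carries dozens of A records plus SOA and NS data, which is the amplification the attacker is after. A match on the constant qname/qtype bytes catches the flood whatever source address it claims, whereas dropping the claimed sources only blocks the victims; the durable fix is to stop answering DNS from the WAN interface at all.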