Investigating Abnormal Traffic Consumption in a MikroTik PPPoE WISP Network

Hello everyone.

I am troubleshooting a strange issue on a MikroTik RB750Gr3 (RouterOS 6.48.6) running a PPPoE WISP network.

Some time ago, an unusual and abnormally high traffic/usage pattern started appearing, apparently related to one or a few specific clients.

This behavior did not exist before, and now it generates traffic patterns that are difficult to explain.

What makes this confusing is that I have already tested multiple scenarios:

  • Different network layouts

  • Network isolation using VLANs

  • Monitoring with Torch

  • Packet captures (tcpdump / Wireshark)

  • MAC/IP observation and traffic correlation

However, I still cannot find a clear protocol, destination, or traffic pattern explaining the behavior.

In captures, some devices show more activity than others, plus expected multicast/broadcast traffic, but nothing that clearly identifies the source of the abnormal usage.

Environment:

  • MikroTik RB750Gr3

  • RouterOS 6.48.6

  • PPPoE clients

  • WISP environment

  • Some client environments include routers, TVs, streaming devices, etc.

At this point I am trying to determine whether this could realistically be caused by:

  1. Client-generated abnormal traffic
    (Smart TV, Android TV, router, internal LAN device, IPTV/streaming app, malware, cloud sync, misbehaving application, etc.)

  2. Physical / external hardware issue
    (Bad switch, damaged Ethernet cable, faulty port, defective PoE injector/power supply, negotiation problem, Layer-2 loop, broadcast storm, etc.)

  3. Specific MikroTik / PPPoE behavior
    Something that may only appear under certain traffic conditions or with particular devices.

An additional challenge is that packet captures do not show an obvious smoking gun explaining the amount of traffic observed.

Has anyone experienced something similar in a PPPoE/WISP environment?

What would you investigate next to distinguish between:

  • client/application behavior

  • Layer-2 physical problems

  • MikroTik/PPPoE related causes

Any ideas or similar experiences would be appreciated.

What is the real problem? Are you trying to find out which device at their locations generates so much traffic?

Too much traffic? Isn't it enough to just limit their bandwidth? Does it appear at an unusual time?
Do they have access to routers?

I already identified the source: a specific client TV/device.

If I block that TV, the abnormal behavior disappears. However, that is not a viable solution, since the customer needs to use it.

What I want to determine is why this traffic exists and how to prevent it properly.

I'm trying to find out whether this could be caused by something like:

  • bad cable / faulty switch / PoE issue / Layer-2 problem

  • client device or app behavior

  • MikroTik / PPPoE related behavior

Another important detail: in some cases this traffic pushes my RB750Gr3 CPU up to ~85%.

Clients have always been bandwidth-limited, but this traffic does not seem to go through Simple Queues. I mainly see it at the interface level, which makes it more confusing.

If the source is known then maybe it's time to ask on the TV producer's forum?
For me it has some backdoors/apps installed that communicate with the outside world, but it could be proactively fetching some data for streaming ... who knows.

If the traffic goes to the WAN then the router decided that it has to be sent outside, so there should be traceable addresses to check whom they belong to. If it is just pure L2 traffic, then the question is why the router sends it outside?

EDIT:

There are ROS 6.34 & 6.39 installed on these devices ... so old version with some security holes that were fixed years later.
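The two questions raised in this thread, whether the excess is a Layer-2 broadcast/multicast storm or one device pushing unicast traffic toward the Internet (the original post's capture work, and the point above that WAN-bound traffic leaves traceable destination addresses), can be answered from the same capture. The script below is an added example, not code from the thread or from MikroTik. It assumes a capture taken on the client-side LAN or VLAN with `tcpdump -e -nn` (MAC addresses printed, no name resolution), buckets each frame as broadcast, multicast, local unicast or WAN-bound unicast, and totals bytes per source MAC and per WAN destination. The sample lines, MAC addresses and IP addresses are constructed for illustration.

```python
"""Classify tcpdump '-e -nn' lines into broadcast / multicast / local / WAN-bound
traffic and total bytes per source MAC, to separate a Layer-2 storm from a single
device streaming toward the Internet. Added example; all input is constructed."""
import ipaddress
import re
from collections import defaultdict

# One tcpdump -e -nn line looks like:
# "HH:MM:SS.us SRC_MAC > DST_MAC, ethertype X (0x....), length N: SRC_IP.PORT > DST_IP.PORT: ..."
# The trailing IP part is optional so ARP and other non-IP frames still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>\w+) \([^)]*\), length (?P<length>\d+):"
    r"(?: (?P<src_ip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:)?"
)

# Address space treated as "local" (RFC 1918 plus link-local). Listed explicitly
# because ipaddress.is_private also flags the documentation range 203.0.113.0/24,
# which the constructed sample uses as a stand-in public destination.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_line(line):
    """Return a dict (src_mac, dst_mac, etype, length, src_ip, dst_ip) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["length"] = int(rec["length"])
    return rec


def classify(rec):
    """Bucket one frame as broadcast, multicast, local_unicast or wan_unicast."""
    dst_mac = rec["dst_mac"].lower()
    if dst_mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if dst_mac.startswith("01:00:5e") or dst_mac.startswith("33:33"):
        return "multicast"            # IPv4 / IPv6 multicast MAC prefixes
    if rec["dst_ip"]:
        ip = ipaddress.ip_address(rec["dst_ip"])
        if ip.is_multicast:
            return "multicast"
        if any(ip in net for net in LOCAL_NETS):
            return "local_unicast"
        return "wan_unicast"          # leaves the LAN; destination is traceable
    return "local_unicast"            # non-IP unicast frame, e.g. unicast ARP reply


def summarize(lines):
    """Bytes per source MAC and per class, bytes per WAN destination, flood share."""
    by_source = defaultdict(lambda: defaultdict(int))
    wan_dst = defaultdict(int)
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # skip continuation lines or unparseable output
        kind = classify(rec)
        by_source[rec["src_mac"]][kind] += rec["length"]
        total += rec["length"]
        if kind == "wan_unicast":
            wan_dst[(rec["src_mac"], rec["dst_ip"])] += rec["length"]
    flood = sum(v.get("broadcast", 0) + v.get("multicast", 0) for v in by_source.values())
    return {
        "by_source": {mac: dict(v) for mac, v in by_source.items()},
        "wan_destinations": dict(wan_dst),
        "total_bytes": total,
        "flood_share": flood / total if total else 0.0,   # high => storm/loop suspect
    }


def top_talkers(summary, n=3):
    """(src_mac, total_bytes) pairs, largest first."""
    totals = [(mac, sum(v.values())) for mac, v in summary["by_source"].items()]
    return sorted(totals, key=lambda t: t[1], reverse=True)[:n]


# Constructed sample: a TV (aa:bb:cc:dd:ee:01 / 10.10.1.20) and a PC (...:02 / 10.10.1.30)
# behind a gateway MAC 00:11:22:33:44:55; 203.0.113.x / 198.51.100.x stand in for public hosts.
SAMPLE_LINES = [
    "09:00:00.000001 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 1514: 10.10.1.20.49152 > 203.0.113.10.443: Flags [.], seq 1:1449, ack 1, win 500, length 1448",
    "09:00:00.000002 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 1514: 10.10.1.20.49152 > 203.0.113.10.443: Flags [.], seq 1449:2897, ack 1, win 500, length 1448",
    "09:00:00.000003 aa:bb:cc:dd:ee:01 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 342: 10.10.1.20.1900 > 239.255.255.250.1900: UDP, length 300",
    "09:00:00.000004 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.10.1.1 tell 10.10.1.20, length 46",
    "09:00:00.000005 aa:bb:cc:dd:ee:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 90: 10.10.1.30.51000 > 198.51.100.5.53: 12345+ A? example.com. (48)",
    "09:00:00.000006 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:02, ethertype IPv4 (0x0800), length 200: 10.10.1.20.8080 > 10.10.1.30.40000: Flags [P.], seq 1:147, ack 1, win 500, length 146",
    "09:00:00.000007 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 1514: 10.10.1.20.49153 > 203.0.113.11.443: Flags [.], seq 1:1449, ack 1, win 500, length 1448",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for mac, total in top_talkers(s):
        print(mac, total, s["by_source"][mac])
    print("WAN destinations:", s["wan_destinations"])
    print("broadcast+multicast share: %.1f%%" % (100 * s["flood_share"]))
```

Run it against a real file with `tcpdump -e -nn -r capture.pcap | python3 script.py` after replacing `SAMPLE_LINES` with `sys.stdin`. A high `flood_share` across many sources points at a loop or storm on the segment; a single MAC dominating `wan_unicast` with a handful of destinations points at the device itself, and those destination addresses are what to look up next.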