Mikrotik uploading massive amount of data without any computer attached

OK, bit of info first:
I have a Static IP address from my ISP (WISP routed network)
Router is Mikrotik RB2011uias running 6.30.2 firmware
DHCP Client on ether 10
DHCP client on ether 8 as secondary internet connection (if primary fails I hook up a backup connection to ether 8, but usually nothing is connected)
ether 1-3 on bridge for internal network

OK, now to what's happening.
I have noticed a slowdown in my internet lately and decided to poke around and see which one of my kids is Netflix-ing while I'm trying to work :slight_smile: I noticed that my outbound connection on the router (ether 10) is TX at 15Mbps almost constant. I fired up "The Dude" (which I started using to map my internal network out but never finished) and saw the same thing on the outbound: 15Mbps for days, constant.

OK, rogue computer on the network? NOPE, I have a good wifi password policy (wife hates it).
Virus? Nope, mostly Macs and only my managed PC on the network, but to be certain I will UNHOOK the ether cables from my switch one by one till I find that bastard!
Last cable unhooked and still uploading. I went as far as unhooking EVERYTHING from EVERY port except ether10 (my DHCP client), so there is NOTHING else hooked up: no wifi, no switch, nothing but the cable from the internet. STILL UPLOADING 15Mbps.

How do I know nothing is hooked up? I went to my WISP and they of course log data via "The Dude", so I could see the data screaming out of my router @ 15Mbps. I unplug from ether10 and the data stops.
Plug into ether8 (my backup internet port) and it's normal (just whatever data I use). I have lost my static IP (the static IP was routed to the DHCP address that was given to ether10, and ether8 got a different DHCP address).

So my question is how or why is my router UPLOADING at such a rate? (Yes, my router has a GOOD password.) The log shows only about 5 login failures for the last 24hrs and I'm running only 1 script, an ssh blacklist that has about 50 IP addresses. Where to go from here?

Help please, I want my IP address back.

Sounds like a DNS amplification attack is being run off your router. Is TCP/UDP port 53 open to the outside world? Sounds like you need to reevaluate your firewall rules.

Guess I should have gone to GRC Shields Up to check this out first. Port 53 showed open :frowning:

Thanks bds1904, that was exactly it! I checked the firewall and I did NOT have it open to anything, but for an unknown reason under system>DNS>allow-remote-requests: yes…GGGRRRRRRR
Changed to: allow-remote-requests: no

Problem solved. Thanks for the help.

Even if allow-remote-requests: no solved your problem, you should secure your router with simple firewall rules:

  1. Allow what you need (established, related, your LAN, pings)
  2. Block everything else (this will also drop external DNS requests on port 53)

Example rules:

add chain=input comment="Accept established & related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add chain=input comment="Accept all from LAN" src-address=YourLAN (e.g. 10.0.0.0/24)
add chain=input comment="Accept limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop everything else" disabled=yes

If you try these rules, please enable the last rule only when you know that your LAN addresses are correctly configured in the 3rd rule!
Otherwise you will be disconnected from administration :laughing:
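As an added example (not code from the thread), a small Python audit that reads a RouterOS export and reports the open-resolver condition discussed above: allow-remote-requests=yes combined with an input chain that never drops a new WAN packet to port 53. The sample export is constructed to mirror the rules in this post with the catch-all drop left disabled; the probe source address and the set of modelled matchers are assumptions of the example.

```python
import ipaddress
import shlex
# Constructed sample export (not from the thread): resolver on, catch-all drop disabled.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add chain=input comment="Accept established & related" connection-state=established,related
add chain=input comment="Accept all from LAN" src-address=10.0.0.0/24
add chain=input comment="Accept limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop everything else" disabled=yes
"""
WAN_PROBE = {"src": ipaddress.ip_address("203.0.113.10"),  # constructed Internet (TEST-NET-3) source
             "protocol": "udp", "dst-port": "53", "connection-state": "new"}  # a fresh DNS query
MODELLED = {"action", "chain", "comment", "disabled", "protocol", "dst-port", "src-address", "connection-state"}
def parse_export(text):
    """Return (allow_remote_requests, input-chain rules in order) from an export."""
    allow_remote, rules, section = False, [], None
    for line in text.replace("\\\n", " ").splitlines():  # join '\' continuations
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
        if section == "/ip dns" and line.startswith("set"):
            allow_remote = kv.get("allow-remote-requests") == "yes"
        elif section == "/ip firewall filter" and kv.get("chain") == "input":
            rules.append(kv)
    return allow_remote, rules
def rule_matches(rule, probe):
    """Conservative first-match test: rules using unmodelled matchers (limit, psd,
    address lists, '!' negation) are treated as never matching the probe."""
    if (rule.get("disabled") == "yes" or not set(rule) <= MODELLED
            or any(v.startswith("!") for v in rule.values())):
        return False
    if rule.get("protocol", probe["protocol"]) != probe["protocol"]:
        return False
    if probe["dst-port"] not in rule.get("dst-port", probe["dst-port"]).split(","):
        return False
    if "src-address" in rule and probe["src"] not in ipaddress.ip_network(rule["src-address"]):
        return False
    return probe["connection-state"] in rule.get("connection-state", probe["connection-state"]).split(",")
def audit(text):
    """Open resolver = remote requests allowed AND a WAN probe to port 53 is accepted."""
    allow_remote, rules = parse_export(text)
    reachable = True  # RouterOS accepts input traffic that matches no rule
    for rule in rules:
        if rule_matches(rule, WAN_PROBE):
            reachable = rule.get("action", "accept") == "accept"
            break
    return allow_remote, reachable, allow_remote and reachable
```

Running audit(SAMPLE_EXPORT) on the constructed export reports the exposed state; enabling the final drop rule or setting allow-remote-requests=no each clears it.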

Here is my general firewall I use, edit address and interfaces as needed of course:

/ip firewall address-list add address=xxx.xxx.xxx.xxx/xx disabled=no list=support
/ip firewall address-list

add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it"\
disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it"\
disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it"\
disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it"\
disabled=yes list=bogons
/ip firewall filter

add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\
disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input\
comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST"\
disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\
connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept to established connections" connection-state=established\
disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"\
disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
/ipv6 firewall filter
add action=accept chain=input comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow related connections" connection-state=related disabled=no
add action=accept chain=input comment="Allow limited ICMP" disabled=no limit=50/5s,5 protocol=icmpv6
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=drop chain=input comment="" disabled=no
add action=accept chain=forward comment="Allow any to internet" disabled=no out-interface=sit1
add action=accept chain=forward comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=forward comment="Allow related connections" connection-state=related disabled=no
add action=drop chain=forward comment="" disabled=no

It helps detect & block port scans and a few other fun tricks too. :smiley:

Thanks, I have the same problem! Solved

Your fw rules are crap and don't really do much.
You would be far better off and safer with the default rules.

The reason why your firewall rules didn't protect you from DNS exposure, it was not your DNS rules… it was the lack of basic firewall protection.

For example this is disabled.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
disabled=yes

Therefore anything you didn't block at the input chain would be allowed to access the router.
However, you shouldn't enable this rule until you actually construct a firewall address list that would be used in this rule…

add action=drop chain=input
comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST"
disabled=yes dst-port=8291 protocol=tcp src-address-list=!support

The above is also disabled, but I wouldn't touch this rule because you will block far more than you desire if enabled.

Summary: You have no clue what the rules are doing. Get rid of all the garbage and reinstate the default firewall rules and then build slowly things that actually work.