My ISP blocked me because of a lot of connections

Hello,
Yesterday my ISP blocked my port automatically because of spoofing. He told me my router sends about 600 connections per second.
How can I investigate what’s going on?

I have an RB4011 with the latest ROS.
WAN1 = ISP
WAN2 = tplink switch (computer, unifi AP etc.)
WAN3 = dlink switch (playstation, tv, computer, laptop, unifi)

Tried to disable WAN2 and WAN3, internet still dropping.

Problem is websites not loading (connection timeout). If I open ie forum.mikrotik.com, it works. After some seconds it doesn’t work again for about 1 minute.
Ping works fine all the time.

Any help please what can I do?

Currently have ~200 connections in IP/Firewall/Connections

Sample steps …

  1. Disconnect all devices except trusty computer and check router if it is not compromised and what’s going on with traffic.
  2. Watch connections src and check what devices they come from
  3. NetInstall router restore exported configuration … not binary one.
  4. Check whether or not you are an open DNS amplifier (block port 53 from WAN side).
  5. Be patient as it could take a lot of time to trace the problem.
  6. Repeat procedure
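
Added example (not part of the original post, and not MikroTik's code): one way to do step 2 on a saved copy of the connection table, tallying connections per source address and marking sources that fall outside the LAN prefixes you expect. The column layout, the sample rows and the 192.168.88.0/24 LAN prefix are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# An IPv4 address with an optional ":port". The first two on a line are taken
# as source and destination (assumed column order of the saved table).
ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\b")

# Constructed sample, not output captured from a real router.
SAMPLE = """\
Flags: S - seen-reply, A - assured, C - confirmed
 #     PROTOCOL SRC-ADDRESS          DST-ADDRESS        TCP-STATE
 0 SAC tcp      192.168.88.10:51234  198.51.100.7:443   established
 1 SAC tcp      192.168.88.10:51240  198.51.100.7:443   established
 2 C   udp      192.168.1.250:40001  203.0.113.5:4500
 3 C   udp      192.168.1.250:40002  203.0.113.6:4500
 4 C   udp      192.168.1.250:40003  203.0.113.7:4500
 5 C   icmp     192.168.88.20        198.51.100.9
"""

def summarize(dump, lan_prefixes):
    """Return (src, connections, distinct_dsts, inside_lan) rows, busiest first."""
    lans = [ipaddress.ip_network(p) for p in lan_prefixes]
    count, dsts = defaultdict(int), defaultdict(set)
    for line in dump.splitlines():
        hits = ENDPOINT.findall(line)
        if len(hits) < 2:
            continue  # flags legend, header or blank line
        try:
            src, dst = ipaddress.ip_address(hits[0]), ipaddress.ip_address(hits[1])
        except ValueError:
            continue  # looks like dotted quad but is not a valid address
        count[src] += 1
        dsts[src].add(dst)
    rows = [(str(s), n, len(dsts[s]), any(s in net for net in lans))
            for s, n in count.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def outside_lan(rows):
    """Sources that do not belong to any expected LAN prefix."""
    return [src for src, _, _, inside in rows if not inside]

if __name__ == "__main__":
    rows = summarize(SAMPLE, ["192.168.88.0/24"])  # LAN prefix is an assumption
    for src, conns, ndst, inside in rows:
        note = "" if inside else "  <- not in expected LAN"
        print(f"{src:15} conns={conns:<4} dsts={ndst:<4}{note}")
```
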

Thank you.

  1. I already tried to disable all ports and leave 1 port only with my computer. Same result. Tried to disconnect my computer and connect another computer, same result.

  2. In connections I see some src addresses of my computer and a lot of src address 192.168.1.250 (don’t know why).

  3. Will try it later today when I am at home.

  4. Port 53 is blocked.

A look at your config might help as well:

/export file=anynameyoulike

Remove serial and any other private information, and post it between code tags by using the </> button

Hi
You should have a better look at the device with IP 192.168.1.250.
Could be something wrong with that device.