My Router was Hacked? -- Weird stuff

For starters, I’m not an IT expert. Kind of a low level guy that works in a small business that handles the networking and whatnot since nobody else has a clue. The MikroTik has been great, but I’ve been “learning as I go” and much of this is way over my head.

Anyways, a few months ago I was getting complaints that the internet was slow. Checked a few things, replaced some APs with newer stuff, and figured all was well. A month later, some of my APs got randomly bricked. No clue what happened, figured it was a power surge or something. Replaced and went on my way.

More complaints about slow speeds. I check it out and the data usage has gone crazy, 250 GB within about 20 days. I figure that someone has breached the network and is torrenting. I seriously lock down the network, change all passwords, and set up an extensive firewall.

A few weeks go by and there’s more complaints. I check the data usage, and now it’s close to 550 GB in a month. On the ethernet gateway, a constant 8-10 Mbps is being recorded on the TX. RX is around a constant 400 kbps. The TX was so jammed that a speed test wouldn’t even work on the upload portion. I checked all my APs to see how much data they’re moving – normal levels. Checked local machines, normal data moving. I then checked all the connected clients to see how much data they were using, again, all is normal. I then disconnected everything from the router besides the modem – no change. I also manually booted connected IPs one by one while watching the TX. Finally, I used the “torch” option on the ethernet gateway and sorted by TX usage. Yeahhhh… tons of external connections. My network was being used as some sort of VPN, maybe?

I called the ISP to make sure this was real data being used and not some sort of malfunction or misinformation. He informed me that we were now close to 1 TB of usage.

I reset the router to factory defaults with only the router connected to the modem. Immediately my TX “leak” reappeared. Frustrated, I ran to Walmart and got some bs Netgear router. Hooked that up, zero problems with random TX at high speeds. I set up a traffic meter on the new Netgear box and within the past few hours, I haven’t seen any weird traffic.

Here’s a picture from the torch screen. I would have normally done a screenshot, but this was for texting to a buddy that actually knows what he’s doing (he was lost as well). The MikroTik is now sitting on my desk not connected to anything. Is there a way to see if this thing has been infected and by what?

The symptoms you described are usually related to DNS amplification attacks, which happen if you don’t firewall the routerboard DNS server (UDP 53 on your WAN) from the Internet.

This is a DDoS attack, in which your router’s DNS server receives DNS requests with spoofed source addresses, so the router “thinks” it’s answering a client request (the victim) when it is really being used as part of a big network in a coordinated DDoS attack, overwhelming the victim(s) with unsolicited UDP DNS responses.

Yeahhhh… tons of external connections. My network was being used as some sort of VPN, maybe?

Did you check which kind of traffic (protocol, source and destination ports)? This is important.

To confirm this, you can resort to either torching the WAN interface, or looking at IP > Firewall > Connections, filtering by UDP and sorting by Reply rate.

Another possibility could be the proxy, if you don’t firewall it. That’s why knowing the protocol and ports is so relevant to determine the cause.

Which RouterOS version was being used?

Looks like DNS from his screenshot.

Could you give us some details on your DNS and IP Firewall Filter configs?

It does indeed look like a DNS Amplification Attack.

It would most certainly help if you closed down your incoming DNS ports on the WAN interfaces.

with 53 udp opened :smiley:

The fast answer is to disable “allow remote requests” in DNS.

That doesn’t work; disabling “allow remote requests” will simply make it impossible for your own network clients to use the DNS on your router. The best way to solve it is to drop input on port 53 (both TCP and UDP) on your WAN interfaces.

Again and again… Make a default drop rule in the input chain and put your exclusions before it. Closing just one port while leaving all others open is not a good approach, even if in this case it is just as effective.
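The default-drop input chain recommended in the last reply, combined with the checks suggested earlier in the thread (torch on the WAN port and the connection table filtered by UDP), written out as an added RouterOS example; this is not any poster’s configuration. The interface names `ether1` (WAN) and `bridge` (LAN) are assumed.

```routeros
# Assumed names: ether1 = WAN (modem side), bridge = LAN. Adjust to your board.
# Keep the router usable as a resolver for LAN clients (the thread notes that
# turning this off breaks local DNS); the firewall below keeps it off the WAN.
/ip dns set allow-remote-requests=yes

/ip firewall filter
# 1. Let replies to the router's own traffic through, drop broken state.
add chain=input action=accept connection-state=established,related \
    comment="input: accept established/related"
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"
# 2. Exclusions BEFORE the default drop: LAN may reach router services
#    (DNS, Winbox, etc.), and ICMP is kept for path MTU / diagnostics.
add chain=input action=accept in-interface=bridge \
    comment="input: accept everything from LAN"
add chain=input action=accept protocol=icmp \
    comment="input: accept ICMP"
# 3. Explicit port 53 drops on WAN so the counters show abuse attempts
#    separately from everything else the default rule eats.
add chain=input action=drop in-interface=ether1 protocol=udp dst-port=53 \
    comment="input: WAN DNS udp/53 (open resolver abuse)"
add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=53 \
    comment="input: WAN DNS tcp/53 (open resolver abuse)"
# 4. Default drop for anything else arriving on the WAN interface.
add chain=input action=drop in-interface=ether1 \
    comment="input: default drop from WAN"

# Verification, per the earlier replies in the thread:
# rising packet counters on the two "WAN DNS" rules = queries still arriving, now dropped
/ip firewall filter print stats where comment~"WAN DNS"
# live view of UDP/53 on the WAN port; TX should collapse once the rules are in
/tool torch ether1 protocol=udp port=53
# connection table entries that still terminate on the router's port 53
/ip firewall connection print where protocol=udp and dst-address~":53"
```

Apply these from a LAN-side session, not over the WAN, since the final rule drops everything on `ether1` that an earlier exclusion did not accept.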