Outside Interface on CCR1036 FW MAXED

We had a 10-minute period where the outside interface (1 Gig) of our 1036 firewall was maxed out (download only) and no traffic was getting through to the other side. CPU spiked at 75%. Is this most likely a DDoS attack, or are there other possibilities here? I haven't talked to our provider yet to see if they were having some issue (they are not open for a couple more hours), but I'd like to get a jump on this.

Without any information, no one can speculate. You would need some sort of NetFlow device to monitor.

Yeah, I get that. It only happened for 15 minutes, so I don't have a record of it. I've turned on logging, but in the meantime I was casting about for any other possible causes of a massive download that stops at the MT firewall at the head end of the network. In all the reading I've done today, it seems that short DDoS bursts are common and a 1 Gbps connection is quite small by today's standards. Unfortunately, our upstream provider is understaffed and not helpful when it comes to DDoS support. As well as our CCR performed under the load, the load still killed our connection to the Internet for a short time, with 95% of the downstream bandwidth being used. I thought someone might be willing to speculate. It seems unusual that the traffic is first encountered and then stopped at the MikroTik, affecting only one interface: the one to our upstream provider.

Well, more than likely it was a DDoS to your upstream ASN filtering down to you. There are various tools that can analyse real-time traffic that you can deploy.

Thanks. We use Wireshark and the tools included with RouterOS. We have DDoS rules on our firewall and log those. Since nothing showed up in our logs, though, the traffic must have been focused on the input chain, which we aren't logging (too much stuff). Since this seemed to affect only our upstream interface on our main firewall, I'm thinking there may be a way to capture IP addresses on the CCR without crushing the CPU. It might save one step for our provider, who could then block those addresses.
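Added example, not from any of the posts above: one low-CPU way to do what the last two posts ask for on a CCR (export flows to a collector, and record the sources hammering the input chain in an address list instead of logging every packet). It assumes the upstream interface is ether1, a NetFlow collector at 192.0.2.10:2055, and RouterOS 6.x/7.x CLI syntax; the interface name, collector address, list name "flood-src", chain name "flood-detect" and all thresholds are assumptions to adjust for your network.

```routeros
# Added example, not from the thread. Assumptions: upstream interface is
# ether1, NetFlow collector is 192.0.2.10 (documentation address), RouterOS
# 6.x/7.x syntax. Chain/list names and thresholds are illustrative.

# 1. Export flow records instead of logging packets. The exporter runs in
#    the kernel, so the CPU cost stays low, and the collector (not the CCR)
#    does the per-source accounting you would hand to the upstream provider.
/ip traffic-flow
set enabled=yes interfaces=ether1 active-flow-timeout=1m inactive-flow-timeout=15s
/ip traffic-flow target
add dst-address=192.0.2.10 port=2055 version=9

# 2. Catch sources that hammer the router itself (input chain) without
#    logging every packet. dst-limit matches while a source stays under
#    200 packets/s (burst 100), so the first rule returns for normal
#    traffic and only the overflow reaches the address-list rule.
#    place-before=0 puts the jump ahead of the existing input rules.
/ip firewall filter
add chain=input in-interface=ether1 action=jump jump-target=flood-detect \
    place-before=0 comment="classify traffic aimed at the router"
add chain=flood-detect dst-limit=200,100,src-address/1m action=return \
    comment="under the per-source rate: nothing to record"
add chain=flood-detect action=add-src-to-address-list \
    address-list=flood-src address-list-timeout=1h \
    comment="over the rate: remember the source for 1h (non-terminating)"
add chain=flood-detect action=log log-prefix="flood-src:" limit=5,10:packet \
    comment="log at most 5 lines/s so the log itself cannot flood"
add chain=flood-detect action=return

# 3. Drop listed sources as early as possible. The raw table runs before
#    connection tracking, so a listed source costs one address-list lookup.
/ip firewall raw
add chain=prerouting in-interface=ether1 src-address-list=flood-src action=drop

# 4. Read the result, then hand it to the provider.
/ip firewall address-list print where list=flood-src
/log print where message~"flood-src:"

# 5. Optional: a header-only capture for Wireshark, bounded to 20 MB so it
#    cannot fill the disk or run the CPU up during the burst.
/tool sniffer
set filter-interface=ether1 filter-direction=rx only-headers=yes \
    file-name=flood-sample.pcap file-limit=20000
/tool sniffer start
# ... wait for the burst ...
/tool sniffer stop
```

Two caveats a practitioner would want here. Dropping at the CCR only protects the router and the inside network; a volumetric flood that fills the 1 Gbps circuit still fills it, so the address list is evidence for the provider to filter upstream, not a mitigation by itself. And if the sources are spoofed, the list will be long and of little use to the provider, which is exactly what the flow export is for: the collector shows whether the bytes came from a handful of real hosts or from a spread of addresses that never completes a connection.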