So it looks like someone has gotten wise to Mikrotik’s having bandwidth-test enabled by default and pretty much every public IP-facing Mikrotik we have has logs looking like this now:
Upside: Getting more targeted attacks against Mikrotiks means they’re becoming just that much more mainstream!
Downside: Getting more targeted attacks.
I mean yeah, it’s our fault for not disabling or securing it from “default-to-on-and-open” in the first place. Anyway, this is an easy audit/fix for most people, just disable the bandwidth-test server where not needed, and firewall it otherwise.