RB 1100 AHx2 DNS - DDOS? Name resolution issues, how to find where the issue is?

Hi Folks,

RB 1100 AHx2, CPU and Memory fine

I am somewhat new and not very experienced with MT. Over the past five days we have had what seems to be DNS issues. Just about every web page I try to load takes too long to load or will not load at all. Doing tracert, PingPlotter, and pings shows fine one hour and down the next; routes go all the way through to the destination, but then later there are problems halfway through or right at the RB. There are many clients behind this router. I am trying to install a network flow analyzer but can’t stay connected long enough to the provider server to install it.

What procedures should I be taking to find a cure or a process of elimination? Is there paid support for a MT technician to help with this immediately?

Thanks very much,
Camel

A common problem is if you have DNS set to allow-remote-requests=yes, and no input filter to block DNS queries originating from the WAN interface(s).

In general, the input chain should have a final rule to drop all packets, after all rules which permit the connections you want…

/ip firewall filter
# replies to connections the router itself opened (e.g. its upstream DNS queries)
add chain=input connection-state=established,related action=accept
# anything arriving on a non-WAN interface may reach the router
add chain=input in-interface=!wan action=accept
# everything else (including DNS queries from the WAN) is dropped
add chain=input action=drop

obviously this is a very simple chain and your exact configuration might require something slightly different but if you have a single WAN and want to allow full access to the router, but only from your inside network, this will fit the bill.

Thanks zero byte,

I will look into that and implement it. That makes sense. I just loaded a backup I had from almost two months ago and I am back up and running well. Clearly something happened over time. We have added a lot more clients since then. What happens to the queries that don’t get blocked or dropped?

Appreciate the help.

C

They get answered. :wink:

And that’s what the ddos attacker is counting on - his zombie network sends you a small packet (dns question) that generates a large reply (usually they ask for something that returns a lot of A records, NS records, and/or CNAME records in a single reply).

Joking aside - what happens is that your Mikrotik will then send the same query to one of its configured DNS resolvers, and accept the reply from that resolver. It will then cache the information for whatever time is specified in the TTL, and lastly, it will respond to the original query. Of course, if the answer is in cache, it won’t ask the DNS resolver again, it will just send whatever is in the cache.

Excellent information, thank you.

Could I test if I am being attacked by clearing my dns cache then?

Best,
C

I’d use the torch tool.

If you see lots of udp:53 traffic to a few IPs out there in the Internet, then you’re being used as a DNS-amplifier, and the public IPs with all of the traffic are the victims of the attack.

If you see lots of connections to the same port number on lots of different hosts - this is what P2P traffic usually looks like…
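The torch check described above, written out as an added example (not part of the original reply). It assumes the WAN interface is named ether1 and adds a harmless counting rule so the number of WAN-side DNS queries can be read off without guessing from the live torch view; the rule comment is an arbitrary label:

```routeros
# Live view of UDP/53 traffic on the WAN interface: many different
# source addresses asking, or a handful of destinations receiving
# large replies, is what a DNS-amplification pattern looks like.
/tool torch interface=ether1 protocol=udp port=53

# Short capture of the same traffic when torch alone is not enough
/tool sniffer quick interface=ether1 port=53

# Counting rule: passthrough changes nothing, it only increments
# the counters for DNS queries that arrive from the WAN.
# (assumption: ether1 is the WAN interface)
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=passthrough comment="count-wan-dns"

# Read the counters after a few minutes
/ip firewall filter print stats where comment="count-wan-dns"

# How much the router's resolver cache has grown
/ip dns cache print count-only
```

If the passthrough counters climb steadily while your own LAN is quiet, outside hosts are using the router as an open resolver; the counting rule can then be changed to action=drop, or replaced by the input-chain rules discussed elsewhere in this thread.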

I think MT should disable the remote requests by default.

I have seen a lot of posts with users forgetting to disable it or configure the firewall rules.

Also I have found that sometimes when you upgrade from 5.26 to 6.xx the allow remote requests gets enabled if it was disabled before the upgrade.

There was a similar thread recently:

http://forum.mikrotik.com/t/rb1100ahx2-slowed-to-a-crawl/95508/4

You need remote requests for DNS to work. What you want to do is whitelist your DNS servers and block everything else except LAN.

It is described here:
http://forum.mikrotik.com/t/rb1100ahx2-slowed-to-a-crawl/95508/4
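Putting the two replies above together (keep allow-remote-requests enabled so LAN clients can use the router as resolver, but let only the LAN and the router's own upstream replies reach the DNS service), here is an added example configuration, not taken from the thread or from MikroTik documentation. ether1 as WAN, ether2 as LAN, and the resolver addresses 192.0.2.53 and 198.51.100.53 are placeholders to be replaced with your own:

```routeros
# Upstream resolvers the router forwards to (placeholder addresses)
/ip dns set allow-remote-requests=yes servers=192.0.2.53,198.51.100.53

/ip firewall filter
# Replies to queries the router sent upstream come back as established/related,
# so the upstream servers need no separate whitelist rule in the input chain.
add chain=input connection-state=established,related action=accept \
    comment="replies to router's own connections"
add chain=input connection-state=invalid action=drop

# The LAN (assumption: ether2) may query the resolver and manage the router
add chain=input in-interface=ether2 action=accept comment="LAN to router"

# Explicit drops for DNS from the WAN (assumption: ether1). They are redundant
# with the final drop, but their counters show how many queries still arrive.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="WAN DNS udp"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="WAN DNS tcp"

# Everything else from the WAN is dropped
add chain=input in-interface=ether1 action=drop comment="WAN catch-all"
```

New rules are appended at the end of the chain, so if an existing catch-all drop is already present, check the order with `/ip firewall filter print` and use `/ip firewall filter move` to place the accept rules above it; otherwise the LAN rule never matches.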

Hi folks,

I am reviving this small thread because of the relation to the issue I have, and I will be starting a new, more appropriate thread for the cloud core router I am using. I just find it odd that I would experience the same issue.

Knowing the DNS issue of the 1100 and the crawls it does, I replaced the unit with a cloud core (for other reasons) and I received similar dragging to the point where the CPU was at 85-90% where nothing was getting through. I have to look at the possibility of an attack but first I will put the rule in to drop unwanted traffic. Are there any other steps I should take other than the information already given? How can I track this particular traffic to know what it is doing?

Also, is it possible to restore a backup from the 1100 to the cloud core?

Much appreciated,
Camel

DNS crawls? There shouldn’t be anything special about the 1100 hardware that makes it “do things” that it shouldn’t where a CCR would not…
But you did state that there were other reasons for the upgrade…

You’ll need to export the configuration as a script from the command line (/export compact) and then edit this in a text editor to make sure the interfaces and other hardware-specific things are translated to the new platform, and then import the script on the CCR.