Hello guys,
Strange behavior of non-existing customers is causing me problems. Let me try to explain:
Let us consider a router with LAN interface ether2 and WAN interface ether1. No additional interfaces are functioning at all. /tool torch shows that IP addresses 200.121.241.221 and 118.160.20.234 generate some (big) upload (for customer) traffic on my LAN interface. See [1] on the attached picture. But I don’t have such addresses. They are somewhere behind our WAN interface.
Traffic can be seen only on our LAN interface as upload [2], and such traffic doesn’t exist on the WAN one [3].
This “alien behavior” makes conclusions on the network and worse QoS.
Hi there!
Thanks, Chupaka, for your interest. And an answer.
Here are two screenshots with Port/Protocol marked. Nothing interesting can be observed on the shots, unfortunately.
Look: the “aliens” (IP addresses that are not ours) generate a big amount of traffic, BUT ONLY UPLOAD. With zero download:
They can make more than 100% of all the router’s traffic:
Both pics show zero packets downloaded and a big amount of traffic uploaded.
And at last, this traffic stops if the WAN iface is disabled!
Yeah, I perfectly know that it’s better to find a solution, not to scratch it away. But can you help me to "add firewall filter logging rule to see from what to what interface these packets go. then to block wrong flows"? These addresses we saw on the pics above cannot be matched at all. Or (what is more true) I cannot do that.
And see whether that rule counts the packets. Then change ‘passthrough’ to ‘log’ to see from what interface the packet comes. Then try the ‘forward’ chain.
BTW, if we have a queue rule that limits “all the rest” traffic, there is no such traffic from those addresses that are not ours. They are not decreased, they stopped. Pretty impressive, eh…
Are you 100% sure your ether2 interface is not the WAN? (I see so many different ‘public’ addresses in your src list in torch that I would think it is a public interface you run torch on. I made such a mistake in the past!)
If it is, then such behaviour is more explainable.
No abuses, please… I CAN distinguish between WAN and LAN interfaces…
Yes, this made me say “strange” when I started this post.
Now we have no “loops”, routing errors or any other stupid mistakes. This network has worked perfectly for MORE THAN 11 years! Router - 6 years with MikroTik. Of course, it was modified several times over these years…
At last I successfully captured what actually goes on. I caught the villain…
See the picture attached to this post.
Notes:
[1]. ether2 is our LAN interface. There is only one more active interface - ether1, which is the WAN interface.
[2]. The “evil-doer” (green colored) acts from our LAN interface - just like he is our customer. But this is not our IP address.
[3]. Every attacker’s packet comes from a different MAC address (red colored) - maybe it’s an algorithm that changes the last two parts of the address (see red frames on the picture).
Please, HELP!
This attack dynamically decreases the router’s performance and stops some services altogether.
Maybe I need a new concept for the router’s firewall, but I do not understand what actually goes on.
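The logging-rule approach suggested above (log packets per in-interface, then block the wrong flows) and the capture notes (non-LAN source addresses entering on ether2, a different MAC on every packet) can be checked mechanically. The following is an added example, not code from this thread or from MikroTik: it parses constructed log lines written in the shape RouterOS produces for an `action=log` firewall rule, groups packets that entered on the LAN interface with a source outside the LAN prefix, counts distinct source MACs per IP, and builds the corresponding drop rule. The LAN prefix 192.168.88.0/24 is a placeholder assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed LAN side and prefix (the thread names ether2 as LAN; the prefix is a
# placeholder, not taken from the post).
LAN_IFACE = "ether2"
LAN_NET = ipaddress.ip_network("192.168.88.0/24")

# Constructed sample lines in the shape RouterOS writes for a firewall rule with
# action=log (interface pair, src-mac, proto, src:port->dst:port, length).
SAMPLE_LOG = """\
forward: in:ether2 out:ether1, src-mac 00:0c:29:11:22:33, proto TCP (SYN), 192.168.88.15:51234->93.184.216.34:443, len 60
forward: in:ether2 out:ether1, src-mac 02:ab:cd:10:20:30, proto UDP, 200.121.241.221:4444->8.8.8.8:53, len 1400
forward: in:ether2 out:ether1, src-mac 02:ab:cd:10:21:31, proto UDP, 200.121.241.221:4444->8.8.8.8:53, len 1400
forward: in:ether2 out:ether1, src-mac 02:ab:cd:10:22:32, proto UDP, 118.160.20.234:4444->8.8.8.8:53, len 1400
forward: in:ether1 out:ether2, src-mac 00:11:22:33:44:55, proto TCP (ACK), 93.184.216.34:443->192.168.88.15:51234, len 52
"""

LINE_RE = re.compile(
    r"in:(?P<in>\S+) out:(?P<out>\S*), src-mac (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), "
    r".*?(?P<src>\d+(?:\.\d+){3})(?::\d+)?->(?P<dst>\d+(?:\.\d+){3})(?::\d+)?, len (?P<len>\d+)"
)


def find_spoofed_sources(log_text, lan_iface=LAN_IFACE, lan_net=LAN_NET):
    """Group packets that entered on the LAN interface with a source address
    outside the LAN prefix. Many distinct MACs for one source IP is the
    randomised-MAC pattern described in the capture notes."""
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0, "macs": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["in"] != lan_iface:
            continue  # unparsable line or traffic that did not enter on the LAN
        src = ipaddress.ip_address(m["src"])
        if src in lan_net:
            continue  # legitimate customer traffic
        entry = hits[str(src)]
        entry["packets"] += 1
        entry["bytes"] += int(m["len"])
        entry["macs"].add(m["mac"].lower())
    return {ip: {**e, "macs": sorted(e["macs"])} for ip, e in hits.items()}


def drop_rule(lan_iface=LAN_IFACE, lan_net=LAN_NET):
    """RouterOS CLI line that drops such packets once the logging rule has
    confirmed them (the '!' negates the src-address match)."""
    return (f"/ip firewall filter add chain=forward in-interface={lan_iface} "
            f"src-address=!{lan_net} action=drop comment=spoofed-lan-source")
```

Run the logging rule with `action=log` first and feed its output to `find_spoofed_sources`; only add the drop rule after the report matches what torch shows.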
Surfertim’s suggestion suppresses the fever but doesn’t cure the disease.
I don’t know how the rest of your network set-up is, but you have to try to find the source. Probably by eliminating possible sources. So disconnect users one by one until you see this traffic stream die. You should then at least have found the unit where it comes from. To me it looks like a trojan or virus generating traffic under a pseudo IP and fake (random) MAC. Or maybe a ‘bot’ broadcasting to the world that it is there (but nobody hears it!)
Probably a client of yours has an infected machine.
So try to find the source by eliminating each and every one, one by one, until the culprit is found… that’s what I would do. (I am not saying this is the solution, it’s a suggestion.)
Not possible to cure for me. I have about a hundred clients at a time, and they come and go. They buy time and expect service, whether or not their computer has a virus. The best I can hope to do is keep the ‘fever’ from doing a DoS on my routers. Not much of a cure, is it? But I was thinking the bridge on his setup may have a part in this. If it is looping back traffic, that could really cause some problems.