Strange Re-Boot Problem

I have MT 2.8.22 on RB232 with a public and a private interface, public connected to DSL modem, private connected to an 802.11b access point.

Earlier tonight I started getting huge latency and packet loss to hosts on the Internet and looking at the public interface stats it was running at a near constant 500kbs download and upload. The DSL is only capable of 256k upload. All customers on the private interface connect via static ARP and have simple queues controlling bandwidth. None of this was uploading more than about 50kbs.

Fortunately I have a redundant setup for the DSL and MT so I swapped the access point over. This is with a different provider, public IP address range etc. and with the MT running 2.8.28. After about 2 mins the same thing happened with a constant up/download of 500kbs. Then the Mikrotik rebooted itself. This happened twice about 15 mins apart. I unplugged the access point and the traffic returned to normal. Plugged it back in and it returned to 500k up/down. Unplugged it again and now it’s been back to normal for about half an hour.

Any ideas what I’m seeing here? DoS attack, broadcast storm, virus, faulty AP? I find it particularly strange that the MT should re-boot.

Thanks.

You don’t say what kind of hardware and I never used that version of RouterOS you run but it could be watchdog or hardware heat monitor.
Occasionally I’ve seen a lot of traffic but none of it going through the router because either firewall blocks or it’s a duplex mismatch on ethernet, the latter will produce a lot of broken packets being retransmitted.
If you traceroute all the IPs in your ranges, do any of them make a routing loop (you see it when the same two routers answer more than once)? In that case one would only need a steady stream and that would multiply itself in the loop.

It’s better for a router to reboot than to lock up.

Since you do not make packet dumps available you could be seeing a lot of interesting things as far as I know. Next time do packet dumps! :wink:

Oh and static-arp will create situations for users to DoS or sneak access on your network. Please, do not use that feature unless you have 100% filtering abilities on all nodes connected to that network. Even then it can cause lots of problems inadvertently. Oh and it generates traffic for units that are offline. It does -not- prevent DoS from users. Use firewall and filter packets coming from your users instead.
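
The routing-loop check suggested in the reply above (the same routers answering more than once in a traceroute) can be automated. The following is an added example, not part of either post: it parses `traceroute -n` style text and reports the addresses that repeat. The sample outputs are constructed and use documentation address ranges.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "<ttl>  <rest of line>"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # first IPv4 address on the line

# Constructed sample: two routers bounce the packet between each other.
LOOPING_SAMPLE = """\
traceroute to 203.0.113.77 (203.0.113.77), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.380 ms  0.371 ms
 2  198.51.100.1  8.120 ms  8.004 ms  7.951 ms
 3  198.51.100.9  9.310 ms  9.288 ms  9.190 ms
 4  198.51.100.1  10.552 ms  10.470 ms  10.421 ms
 5  198.51.100.9  11.803 ms  11.770 ms  11.695 ms
"""

# Constructed sample: a normal path with one silent hop.
CLEAN_SAMPLE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  0.401 ms  0.377 ms  0.365 ms
 2  * * *
 3  203.0.113.10  12.044 ms  11.980 ms  11.902 ms
"""

def parse_hops(text):
    """Return [(ttl, responder_ip or None)] for each hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def find_loop(hops):
    """Return the router addresses forming the loop, or None if no address repeats."""
    first_seen = {}
    for idx, (_ttl, ip) in enumerate(hops):
        if ip is None:
            continue  # hop did not answer ("* * *")
        if ip in first_seen:
            # Everything between the first and second sighting is one lap of the loop.
            return [h[1] for h in hops[first_seen[ip]:idx] if h[1]]
        first_seen[ip] = idx
    return None

if __name__ == "__main__":
    for name, sample in (("looping", LOOPING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, "->", find_loop(parse_hops(sample)))
```
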