Too many "connections" under firewall?

bphillip2 · January 13, 2015, 4:25am

Hello. I have an rb2011uias-2hnd-in running 6.24.

I have been having problems with slow upload, typically 0.6 of 1.8 meg, so I started looking for the source of the problem. The slow speeds seem like they started when I tried to install this http://forum.mikrotik.com/t/tool-realtime-per-ip-traffic-monitor-for-home-office/70028/1 That opened an SSH port and a flood of login attempts started. I changed from the default port and they stopped, perhaps that is why I never got it to work? Later I turned off all the service ports like ftp, ssh etc.

My concern is that at times I see up to 850 “connections” under the firewall, other times as low as 70. Why would there be a hundred connections via udp to one IP? Most show the remote IP as Src and my static IP as Dst. The connections also show port 53 next to my IP.

I tried http://forum.mikrotik.com/t/how-to-block-a-dns-request-from-the-outside-world/63404/1 but it did not seem to help and the first two rules show no activty.

Bryan

TrollMan · January 13, 2015, 8:52am

Sounds like you need to check your FW rules, most likely your running as an open dns and then part of a dns amplification attack

bphillip2 · January 13, 2015, 3:29pm

I am very new to all of this, but I have the basic rules in place that you get with default setup. I would show them but I’m not sure how to copy them from the router except manually. I added these two with no effect (0 bytes processed). The number of connections was unchanged.
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=udp