Unauthorised access in our router

Dear All,
We are getting a huge number of TCP and UDP packets on our router from outside, from multiple IPs, which increases our upload traffic. Can anyone suggest a solution to stop it?

Please find the torch report in the attachment.


Regards,
Mak

It’s not very clear from your post what is being accessed, if anything.

Someone in your network is browsing the Internet. What should be wrong with it?

Hello,
These packets are not generated from the internal network. All packets come from outside hosts.

If you base the statement of packet direction on the fact that the IP is listed under dst ip in the torch listing, this is not correct.
The src/dst should be read as remote/local (maybe it is time to correct this in winbox?).

Hello,
Please find the attached file. eth3 is our local network and eth 10 is the WAN link. You can see the TX and RX traffic differences on both interfaces.

When we torch eth 10, we see a huge number of packets coming from the outside network, which is affecting our router.


Mak..

There may be port redirections opened by UPnP. Check it, close the redirections and drop the connections. Implement common firewall rules that will not allow incoming traffic if not requested from inside.

Seems to me that you have a “NAS” (given by the interface comment) that is being accessed. Maybe you have a Torrent Client on the NAS? Maybe even a Plex server syncing to the cloud?

Do you have a decent set of filter rules? A blacklist?
In this post: http://forum.mikrotik.com/t/blacklist-filter-update-script/89817/1 I give a very nice set of firewall rules to help out.

Can you provide a sample firewall rule to implement common firewall rules that will not allow incoming traffic if not requested from inside?


Regards
Mak

Input chain: drop all on the external interface.
Forward chain: On internal interface accept all, on external interface accept only established and related, and drop the rest.
If you use NAT, it has exactly the correct side effect on the forward chain due to connection tracking…
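The rule set described in the reply above, written out as RouterOS commands. This is an added example, not a poster's own configuration: the interface names `ether3` (LAN) and `ether10` (WAN) are assumptions based on the "eth3" and "eth 10" mentioned in the thread, and the established/related accept on the input chain is an addition so that replies to the router's own DNS and NTP queries are not dropped.

```routeros
# Added example, not from the thread.
# Assumed interface names: ether3 = LAN, ether10 = WAN. Adjust to your router.

/ip firewall filter

# Input chain (traffic addressed to the router itself).
# Accept replies to connections the router opened, then drop the rest from WAN.
add chain=input in-interface=ether10 connection-state=established,related \
    action=accept comment="WAN input: replies to router-originated traffic"
add chain=input in-interface=ether10 action=drop \
    comment="WAN input: drop everything unsolicited"

# Forward chain (traffic passing through the router).
# Anything entering from the LAN side is allowed out.
add chain=forward in-interface=ether3 action=accept \
    comment="LAN forward: accept all"
# From the WAN side, only packets belonging to connections opened from inside.
add chain=forward in-interface=ether10 connection-state=established,related \
    action=accept comment="WAN forward: established and related only"
add chain=forward in-interface=ether10 action=drop \
    comment="WAN forward: drop the rest"

# UPnP check suggested earlier in the thread.
# Show the UPnP state and any NAT rules created dynamically (UPnP port mappings).
/ip upnp print
/ip firewall nat print where dynamic
# Disable UPnP if the port mappings are not wanted.
/ip upnp set enabled=no
```

Rules are matched top to bottom, so each accept must sit above the drop for the same interface. Apply the input rules from the LAN side or in Safe Mode, since a session managed over the WAN link will be cut by the drop rule.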

My first post in this thread has a good set of firewall rules.
http://forum.mikrotik.com/t/blacklist-filter-update-script/89817/1