Unknown Upload!

Hello Networkers,

I have a public IP address on the WAN port and a hotspot server on the LAN ports (RB2011UiAS). The problem is that sometimes I can see the WAN port passing large amounts of traffic (upload only), even if I disable all the interfaces (except WAN) on the RB!!!
Does anyone have an explanation for this case?

Block all ports in the input chain except what you want to be available on the WAN side. Maybe DNS or NTP is causing this, or some kind of multicast or broadcast flooding.

My provider's WAN is a citywide /24 and I often face some ARP flood of about 8 or 9 Mbps for 1 or 2 hours. After some investigation I found that it was caused by an IP address duplication by some moron. He was using the same IP on 2 different network cards.

Perform a torch with port and protocol selected as well.

Drop port 53

This looks like a DNS amplification attack.
Drop port 53 just like InoX above me suggests.

I suspect that DNS is causing this too, but how is the hotspot going to work without DNS?

ip dns print
servers: 8.8.8.8
dynamic-servers:
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 1896KiB

You don’t need DNS on the public interface! Make a firewall rule that drops DNS from unknown networks or interfaces where there are no hotspot users.

Make sure that your INPUT chain rule dropping DNS comes AFTER the rule which accepts connection-state=established,related.
This way, your router will still get replies for DNS requests that it made for itself (or for the users), but nobody will be allowed to ask it a new question from the WAN side.
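An added example (not from the thread) of an input chain that follows the ordering advice above. It assumes the WAN interface is named ether1-gateway and the hotspot LAN bridge is named bridge-hotspot; adjust both to your own setup.

```routeros
# Added example, not from the original thread.
# Assumed interface names: WAN = ether1-gateway, hotspot LAN = bridge-hotspot.
/ip firewall filter
# 1. Replies to queries the router itself (or its hotspot users) started are always allowed in.
add chain=input connection-state=established,related action=accept comment="accept replies to our own queries"
# 2. Packets that belong to no known connection are dropped early.
add chain=input connection-state=invalid action=drop comment="drop invalid"
# 3. Hotspot clients may use the router as their resolver, so the hotspot keeps working.
add chain=input in-interface=bridge-hotspot protocol=udp dst-port=53 action=accept comment="hotspot clients: DNS over UDP"
add chain=input in-interface=bridge-hotspot protocol=tcp dst-port=53 action=accept comment="hotspot clients: DNS over TCP"
# 4. Nobody on the WAN side may open a NEW DNS conversation with the router.
#    These rules sit after rule 1, so the router's own outbound lookups still get their answers.
add chain=input in-interface=ether1-gateway protocol=udp dst-port=53 action=drop comment="WAN: drop new DNS queries (amplification abuse)"
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=53 action=drop comment="WAN: drop new DNS queries (TCP)"
```

Verify the order with `/ip firewall filter print` and watch the packet counters on the two WAN drop rules; a counter that climbs quickly during the "unknown upload" indicates the router was answering queries sent from the WAN side.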

It's DDoS attacks; I have also faced this issue on my 2 different Mikrotik routers.
The following changes solved this problem at my end.

Disable DNS if not required.
If DNS – Allow remote requests is enabled, make sure an appropriate filter rule is set to prevent incoming DNS attacks.

/ip firewall filter
add action=drop chain=input dst-port=53 protocol=udp comment="drop incoming DNS queries (UDP)"
add action=drop chain=input dst-port=53 protocol=tcp comment="drop incoming DNS queries (TCP)"

Disable SSH and Telnet access if not required.
Change the HTTP port to some port other than port 80.

For more details you can visit the following website.
http://srijit.com/how-to-protect-your-mikrotik-router-from-ddos-attacks/