Unwanted / unclaimed high WAN traffic

Hello guys,

I have unusually high traffic on my WAN interface. Please assist me in blocking this; I'm new to firewall rules for Mikrotik.

Any advice on how to solve and prevent this problem in the future is highly appreciated.

Thanks in advance.

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface="ether1 - wan"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1 - wan"
add action=drop chain=virus comment=Worm protocol=udp src-port=4444
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface="ether1 - wan"
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

[attached screenshot: 1.jpg]

Looks like your RB is being used in a DNS amplification attack.

Ensure that you have an input-chain-drop-filter for your WAN interface.
Or at least drop UDP port 53 from WAN. That should stop the activity immediately. Like this:
/ip firewall filter add action=drop chain=input dst-port=53 in-interface="ether1 - wan" protocol=udp

I see this rule in your firewall disabled, best to enable it and accept ports to input chain only as needed.
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface="ether1 - wan"

I had the rule enabled, but with it active, DNS is not resolved over PPTP…

Badly implemented firewall rules… You should generally drop new connections from the WAN port in both the forward and input chains. At least.
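A rule set that follows both replies (drop UDP/53 from WAN right away, then drop everything else new from WAN in input and forward) while still letting PPTP clients resolve names, written here as an added example rather than anything the posters provided. It assumes the same "ether1 - wan" interface name as the export above, that the LAN side is a bridge named "bridge", and that the router is a PPTP server for remote users (the TCP/1723 and GRE rules exist only for that case).

```routeros
# Added example (not from the thread). Interface names are assumptions:
# WAN is "ether1 - wan" as in the poster's export, LAN is "bridge".
# The router keeps answering DNS for LAN/PPP clients because
# /ip dns allow-remote-requests=yes; these rules decide who may reach it.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="accept established,related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# DNS only from inside and from PPP (PPTP) clients, never from WAN.
# "all-ppp" is the built-in keyword matching every PPP-type interface,
# including the dynamic <pptp-user> interfaces of connected clients.
add chain=input action=accept protocol=udp dst-port=53 in-interface=bridge \
    comment="DNS from LAN"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=bridge \
    comment="DNS from LAN (TCP)"
add chain=input action=accept protocol=udp dst-port=53 in-interface=all-ppp \
    comment="DNS from PPTP clients"
# Assumption: the router terminates PPTP for remote users. Remove these
# two rules if it does not.
add chain=input action=accept protocol=tcp dst-port=1723 \
    in-interface="ether1 - wan" comment="PPTP control from WAN"
add chain=input action=accept protocol=gre in-interface="ether1 - wan" \
    comment="PPTP GRE from WAN"
# Dedicated drop for DNS from WAN (the immediate stop-gap from the reply);
# the catch-all below would also match it, but a separate rule keeps the
# amplification traffic visible as its own counter.
add chain=input action=drop protocol=udp dst-port=53 \
    in-interface="ether1 - wan" comment="drop DNS from WAN"
add chain=input action=drop in-interface="ether1 - wan" \
    comment="drop all else from WAN"
# --- forward chain: traffic passing through the router ---
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="accept established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface="ether1 - wan" \
    comment="drop new from WAN not DSTNATed"
```

After applying it, `/ip firewall filter print stats` shows the per-rule packet counters, so the "drop DNS from WAN" counter tells you directly whether the query flood is still arriving.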