I have a MikroTik CCR1036-8G-2S+ router with approx. 1600 PPPoE connections online. Sometimes a few users send high uploads to the router beyond their allotted limit (they send even 50 Mbps uploads even when a max 5 Mbps upload speed is allotted to them), causing the CPU to go over 90% and affecting the internet speed for all the users. What can be the reason behind this?
Screenshot attached for example purposes.
The user has a maximum limit of 5 Mbps only.

And the ports are 53? Most probably a DNS amplification attack, like always… Correct your and their firewalls…
Hi,
let me hijack your thread a little bit!
I had a similar situation: a UDP connection on port 9001 from a user PPPoE interface was killing my backhaul link. I solved it with the firewall!
But I am still wondering how come it was generated from the PPPoE interface on the core router (the host has a local IP) and how come it was bypassing the PPPoE queue rule?
If the UDP packets are coming from the internet, going out to the pppoe client, it’s because UDP is connectionless and there is no good way of slowing down the incoming. It can come in at the full WAN rate, the queue can only throttle what it passes on to the client.
Yes, I said it wrong: the connection was opened from the client, but the UDP packets were then coming from the internet. I was confused because the traffic didn't pass to the AP and to the client, but when I think of it now, it probably was, but at max 5 Mbit!
Not sure what you can do about that. What port is the traffic coming in on?
Given that it’s only one IP, I would guess it’s not a DNS amplification.