I think I’m being the victim of an attack because in the log I get what appears in the image and this causes me to block the computer.
I have managed to find out which sector is the problem but I do not know how to block this ip address. Can you help me?
I currently use a radius server to authenticate by PPPOE
Whats your Problem, of this User does not have valid usernane and Password, what should je do?
This Messages Are Not an real Attack,
Of the MaC Adresse change Every Time, this would
I Call an attack
If you do the PPPOE config on your SXT eg, this is an Mikrotik Device. Look at Mac, Look at AP Registration Table dir this Mac
Hi, what can I do? I created rules in the bridge to block the mac. Because when it takes 5 minutes maximum blocks the router and restarts and so continuously.
How can I avoid it …?
Put WPA2-EAP authentication on your WiFi with the same user/pass as used on PPPoE (to reduce user confusion).
So the user first connects to your WIFi using their credentials, then once successful they establish the PPPoE with those same credentials.
This solves the problems caused by having open WiFi.
I do not have the wifi open, I have security wpa2, and once it connects to the network with the credentials the pppoe dial is made
You will have to analyze the situation and find what is going wrong.
And then adjust something in your network so it cannot happen anymore.
It is not possible to give you advise because you provide so little information.
What more data do you need? Ask them and I will be happy to facilitate them?
It is nearly impossible to do such analysis via a forum.
You know your own network, you know what is happening, and you post a screenshot saying there is an attack.
Could be, but for all purposes it could just be a paying customer with a problematic connection.
You will have to research those things yourself.
The very first thing I’d do would be to set the pado-delay parameter of /interface pppoe-server server to something like 2000 (I believe it’s milliseconds). If the client implementation is not crazy, this should make it re-send the PADI less frequently than six times a second. It won’t neccessarily make it wait all those 2 seconds, it may not be that patient, but it’s worth trying anyway.
Regardless whether the above helps or not, I’d check whether the requests coming from that MAC bear a valid username and password. This should be better visible in the log of the RADIUS server than in the Mikrotik’s one, but activating the debug using /system logging add topics=pppoe may be sufficient to see something useful in Mikrotik’s log.
Even if delaying PADO doesn’t help, the CPU load comes from the complete handling of the PPPoE incoming connection; just dropping six frames per second using a single rule in /interface bridge filter is nothing that should make your CPU sweat. So while you are not analysing the behaviour, that rule should prevent the reboots from happening.
Thank you very much, I have been very helpful, I’m going to put on all the challenged to 2000ms and with that I have already lowered the CPU a lot, I have also found the attacker, it seems a firmware problmea of a sxt lite AC 5
Again, Thank you very much for your help
Might not be your case, but many users are having problems with pppoe-client looping.
Who knows, it might be the same in your case, a stuck in a loop mikrotik router trying to connect to your pppoe server.
See: http://forum.mikrotik.com/t/frequent-pppoe-terminations/108212/1 for example.