Why is my Mikrotik generating outgoing traffic?

All of a sudden I am experiencing the strange behaviour I can show with one screenshot.
The eth1 (wan1) is sending about 2 Mbps of traffic, while the overall traffic from the other interfaces is actually negligible.
The only services available are webfig, api and www only available from inside.
I have disabled all NAT, all IPSec and so on.
This machine is replacing an older (and different) firewall with "more or less"™ the same semantics.
Any hint on how to troubleshoot this? How can I see what is generating all this traffic (apparently) from inside the router?

Do you have SSH on port 22 accessible from the WAN? Show us your firewall rules and the services running.
Also it can be wireless interface traffic.

possible amplification attack

check incoming dns,ntp,telnet and ssh connections (to the router)

My device has no wireless interface, as you can see from screenshot.
My network is not a trivial one.
LAN (10.16.16.x) connects to 10.72.5.0/24 and a gateway (10.73.1.3) connects to 10.72.3.0/24.

[admin@NA1] /ip firewall> export
# oct/28/2015 21:38:50 by RouterOS 6.32.3
# software id = XXXX-XXXX
#
/ip firewall address-list
add address=A.B.C.196 comment=local disabled=yes list=remote_access
add address=X.Y.Z.114 disabled=yes list=remote_access
add address=10.72.1.0/24 list=remote_access
add address=10.72.5.0/24 list=remote_access
add address=10.16.16.1 list=remote_access
add address=10.16.16.5 list=remote_access
/ip firewall filter
add chain=forward dst-address=10.72.3.0/24 src-address=10.72.5.0/24
add chain=forward dst-address=10.72.5.0/24 src-address=10.72.3.0/24
/ip firewall nat
add chain=srcnat comment="Traffico Passante SA1<-->TFGG" dst-address=10.72.8.0/24 src-address=10.72.1.0/24
add action=dst-nat chain=dstnat comment="Traffico IN server NA1" dst-address=A.B.C.195 to-addresses=10.72.1.2
add action=src-nat chain=srcnat comment="Traffico OUT server NA1" dst-address=!10.0.0.0/8 src-address=10.72.1.2 to-addresses=\
    A.B.C.195
add action=src-nat chain=srcnat comment="Traffico OUT x utenti LAN1" disabled=yes dst-address=!10.0.0.0/8 src-address=10.72.1.0/24 \
    to-addresses=A.B.C.197
add action=masquerade chain=srcnat comment="Traffico OUT WAN1 (Fastweb)" out-interface=ether1-wan
add action=masquerade chain=srcnat comment="Traffico OUT WAN2 (Welcome)" disabled=yes out-interface=ether8-wan2

[admin@NA1] /ip service> export
# oct/28/2015 21:41:46 by RouterOS 6.32.3
# software id = XXXX-XXXX
#
/ip service
set telnet address=10.72.1.0/24 disabled=yes
set ftp address=10.72.1.0/24 disabled=yes
set www address=10.0.0.0/8
set api address=10.0.0.0/8
set winbox address=10.0.0.0/8
set api-ssl disabled=yes

Any hint on how to “check for incoming dns, ntp …”?
I mean, I do know about UDP:53, TCP:53, UDP:123, TCP:23 and the like.
But I am new to Mikrotik and have no idea on how to “check” them on RouterOS.

Update. I dropped all traffic incoming from WAN on UDP:53 and UDP:123.
It looks like things started going back to normality.
But, please, go on elaborating on your hints: I need to get more skills on this wonderful product! Thanks.

Sure it was a DNS amplification attack. It’s normal when you enable the DNS cache service and don’t block incoming DNS resolution requests from the WAN side… Use torch to check the traffic when it looks abnormal. You would see it immediately.
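As an added illustration of what "see it immediately" looks like in numbers (this is not code from the thread or from MikroTik), the script below reads flow records in a torch-like layout and flags source ports on which the router itself sends far more bytes than it receives, to several distinct peers. That is the signature of a reflector: small queries in from many spoofed sources, large answers out. The records, the interface name and the router address A.B.C.195 (the anonymised address from the export above) are constructed for the example; the thresholds are assumptions to tune per link.

```python
"""Spot reflection/amplification traffic in torch-style flow records (added example)."""
from collections import defaultdict

# Constructed flow records, NOT real captured data, in a torch-like layout:
#   interface proto src:port dst:port tx_bytes rx_bytes
# tx/rx are counted from the router's point of view on that interface.
SAMPLE_TORCH = """\
ether1-wan udp A.B.C.195:53 198.51.100.10:4444 92000 640
ether1-wan udp A.B.C.195:53 198.51.100.11:4444 88000 600
ether1-wan udp A.B.C.195:53 203.0.113.7:53 95000 660
ether1-wan udp A.B.C.195:53 203.0.113.8:53 91000 620
ether1-wan udp A.B.C.195:123 198.51.100.20:123 48000 300
ether1-wan udp A.B.C.195:123 198.51.100.21:123 47000 280
ether1-wan udp A.B.C.195:123 198.51.100.22:123 46000 290
ether1-wan udp A.B.C.195:40001 8.8.8.8:53 120 380
ether1-wan tcp A.B.C.195:443 203.0.113.50:51000 4200 900
"""


def parse_torch_lines(text):
    """Parse the constructed whitespace-separated records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        iface, proto, src, dst, tx, rx = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append({
            "iface": iface, "proto": proto,
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "tx": int(tx), "rx": int(rx),
        })
    return flows


def find_reflection(flows, router_ip, min_ratio=5.0, min_peers=3):
    """Group flows sourced by the router by (proto, source port) and report
    ports where bytes out exceed bytes in by min_ratio across min_peers
    or more distinct destinations. Thresholds are assumptions, not a standard."""
    by_port = defaultdict(lambda: {"tx": 0, "rx": 0, "peers": set()})
    for f in flows:
        if f["src"] != router_ip:
            continue  # only traffic the router itself originates
        agg = by_port[(f["proto"], f["sport"])]
        agg["tx"] += f["tx"]
        agg["rx"] += f["rx"]
        agg["peers"].add(f["dst"])

    suspects = {}
    for key, agg in by_port.items():
        ratio = agg["tx"] / max(agg["rx"], 1)
        if ratio >= min_ratio and len(agg["peers"]) >= min_peers:
            suspects[key] = {
                "ratio": round(ratio, 1),
                "peers": len(agg["peers"]),
                "tx_bytes": agg["tx"],
            }
    return suspects


if __name__ == "__main__":
    for (proto, port), info in find_reflection(parse_torch_lines(SAMPLE_TORCH), "A.B.C.195").items():
        print(f"{proto}/{port}: out/in ratio {info['ratio']}, {info['peers']} peers, {info['tx_bytes']} bytes out")
```

On the constructed data only udp/53 and udp/123 are reported; the router's own lookup to 8.8.8.8 (small out, larger in) and the single HTTPS session stay below the thresholds. On a real box the same numbers come from /tool torch on the WAN interface with the port column enabled, or from a /tool sniffer capture.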

Unless DNS cache is turned on by default, I don’t have it.
Thanks for the hint.

I once had a similar issue long ago, but mine was very high traffic from the hotspot interface while no one was online at the time.

The solution was to navigate to IP - Hotspot - Host, locate and block the MAC address that was doing the transmission. Instantly, the traffic went down. This means there was an issue with the client's system: either it was transmitting something like an SQL virus, or it had a faulty NIC, or it was even using cloning software.

In my case there is no wifi at all.

One big question.
As my previous firewall solution was not allowing such a behaviour, isn’t it possible there’s something missing in RouterOS? Or is the “old” one much smarter than Mikrotik?
As I said, if I replaced the Mikrotik with the old one, everything went back to normal within seconds.

Sorry, but networking is not a guessing game…
Use /tool torch or sniffer to see what traffic is that.

I do know which traffic was it: DNS and NTP.
My question is about the difference in behaviours between two products.

There are hardly any connection-state=new connections that you need to accept from the public port, basically only management tools like winbox and ssh.
The rest should be dropped, either by the default configuration or a custom one - something like this:

/ip firewall filter
add chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=reject chain=input dst-port=53 in-interface= protocol=udp reject-with=icmp-port-unreachable
add action=reject chain=input dst-port=53 in-interface= protocol=tcp reject-with=icmp-port-unreachable
add action=reject chain=input dst-port=123 in-interface= protocol=udp reject-with=icmp-port-unreachable
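To make the first-match behaviour of that rule set concrete, here is an added Python model of the input chain (not RouterOS code and not from the post): each rule is evaluated in order, the first match decides, and a packet that matches nothing gets the built-in accept. The blank in-interface in the post is filled with ether1-wan, taken from the NAT export earlier in the thread, and a final catch-all drop for the WAN interface is appended to stand for "the rest should be dropped"; both are assumptions. The packets are constructed.

```python
"""First-match evaluation of a RouterOS-style input chain (added illustration)."""
from dataclasses import dataclass
from typing import Optional, Tuple

WAN_IF = "ether1-wan"  # assumed WAN uplink, name taken from the thread's NAT export


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str = "accept"                  # RouterOS: an omitted action means accept
    protocol: Optional[str] = None           # None = any protocol
    dst_port: Optional[int] = None           # None = any port
    in_interface: Optional[str] = None       # None = any interface
    connection_state: Tuple[str, ...] = ()   # empty = any state


@dataclass(frozen=True)
class Packet:
    chain: str
    protocol: str
    dst_port: int
    in_interface: str
    connection_state: str  # new / established / related / invalid


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must agree with the packet."""
    if rule.chain != pkt.chain:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.in_interface is not None and rule.in_interface != pkt.in_interface:
        return False
    if rule.connection_state and pkt.connection_state not in rule.connection_state:
        return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """Action of the first matching rule; 'accept' when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "accept"


# The post's rules in the post's order, plus an assumed catch-all drop from the WAN.
RECOMMENDED = [
    Rule("input", connection_state=("established", "related")),
    Rule("input", action="drop", connection_state=("invalid",)),
    Rule("input", action="reject", protocol="udp", dst_port=53, in_interface=WAN_IF),
    Rule("input", action="reject", protocol="tcp", dst_port=53, in_interface=WAN_IF),
    Rule("input", action="reject", protocol="udp", dst_port=123, in_interface=WAN_IF),
    Rule("input", action="drop", in_interface=WAN_IF),
]

# Same rules with the established/related accept moved to the end.
MISORDERED = RECOMMENDED[1:] + RECOMMENDED[:1]

# Constructed packets arriving at the router itself.
WAN_DNS_QUERY = Packet("input", "udp", 53, WAN_IF, "new")            # a reflector probe
LAN_DNS_QUERY = Packet("input", "udp", 53, "ether2-lan", "new")      # an inside client
DNS_REPLY_TO_ROUTER = Packet("input", "udp", 40001, WAN_IF, "established")  # answer to the router's own lookup
WAN_WINBOX_NEW = Packet("input", "tcp", 8291, WAN_IF, "new")          # not allowed in this example


if __name__ == "__main__":
    for name, pkt in [("WAN DNS query", WAN_DNS_QUERY), ("LAN DNS query", LAN_DNS_QUERY),
                      ("DNS reply to router", DNS_REPLY_TO_ROUTER), ("WAN winbox", WAN_WINBOX_NEW)]:
        print(f"{name:20s} ordered={evaluate(RECOMMENDED, pkt):7s} misordered={evaluate(MISORDERED, pkt)}")
```

The model shows why the first two rules sit at the top: with the established/related accept first, the answer to a lookup the router itself made is accepted before any later rule is consulted, while in the misordered list the same packet reaches the catch-all drop and the router's own DNS stops working. The query from the LAN interface is accepted because no rule matches it, and the query from the WAN is rejected by the port 53 rule exactly as the post intends.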

I think those 2 first rules need to be put at the very beginning. Right?
But the action for the 1st one and the match for the second one are not clear to me.
Why not simply drop the dns and ntp connections?
Thanks.