igpetkov
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 09, 2014 10:27 pm

High CPU Load

Mon Feb 01, 2016 9:37 pm

Hi, All!
I have a problem with my RB750GL: the CPU load is very high. In Profile I see that "dns" usage is 80-90%.
1.png
When I stop "Allow Remote Request", the usage goes down. Can someone explain that?
2.png
Can I fix that problem?
Thank you
 
darkprocess
Member Candidate
Posts: 255
Joined: Fri Mar 20, 2015 1:16 pm

High CPU Load

Mon Feb 01, 2016 10:49 pm

DNS attack?
 
IPANetEngineer
Trainer
Posts: 1333
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: High CPU Load

Mon Feb 01, 2016 11:09 pm

Hi, All!
I have a problem with my RB750GL: the CPU load is very high. In Profile I see that "dns" usage is 80-90%.
1.png
When I stop "Allow Remote Request", the usage goes down. Can someone explain that?
2.png
Can I fix that problem?
Thank you
What you are seeing is most likely a DNS amplification attack or some variant of it.

https://www.us-cert.gov/ncas/alerts/TA13-088A

It's a very easy fix. Either don't allow remote requests, or put the following rules in your firewall above all other rules on the input chain.
/ip firewall filter
add action=drop chain=input dst-port=53 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp
Global - MikroTik Support & Consulting - English | Español | Serbian | Danish +1 855-645-7684
https://iparchitechs.com/ecosystem/mikr ... consulting mikrotiksupport@iparchitechs.com
 
chechito
Forum Guru
Posts: 1773
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: High CPU Load

Mon Feb 01, 2016 11:32 pm

I think that, in addition to the rules IPNET posted, you have to add a rule to allow internal users to query the DNS cache on the MikroTik.
 
jarda
Forum Guru
Posts: 7765
Joined: Mon Oct 22, 2012 4:46 pm

Wed Feb 03, 2016 8:31 am

Sure. The rules have to be port-specific; otherwise it's better to switch the DNS service off. When such rules are needed, it means your firewall has a conceptual error. Think about it.
 
igpetkov
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 09, 2014 10:27 pm

Re: High CPU Load

Wed Feb 03, 2016 8:30 pm

Thank you for your advice, and sorry for my long absence.
After adding two firewall rules, the CPU overload has stopped:
chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53 log=no log-prefix=""
chain=input action=drop protocol=udp in-interface=ether1 dst-port=53 log=no log-prefix=""

I will keep an eye on my router and post the result here.

Thank you again
 
IPANetEngineer
Trainer
Posts: 1333
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: High CPU Load

Thu Feb 04, 2016 5:26 pm

I think that, in addition to the rules IPNET posted, you have to add a rule to allow internal users to query the DNS cache on the MikroTik.
Thanks for the catch... I do normally add an input interface to the rule :D
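One way to combine IPANetEngineer's drop rules with chechito's point about keeping the cache reachable for LAN clients, written here as an added example and not taken from the thread or from MikroTik. It assumes ether1 is the WAN interface and bridge-local is the LAN bridge; change both names to match your router.

```routeros
# Added example (not from the thread). Assumptions: ether1 = WAN, bridge-local = LAN.

# The exposed setting: with remote requests allowed and no input filter,
# any host on the Internet can use the router as an open resolver and
# bounce amplified DNS answers off it, which is what burns the CPU.
/ip dns
set allow-remote-requests=yes

# Drop DNS only where it arrives from the WAN. place-before=0 puts each rule at
# the top of the input chain, because RouterOS evaluates rules top to bottom
# and stops at the first match; a drop added below a generic accept does nothing.
/ip firewall filter
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1 place-before=0 comment="drop DNS from WAN (open resolver)"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1 place-before=0 comment="drop DNS from WAN (open resolver)"

# LAN clients keep using the router's cache: accept DNS only on the LAN bridge.
add chain=input action=accept protocol=udp dst-port=53 in-interface=bridge-local comment="allow LAN DNS"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=bridge-local comment="allow LAN DNS"

# Checks: the drop counters should climb while the flood lasts, the dns process
# should drop out of the top of the profile, and a LAN client should still resolve.
/ip firewall filter print stats where dst-port=53
/tool profile duration=10
```

If the firewall uses an interface list for WAN instead of a single port, replace in-interface=ether1 with in-interface-list=WAN on the two drop rules.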
