Community discussions

just joined
Topic Author
Posts: 1
Joined: Tue Nov 13, 2018 8:32 pm

Am I hacked?

Tue Nov 13, 2018 9:20 pm

CCR1009-8G-1S-1S+ ver. 6.43.4
Strange things have been happening with my internet service. For testing I ping and "normal" is 20-50ms. About a month and a half ago I started having issues with my connection. I started my ping test and noticed times when my ping climbed and maintained 100-450ms for 2-4 minutes. I complained to the local ISP and they too could see issues between my modem and their node. The ISP has performed several fixes and they no longer see the issue but my ping testing still shows random spikes.

I decided to see what the router was showing. In Winbox (I'm too old and not bright enough to configure via CLI) I opened the Interface List. I see normal Tx and FP Tx flow in the 2 Mbps range. When the ping climbs to excessive range I noted my Tx and FP Tx in the 14Mbps range. As soon as the 2Mbps resumes pings are normal again. I opened Firewall>Connections and sorted by Orig/Repl Rate and monitored along side the Interface list. I see no connections in the list above 1.5 kbps.

So, I've been reading the forums. Since the FastPath Tx is spiking too I've been reading about FP figuring it is coming from there. I'm not sure if I'd see the FP connections in the connections list. I've looked at users and the only one is the Admin. I opened Scripts and see none listed. I looked at services, after the security issue a couple of months ago I disabled ftp, telnet and www-ssl, they're still off.

I cannot explain the sudden burst in traffic on ether2 (my only WAN port). Does this look like some sort of hack? If not, have you seen this before? Is there a better method to see the cause or connection? I'm not sure where to go from here.
Thank You
User avatar
Posts: 2982
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Am I hacked?

Wed Nov 14, 2018 10:44 am

Check your firewall (IP > Firewall > Filter)

Your symptoms are the typical when being used as a DNS spoof amplification attack.

If your wan port is not protected from Internet, attackers start querying your router DNS server pretending to be someone else, who gets blasted with your (and hundreds of other unprotected DNS services) answers, hence the odd Tx on WAN port.

Solution: make sure default firewall filter rules are in place. Do not leave open ports towards internet.

Make sure too you're using an up to date ROS version, 6.42.9 at least.

You have several tools to see what's going on:

- IP > Firewall > Connections
- Tools > Torch
- Tools > Packet Sniffer

If you're being subject to the DNS amp attack, you'll see traffic going from your WAN IP UDP 53 port -> IPs on Internet.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
User avatar
Forum Guru
Forum Guru
Posts: 1704
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Am I hacked?

Wed Nov 14, 2018 1:42 pm

Start with:
/interface list
add name=WAN_LIST
/interface list member
add interface=YouRWANInterface list=WAN_LIST
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN_LIST log-prefix=UDP53ALL protocol=udp
Real admins use real keyboards.

Who is online

Users browsing this forum: No registered users and 19 guests