So look at the traffic what is it... Use torch. My guess is that you are part of dns amplification attack. Don't you have your dns service available to public, do you?
You're very knowledgeable and sharp with your diagnosis. Thanks to you, I learned a few more lessons.
I had a few DNS accounts for remote access. Your explanation sent me to do some reading on the topic of amplification attack. Highly embarrassing but I think it was due to my firewall filter settings 'out of kilter' (following my clumsy learning about Fasttrack a month or so ago). I had learned a good lesson to be extremely careful while on the firewall rules screen. (In fact, I numbered the rules in case they are accidentally shifted or deleted).
Having redone the firewalls from scratch, the attacks appear to stop. So far. Once my DNS accounts are resurrected and the attacks do not come back, I will know for sure. I let it as is for now. I am going to change all my security passwords, but do you think it's needed since it a DOS-type attack? Just for my education.
I thank you again for your being a good nettizen. I appreciate it.
This dude is right. Block access to your udp and tcp port 53 on your wan interface
You mean this:
/ip firewall filter
add action=drop chain=input comment="R3.2 in testing" protocol=udp src-port=\
add action=drop chain=input comment="R3.3 in testing" protocol=tcp src-port=53