MTeeker
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Jun 14, 2011 2:42 pm
Location: Australia

Leaking of upstream

Mon Sep 28, 2015 6:06 am

I cannot reconcile the high upstream bandwidth with the combined total upstream of the individual interfaces, even after I turned off all devices except 2 VoIP phones and an OVPN connection so I could identify and isolate the issue.

It's even weirder since my nominal maximum upstream is 2.4 Mbps. In the attached picture, it was at 4.5 Mbps.

Is there a simple explanation for this, or is it something more fishy?

Thank you.
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Wed Sep 30, 2015 12:53 pm

So look at the traffic, what is it... Use torch. My guess is that you are part of a DNS amplification attack. You don't have your DNS service open to the public, do you?
 
niamul
Frequent Visitor
Posts: 50
Joined: Tue Dec 04, 2007 9:33 am
Location: Dhaka, Bangladesh


Thu Oct 01, 2015 7:11 pm

So look at the traffic, what is it... Use torch. My guess is that you are part of a DNS amplification attack. You don't have your DNS service open to the public, do you?
This dude is right. Block access to UDP and TCP port 53 on your WAN interface.
- waiting for that last laugh
 
MTeeker
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Jun 14, 2011 2:42 pm
Location: Australia


Fri Oct 02, 2015 5:51 am

So look at the traffic, what is it... Use torch. My guess is that you are part of a DNS amplification attack. You don't have your DNS service open to the public, do you?
You're very knowledgeable and sharp with your diagnosis. Thanks to you, I learned a few more lessons.

I had a few DNS accounts for remote access. Your explanation sent me to do some reading on the topic of amplification attacks. Highly embarrassing, but I think it was due to my firewall filter settings being 'out of kilter' (following my clumsy learning about Fasttrack a month or so ago). I have learned a good lesson to be extremely careful while on the firewall rules screen. (In fact, I numbered the rules in case they are accidentally shifted or deleted.)

Having redone the firewall from scratch, the attacks appear to have stopped. So far. Once my DNS accounts are resurrected and the attacks do not come back, I will know for sure. I'll leave it as is for now. I am going to change all my security passwords, but do you think that's needed since it's a DoS-type attack? Just for my education.

I thank you again for being a good netizen. I appreciate it.

This dude is right. Block access to UDP and TCP port 53 on your WAN interface.
You mean this:
/ip firewall filter
add action=drop chain=input comment="R3.2 in testing" protocol=udp src-port=53
add action=drop chain=input comment="R3.3 in testing" protocol=tcp src-port=53

Thanks.
 
yottabit
Member Candidate
Posts: 174
Joined: Thu Feb 21, 2013 5:56 am

Re: Leaking of upstream

Fri Oct 02, 2015 6:09 am

Dst-port from outside, not src-port.
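Putting jarda's advice (check whether the router answers DNS for the public, then torch the WAN) together with yottabit's correction (match the destination port, not the source port), here is an added example; it is not from the thread or from MikroTik's own documentation. It assumes the WAN interface is named ether1-gateway and the LAN is 192.168.88.0/24; the rule comments are mine, and the torch filter syntax is the RouterOS 6 form current when the thread was written.

```routeros
# Added example, not from the thread. Assumes WAN interface "ether1-gateway"
# and LAN 192.168.88.0/24; adjust both to your setup.

# 1. Is the router an open resolver? "allow-remote-requests: yes" means it
#    answers DNS queries from anyone who can reach port 53, including the WAN.
/ip dns print

# 2. Watch live port-53 traffic on the WAN (jarda's "use torch"). Many small
#    queries arriving from scattered addresses and large answers leaving is the
#    signature of being used as a reflector.
/tool torch interface=ether1-gateway port=53

# 3. The rule as posted in the thread matches packets whose SOURCE port is 53,
#    i.e. answers sent by other servers to this router. The abusive queries
#    arrive with DESTINATION port 53, so the posted rule never sees them:
#/ip firewall filter add chain=input action=drop protocol=udp src-port=53

# 4. Corrected rules: drop queries to port 53 that arrive on the WAN interface.
#    LAN clients (192.168.88.0/24) still reach the resolver because the rules
#    are limited to in-interface=ether1-gateway.
/ip firewall filter
add chain=input in-interface=ether1-gateway protocol=udp dst-port=53 \
    action=drop comment="R3.2 drop DNS queries from WAN"
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=53 \
    action=drop comment="R3.3 drop DNS queries from WAN"

# 5. Confirm the rules are counting. If the UDP counter stays at zero while
#    torch still shows port-53 traffic, an earlier accept rule is matching
#    first; use "move" to put the drop rules above it.
/ip firewall filter print stats where comment~"DNS"
```

If no LAN client needs the router as a resolver, `/ip dns set allow-remote-requests=no` removes the service altogether and the firewall rules become a second line of defence rather than the only one.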
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Leaking of upstream

Fri Oct 02, 2015 4:41 pm

It's not so hard to guess the reason, as the symptoms are repeated here really many times. Glad you are safely behind this topic now. It should not be linked to any password-protected function at all, so don't worry.
 
MTeeker
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Jun 14, 2011 2:42 pm
Location: Australia

Re: Leaking of upstream

Sun Oct 04, 2015 2:09 am

Dst-port from outside, not src-port.
Thanks for that.

Over 24 hours only 195 bytes were captured (i.e. rejected) under the TCP rule, and none under the UDP rule, however.
I thought more would have been captured if these were the main causes.

It's not so hard to guess the reason, as the symptoms are repeated here really many times. Glad you are safely behind this topic now. It should not be linked to any password-protected function at all, so don't worry.
TBH, I thought of the worst scenario initially and went through drastic steps including swapping between routers and netinstall. I even got an RB2011UiAS-2HnD-IN replacement as mine refused to play ball after a netinstall.

I retried the OVPN connection using the DNS name and the attacks seem to stay away, so I am happy with the diagnosis. (I use a new DNS name, however.)

In the end, I think it's safe to say my out-of-kilter firewall rules, aided by the use of DNS, contributed to the amplification attacks. A lesson learned for me.

Thanks again for being a good netizen. I'll buy you a drink if I bump into you in Australia. :-)
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Sun Oct 04, 2015 9:12 am

Thanks. It may happen one day. But rather wine or so. If you would like to get in closer touch, drop your Skype name. I will contact you.
