rodja990
newbie
Topic Author
Posts: 32
Joined: Mon Mar 12, 2012 1:54 am

Strange traffic on WAN interface

Wed Jan 20, 2016 1:26 pm

After updating from 5.26 to 6.6 and 6.33.5 I am getting strange traffic on my WAN interface on RB433AH. I notice that my internet bandwidth gets low and when I log in to the router I see that the WAN interface (ether3 in my case) has traffic of 100mbps for RX and 15-20mbps for TX. I don't have this "speed" from my ISP, it is 50mbps/3mbps. I looked in torch and there isn't any connection with this huge traffic, and that traffic is only coming in to the router and not leaving the router. After a couple of disable/enable cycles of the ethernet port, bandwidth goes back to normal (the speed that comes in to the router is going out of it). Is this a bug or am I being hacked?
Network isn't network if it's not wireless network
SASNet wireless mreza
 
pukkita
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Strange traffic on WAN interface

Wed Jan 20, 2016 2:18 pm

Do you have web-proxy or DNS cache enabled?
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
rodja990
newbie
Topic Author
Posts: 32
Joined: Mon Mar 12, 2012 1:54 am

Re: Strange traffic on WAN interface

Wed Jan 20, 2016 2:20 pm

DNS cache - yes
Web-proxy - no
Network isn't network if it's not wireless network
SASNet wireless mreza
 
pukkita
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Strange traffic on WAN interface

Fri Jan 22, 2016 10:26 pm

Are you positively sure that your DNS cache isn't being used for a DNS DDoS attack?

Check your DNS service isn't available from the outside, and there are no connections from outside IPs to your WAN IP udp port 53.

Odd thing is your service should be already limited to 3Mbps upload, how do you connect to the internet?
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
MTeeker
Frequent Visitor
Posts: 92
Joined: Tue Jun 14, 2011 2:42 pm
Location: Australia

Re: Strange traffic on WAN interface

Sat Jan 23, 2016 12:06 am

I had a similar experience earlier.

In updating RouterOS, my firewall rules were changed and rearranged in order to take advantage of features in the new version (I think it was 6.30 in my case), but my DNS service was accidentally exposed, which led to my upstream leak.

When leaking, it showed a higher upstream bandwidth of 4 to 5 times more than my nominal upstream max.

Although I was paranoid and changed all my passwords at the time, I learned later that I did not have to. (I use an app to manage passwords but never use it for banking).

Hope that explains.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Strange traffic on WAN interface

Sat Jan 23, 2016 12:18 am

Although I was paranoid and changed all my passwords at the time, I learned later that I did not have to. (I use an app to manage passwords but never use it for banking).
For anyone interested, the reason no password changes were necessary is that the DNS-amp attack doesn't require your password or any of your accounts or credentials. They're just taking advantage of the fact that your router will answer a DNS request made from any IP address anywhere in the world. The attacker sends tiny packets to your router (DNS questions) which they know will cause large replies - e.g. request all records for "iana.org".

Their cluster of zombie bots sends tons of these little packets to your router, which then starts sending the big replies to them - however, they're lying about their source IP address - they spoof the source as being from their victim's IP address - so for sending a few hundred Kbps of packets, your router turns around and shoots several megabits' worth of data at their victim.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
plisken
Forum Guru
Posts: 2456
Joined: Sun May 15, 2011 12:24 am
Location: Belgium
Contact:

Re: Strange traffic on WAN interface

Sat Jan 23, 2016 11:16 pm

 
pe1chl
Forum Guru
Posts: 6675
Joined: Mon Jun 08, 2015 12:09 pm

Re: Strange traffic on WAN interface

Sun Jan 24, 2016 12:38 am

That is of course not the correct solution because it will block DNS from the inside as well!
In that case you can just as well turn off the DNS service.
You need to specify the external interface. And it is best not to symptomatically block single services, but to block everything and allow what you need.
The default rule is to only allow established/related on the internet side, and when you keep that in place there is no problem at all because those incoming requests are not allowed.
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Sun Jan 24, 2016 1:01 am

And finally, with a default drop at the end of each chain and only very narrow explicit accept rules before it, there should be no need to make these two rules. But as we see here each day, there are still more and more new people who are missing general awareness about firewalling.
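As an added illustration of the approach pe1chl and jarda describe (this is not a ruleset posted in the thread), here is the contrast between a service-by-service drop that also cuts off LAN clients and an input chain that accepts only established/related and LAN traffic and drops everything else arriving on the WAN interface. It assumes ether3 is the WAN interface, as in the opening post, and RouterOS v6 filter syntax.

```routeros
# Added example, not from this thread. Assumes ether3 is the WAN interface (as in the first post)
# and RouterOS v6 /ip firewall filter syntax.

# --- Symptomatic fix (the kind pe1chl warns against): no in-interface, so it drops port 53 on
#     every interface and LAN clients lose the router's DNS cache as well.
# /ip firewall filter add chain=input protocol=udp dst-port=53 action=drop

# --- Default-drop input chain: the LAN keeps DNS, the Internet gets nothing it did not initiate.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to traffic the router itself initiated"
add chain=input connection-state=invalid action=drop
# The explicit DNS drops on WAN are redundant with the final rule, but their counters
# (/ip firewall filter print stats) show whether open-resolver queries are still arriving.
# Turn log=yes off once confirmed: an amplification flood fills the log quickly.
add chain=input in-interface=ether3 protocol=udp dst-port=53 action=drop log=yes log-prefix="wan-dns" comment="DNS queries from the Internet"
add chain=input in-interface=ether3 protocol=tcp dst-port=53 action=drop comment="DNS over TCP from the Internet"
add chain=input in-interface=!ether3 action=accept comment="LAN may use the router's DNS cache and other services"
add chain=input in-interface=ether3 action=drop comment="default drop for anything else from WAN"
```

With this in place, /ip dns allow-remote-requests=yes still serves the LAN, while a query from an outside address never reaches the resolver, so the router no longer produces amplified replies.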
 
rodja990
newbie
Topic Author
Posts: 32
Joined: Mon Mar 12, 2012 1:54 am

Re: Strange traffic on WAN interface

Tue Jan 26, 2016 3:48 am

I added this to my firewall rules and now everything is ok

http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling
Network isn't network if it's not wireless network
SASNet wireless mreza
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Strange traffic on WAN interface

Tue Jan 26, 2016 11:20 pm

I added this to my firewall rules and now everything is ok

http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling
Glad that worked for you, but I personally hate that firewall recipe page with a passion.

It's fine for someone who really understands iptables to use a complicated rig like that, but many beginners find that page, copy and paste it without understanding the ramifications of the rules in there, and then many of them get tangled up in the complicated web of rules if they ever want to change something.

I mean, right off the top of my head - the list of bogons is way outdated - for instance this one:
add address=0.0.0.0/7 list=illegal-addr

1.0.0.0/8 is active on the Internet these days. You may or may not need to talk to anything in that range, but if you did and it didn't work, would you have thought to look up the IP of the site in question, and then go look through the illegal-addr list to discover that 1.x.x.x was covered by 0.0.0.0/7?

If so, then keep using this list, but many people get screwed by this monstrosity of a firewall recipe.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
