Strange traffic on WAN interface
After updating from 5.26 to 6.6 and 6.33.5 i am getting strange traffic on my WAN interface on RB433AH. I notice that my internet bandwidth gets low and when i login to router i see that WAN interface (ether3 in my case) has traffic 100mpbs for RX and 15-20mbps for TX. I dont have this "speed" by ISP, it is 50mbps/3mbps. I looked in torch and there isnt any connection with this huge traffic and that traffic is only comming to router and not leaving router. After couple disable/enable ethernet port bandwidth goes back to normal (speed that comes in to router is going out of it.). Is this bug or i am being hacked?
Re: Strange traffic on WAN interface
Do you have web-proxy or DNS cache enabled?
Re: Strange traffic on WAN interface
DNS cache - yes
Web-proxy - no
Web-proxy - no
Re: Strange traffic on WAN interface
Are positively sure that your DNS cache isn't being used for a DNS DDOS attack?
Check your DNS service isn't available from the outside, and there are no connections from outside IPs to your WAN IP udp port 53.
Odd thing is your service should be already limited to 3Mbps upload, how do you connect to the internet?
Check your DNS service isn't available from the outside, and there are no connections from outside IPs to your WAN IP udp port 53.
Odd thing is your service should be already limited to 3Mbps upload, how do you connect to the internet?
Re: Strange traffic on WAN interface
I had a similar experience earlier.
In updating RouterOS, my firewall rules were changed and rearranged in order to take advantage of features in the new version (I think it was 6.30 in my case) but my DNS service was accidentally exposed that led to my upstream leak.
When leaking, it showed a higher upstream bandwidth of 4 to 5 times more than my nominal upstream max.
Although I was paranoid and changed all my passwords at the time, I learned later that I did not have to. (I use an app to manage passwords but never use it for banking).
Hope that explains.
In updating RouterOS, my firewall rules were changed and rearranged in order to take advantage of features in the new version (I think it was 6.30 in my case) but my DNS service was accidentally exposed that led to my upstream leak.
When leaking, it showed a higher upstream bandwidth of 4 to 5 times more than my nominal upstream max.
Although I was paranoid and changed all my passwords at the time, I learned later that I did not have to. (I use an app to manage passwords but never use it for banking).
Hope that explains.
Re: Strange traffic on WAN interface
For anyone interested, the reason no password changes were necessary is that the DNS-amp attack doesn't require your password or any of your accounts or credentials. They're just taking advantage of the fact that your router will answer a DNS request made any IP address anywhere in the world. The attacker sends tiny packets to your router (dns questions) which they know will cause large replies - e.g. request all records for "iana.org"Although I was paranoid and changed all my passwords at the time, I learned later that I did not have to. (I use an app to manage passwords but never use it for banking).
Their cluster of zombie bots sends tons of these little packets to your router, which then starts sending the big replies to them - however, they're lying about their source IP address - they spoof the source as being from their victim's IP address - so for sending a few hundred Kbps of packets, your router turns around and shoots several megabits' worth of data at their victim.
Re: Strange traffic on WAN interface
That is of course not the correct solution because it will block DNS from the inside as well!
In that case you can just as well turn off the DNS service.
You need to specifiy the external interface. And it is best to not symptomatically block single services, but
to block everything and allow what you need.
The default rule is to only allow established/related on the internet side and when you keep that in place there
is no problem at all because those incoming requests are not allowed.
In that case you can just as well turn off the DNS service.
You need to specifiy the external interface. And it is best to not symptomatically block single services, but
to block everything and allow what you need.
The default rule is to only allow established/related on the internet side and when you keep that in place there
is no problem at all because those incoming requests are not allowed.
Re: Strange traffic on WAN interface
i add this to firewall rules and now everything is ok
http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling
http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling
Re: Strange traffic on WAN interface
Glad that worked for you, but I personally hate that firewall recipe page with a passion.i add this to firewall rules and now everything is ok
http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling
It's fine for someone who really understands iptables to use a complicated rig like that, but many beginners find that page, copy and paste it without understanding the ramifications of the rules in there, and then many of them get tangled up in the complicated web of rules if they ever want to change something.
I mean, right off the top of my head - the list of bogons is way outdated - for instance this one:
add address=0.0.0.0/7 list=illegal-addr
1.0.0.0/8 is active on the Internet these days. You may or may not need to talk to anything in that range, but if you did and it didn't work, would you have thought to look up the IP of the site in question, and then go look through the illegal-addr list to discover that 1.x.x.x was covered by 0.0.0.0/7 ?
If so, then keep using this list, but many people get screwed by this monstrosity of a firewall recipe.