mhmd
just joined
Topic Author
Posts: 13
Joined: Tue Mar 01, 2016 2:26 pm
Location: Iraq

Unknown Upload!

Tue Jul 26, 2016 9:11 am

Hello Networkers,

I have a public IP address on the WAN port and a hotspot server on the LAN ports (RB2011UiAS). The problem is that sometimes I can see the WAN port passing large amounts of traffic (just upload) even if I disabled all the interfaces (except WAN) on the RB!
Does anyone have an explanation for this case?

 
cutedrummerboy
Member Candidate
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

Re: Unknown Upload!

Tue Jul 26, 2016 9:44 am

Block all ports in the input chain except what you want to be available on the WAN side. Maybe DNS or NTP is causing this, or some kind of multicast or broadcast flooding.

My provider's WAN is a citywide /24 and I often face an ARP flood of about 8 or 9 Mbps for 1 or 2 hours. After some investigation I found that it was caused by an IP address duplication by some moron. He was using the same IP on 2 different network cards.
Device: RB2011UIAS-RM, RB750GL, CISCO SG300-28, UNIFI UAP-LR
 
paulct
Member
Posts: 324
Joined: Fri Jul 12, 2013 5:38 pm

Re: Unknown Upload!

Tue Jul 26, 2016 12:11 pm

Perform a torch with port and protocol selected as well.
 
InoX
Forum Guru
Posts: 1969
Joined: Tue Jan 09, 2007 6:44 pm

Re: Unknown Upload!

Tue Jul 26, 2016 12:33 pm

Drop port 53
 
onnoossendrijver
Member
Posts: 421
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Unknown Upload!

Tue Jul 26, 2016 1:39 pm

This looks like a DNS amplification attack.
Drop port 53 just like InoX above me suggests.
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
mhmd
just joined
Topic Author
Posts: 13
Joined: Tue Mar 01, 2016 2:26 pm
Location: Iraq

Re: Unknown Upload!

Tue Jul 26, 2016 2:32 pm

Drop port 53
I suspect that DNS is causing this too, but how is the hotspot going to work without DNS?

 >ip dns print 
                servers: 8.8.8.8
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 1896KiB

 
 
normis
MikroTik Support
Posts: 24605
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Unknown Upload!

Tue Jul 26, 2016 2:34 pm

You don't need DNS on the public interface! Make a firewall rule that drops DNS from unknown networks or interfaces where there are no hotspot users. 
No answer to your question? How to write posts
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Unknown Upload!

Tue Jul 26, 2016 5:00 pm

Make sure that your INPUT chain rule dropping DNS comes AFTER the rule which accepts connection-state=established,related
This way, your router will still get replies for DNS requests that it made for itself (or for the users) but nobody will be allowed to ask it a new question from the WAN side.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
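
The rule order described in the two replies above, written out as RouterOS commands. This is an added example, not part of any poster's reply; it assumes ether1 is the WAN port, so substitute your own interface name.

```routeros
# Added example. Assumption: ether1 is the WAN interface.
/ip firewall filter

# 1. Accept replies to traffic the router itself started, including
#    the answers to its own lookups against the upstream resolver.
add chain=input action=accept connection-state=established,related \
    comment="accept established,related"

# 2. Drop new DNS queries that arrive on the WAN side only.
#    Queries from hotspot clients come in on the LAN interfaces,
#    are not matched here, and keep working with
#    allow-remote-requests=yes.
add chain=input action=drop in-interface=ether1 protocol=udp dst-port=53 \
    comment="drop DNS queries from WAN (udp)"
add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=53 \
    comment="drop DNS queries from WAN (tcp)"

# 3. Rules are evaluated top to bottom and "add" appends to the end
#    of the list, so confirm that no earlier rule already accepts
#    port 53 from the WAN before these drops are reached.
print where chain=input
```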
 
amjadayub
just joined
Posts: 3
Joined: Sat Feb 16, 2019 7:52 am

Re: Unknown Upload!

Mon Feb 18, 2019 7:49 am

It's a DDoS attack; I have also faced this issue on my 2 different MikroTik routers.
The following changes solved this problem at my end.

Disable DNS if not required.
If DNS – Allow remote requests is enabled, make sure an appropriate filter rule is set to prevent incoming DNS attacks.

add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input dst-port=53 protocol=tcp

Disable SSH and Telnet access if not required.
Change the HTTP port to some port other than port 80.

For more details you can visit the following website.
http://srijit.com/how-to-protect-your-m ... s-attacks/
