scionflash
just joined
Topic Author
Posts: 1
Joined: Sat Jun 24, 2017 10:58 pm

My Router was Hacked? -- Weird stuff

Sat Jun 24, 2017 11:36 pm

For starters, I'm not an IT expert. Kind of a low level guy that works in a small business that handles the networking and whatnot since nobody else has a clue. The MikroTik has been great, but I've been "learning as I go" and much of this is way over my head.

Anyways, a few months ago I was getting complaints that the internet was slow. Checked a few things, replaced some APs with newer stuff, and figured all was well. A month later, some of my APs got randomly bricked. No clue what happened, figured it was a power surge or something. Replaced and went on my way.

More complaints about slow speeds. I check it out and the data usage has gone crazy, 250gb within about 20 days. I figure that someone has breached the network and is torrenting. I seriously lock down the network, change all passwords, and set up an extensive firewall.

A few weeks go by and there's more complaints. I check the data usage, and now it's close to 550gb in a month. On the ethernet gateway, a constant 8-10mbps is being recorded on the TX. RX is around a constant 400kbps. The TX was so jammed that a speed test wouldn't even work on the upload portion. I checked all my APs to see how much data they're moving -- normal levels. Checked local machines, normal data moving. I then checked all the connected clients to see how much data they were using, again, all is normal. I then disconnected everything from the router besides the modem -- no change. I also manually booted connected IPs one by one while watching the TX. Finally, I used the "torch" option on the ethernet gateway and sorted by TX usage. Yeahhhh... tons of external connections. My network was being used as some sort of VPN, maybe?

I called the ISP to make sure this was real data being used and not some sort of malfunction or misinformation. He informed me that we were now close to 1tb of usage.

I reset the router to factory defaults with only the router connected to the modem. Immediately my TX "leak" reappeared. Frustrated, I ran to Walmart and got some bs Netgear router. Hooked that up, zero problems with random TX at high speeds. I set up a traffic meter on the new Netgear box and within the past few hours, I haven't seen any weird traffic.

Here's a picture from the torch screen. I would have normally done a screenshot, but this was for texting to a buddy that actually knows what he's doing (he was lost as well). The MikroTik is now sitting on my desk not connected to anything. Is there a way to see if this thing has been infected and by what?

[Image: torch screenshot attached to the post]
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: My Router was Hacked? -- Weird stuff

Sun Jun 25, 2017 12:30 pm

The symptoms you described are usually related to DNS amplification attacks, which happen if you don't firewall the routerboard DNS server (UDP 53 on your WAN) from the Internet.

This is a DDoS attack, in which your router DNS server receives DNS requests with spoofed source addresses, so the router "thinks" it's answering a client request (the victim) when it is really being used in a big, coordinated DDoS attack overwhelming the victim(s) with unsolicited UDP DNS responses.

> Yeahhhh... tons of external connections. My network was being used as some sort of VPN, maybe?

Did you check which kind of traffic (protocol, source and destination ports)? This is important.

To confirm this, you can either torch the WAN interface or look at IP > Firewall > Connections, filter by UDP and sort by Reply rate.

Another possibility could be the proxy, if you don't firewall it. That's why knowing the protocol and ports is so relevant to determine the cause.

Which RouterOS version was being used?
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: My Router was Hacked? -- Weird stuff

Sun Jun 25, 2017 2:46 pm

Looks like DNS from his screenshot.
 
psannz
Member Candidate
Posts: 127
Joined: Mon Nov 09, 2015 3:52 pm
Location: Renningen, Germany

Re: My Router was Hacked? -- Weird stuff

Sun Jun 25, 2017 3:48 pm

Could you give us some details on your DNS and IP Firewall Filter configs?

It does indeed look like a DNS Amplification Attack.

It would most certainly help if you closed down your incoming DNS ports on the WAN interfaces.
 
baragoon
Member Candidate
Posts: 295
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: My Router was Hacked? -- Weird stuff

Mon Jun 26, 2017 12:56 pm

> setup an extensive firewall.

...with 53 UDP opened :D
 
juanvi
Member Candidate
Posts: 165
Joined: Mon May 05, 2014 6:55 pm
Location: SPAIN

Re: My Router was Hacked? -- Weird stuff

Mon Jun 26, 2017 2:56 pm

The fast answer is to disable "allow remote requests" in DNS.
 
SystemErrorMessage
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: My Router was Hacked? -- Weird stuff

Tue Jun 27, 2017 5:43 am

That doesn't work; allow remote requests will simply make it impossible for your own network clients to use the DNS on your router. The best way to solve it is to drop input on port 53 (both TCP and UDP) on your WAN interfaces.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: My Router was Hacked? -- Weird stuff

Tue Jun 27, 2017 11:25 am

Again and again... Make a default drop rule in the input chain and put your exclusions before it. Closing just one port and leaving all others open is not a good approach, even if in this case it is just as effective.
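An added example, not from any of the posters, of the two things this thread recommends: pukkita's check for open-resolver traffic, and jarda's input chain with a default drop and the exclusions placed before it. It assumes ether1 is the WAN port and 192.168.88.0/24 is the LAN subnet; adjust both to the real setup.

```routeros
# Added example (not the thread's own config). Assumptions: ether1 = WAN,
# 192.168.88.0/24 = LAN. Run from the RouterOS terminal.

# 1. Confirm the symptom (pukkita's check): is the resolver open to remote
#    requests, and are there many UDP connections towards port 53 on the
#    WAN side with a high reply rate?
/ip dns print
/ip firewall connection print where protocol=udp

# 2. Input chain, in order. RouterOS evaluates filter rules top to bottom
#    and stops at the first match, so every exclusion must sit above the
#    final drop (jarda's point).
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router itself opened"
add chain=input action=drop connection-state=invalid \
    comment="packets that belong to no tracked connection"
add chain=input action=accept protocol=icmp \
    comment="allow ping / traceroute to the router"
add chain=input action=accept src-address=192.168.88.0/24 in-interface=!ether1 \
    comment="LAN clients may use router services, including DNS"
add chain=input action=log log-prefix="wan-dns" protocol=udp dst-port=53 \
    in-interface=ether1 comment="optional: log DNS hits on WAN before they drop"
add chain=input action=drop \
    comment="default drop: anything not excluded above, WAN included"

# 3. Verify: the counters on the last rule should climb while the TX rate
#    on ether1 (torch) falls back to normal.
/ip firewall filter print stats
/log print where message~"wan-dns"
```

The log rule is only there to confirm the diagnosis; remove it once the WAN TX has settled so the log does not fill with spoofed queries.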
