Hi. This morning our CCR1016-12G was attacked, but I have no idea how. It has the latest firmware installed. I did this after I found the router was compromised using the SOCKS attack. I also changed the password when I installed the firmware and disabled SOCKS as well as all other services except Winbox, for which I added a firewall rule to only accept connections from the LAN ports and IPs. I also have a rule to only accept DNS from the provider's DNS server and requests only from the LAN side.
So, to the attack. We have a 300Mb/s fiber connected to this router, which was totally flooded on the download side. Upload was a few Mb/s higher, but not much. This in itself was a bit weird. I could, however, find nothing in sniffer, connection tracking or torch that indicated what was causing this kind of download speed. The LAN side was running at around 100Mb/s, indicating this was definitely to the router, but CPU was only running at around 32%. It almost looked like a bandwidth test was running from the router on the WAN side, but the bandwidth server is disabled. The only discrepancy I could find was that the web proxy was enabled, which I have disabled now.
This lasted for about two hours and then stopped. Everything is running as expected now, and hopefully it was a one-off, but still. I would like to find out how and what, and prevent it from happening again. Any suggestions would be appreciated.