lochesistemas
just joined
Topic Author
Posts: 10
Joined: Sun Mar 20, 2016 5:56 pm

DoS SSDP

Wed Mar 31, 2021 2:58 pm

Hi!

I know this is not a problem with my RB2011. However, I'm writing because I don't know where to ask for help. I've been dealing with this DoS attack since last Monday, when I discovered it, and have no clue how to continue working in order to stop it.

I can see constant 20/30 Mbps traffic on the bridge and on the ether3 interface. When I torch it, I can see a couple of IPs connecting to 239.255.255.250.
http://prntscr.com/110q90j

The most interesting part of this is that if I disconnect those devices, I still see the 20/30 Mbps traffic. CPU usage is between 90-100%.

I've tried a filter rule, upgraded the firmware (installed 6.48.1) and still see that traffic.
I also disconnected almost everything from the main switch... still the same issue.

I have the same 20/30 Mbps traffic on my laptop. When I run Wireshark, nothing there (no filters, of course)... when I open the Windows Resource Monitor, under Network, nothing shows.

Any hints?
Thanks in advance!
Daniel.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: DoS SSDP

Thu Apr 01, 2021 1:37 am

It looks like you have ports in a bridge or a switch that are flooding multicast traffic. Filter or rate limit broadcasts / multicasts from clients, or disable multicast flooding if it isn't necessary. A complete topology of your network would be needed to diagnose further.
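
To find which station is behind the flooded traffic described above, the following added example (not part of any post in this thread) tallies broadcast, multicast and SSDP bytes per source MAC from raw Ethernet frames, and flags SSDP packets seen more than once with the same IPv4 ID, a heuristic for frames being duplicated on the layer-2 path. The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

SSDP_MAC = bytes.fromhex("01005e7ffffa")  # Ethernet group address for 239.255.255.250
SSDP_IP = bytes([239, 255, 255, 250])

def classify(frame):
    """Return (src_mac, kind, ip_id) for one raw Ethernet II frame."""
    dst, src = frame[0:6], frame[6:12]
    kind, ip_id = "unicast", None
    if dst == b"\xff" * 6:
        kind = "broadcast"
    elif dst[0] & 1:  # group bit set: multicast
        kind = "multicast"
    if frame[12:14] == b"\x08\x00" and len(frame) >= 34 and frame[23] == 17:  # IPv4/UDP
        udp = 14 + (frame[14] & 0x0F) * 4  # offset of the UDP header
        ip_id = struct.unpack("!H", frame[18:20])[0]
        if len(frame) >= udp + 4 and frame[30:34] == SSDP_IP \
                and struct.unpack("!H", frame[udp + 2:udp + 4])[0] == 1900:
            kind = "ssdp"
    return src.hex(":"), kind, ip_id

def summarize(frames):
    """Flooded bytes per (source MAC, kind), and SSDP (source, IP ID) pairs seen 2+ times."""
    flooded, seen = Counter(), Counter()
    for f in frames:
        src, kind, ip_id = classify(f)
        if kind != "unicast":
            flooded[(src, kind)] += len(f)
        if kind == "ssdp":
            seen[(src, ip_id)] += 1
    return flooded, {k: n for k, n in seen.items() if n > 1}

def sample_frame(src_mac, src_ip, ip_id, dst_mac=SSDP_MAC, dst_ip=SSDP_IP, dport=1900):
    """Constructed test frame (checksums left at zero; the parser does not check them)."""
    payload = b"M-SEARCH * HTTP/1.1\r\n\r\n"
    udp = struct.pack("!HHHH", 50000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, 1, 17, 0,
                     bytes(src_ip), bytes(dst_ip))
    return dst_mac + bytes.fromhex(src_mac) + b"\x08\x00" + ip + udp

# Constructed capture: one host's SSDP packet seen three times, one normal SSDP sender,
# and one unicast DNS query that must not be counted.
SAMPLE = [sample_frame("020000000001", [192, 168, 88, 10], 7)] * 3 + [
    sample_frame("020000000002", [192, 168, 88, 11], 41),
    sample_frame("020000000002", [192, 168, 88, 11], 42,
                 bytes.fromhex("020000000009"), [192, 168, 88, 1], 53),
]
```

Some stacks send a constant IP ID (often 0) on unfragmented datagrams, so treat repeats with such an ID as inconclusive.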
 
mistry7
Forum Guru
Posts: 1480
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: DoS SSDP

Thu Apr 01, 2021 4:10 am

@R1CH

+1
