Hello!

I have upload bandwidth activity full from my router to internet.
I see that the source IP is 209.249.222.27/32 (erotic site) port 53(dns) destination my LAN IPs on different ports (IPs of computers connected to LAN interface).
Different port for each IP.

Please, what configuration I can do for dropping and not accepting any connections from/to this IP.
What may it is?

Thank you in advace for your help!

Bledar
indriti_@hotamil.com

I suggest you to protect your router and network as described here in the first few articles:
http://wiki.mikrotik.com/wiki/Firewall

OK. Tank You for your reply. I will read with attention those articles.
But please, what config I must do on firewall for blockin that activity on fastest way?

Thank you Normis!

For my info, what was that?

I have no idea what it was, I just told you how to block all access to/from that address

Hello!

The "attack" still continue. But now with 2 other IPs, 64.125.23.254 & 209.249.222.45. Even from port 80 of these 2 new IPs.
I tried to block these new IPs with firewall rules but no result.

/ip firewall filter add chain=forward src-address=64.125.23.254 action=drop
/ip firewall filter add chain=forward dst-address=64.125.23.254 action=drop

ip firewall filter add chain=forward src-address=209.249.222.45 action=drop
/ip firewall filter add chain=forward dst-address=209.249.222.45 action=drop


Please, what other can I do for blocking these upload?
Why these rules does not work with my MKT Firewall for these 2 new IPs?



Thank You for your help!

Hello!

May any one help me to resolve this problem?
I will really appreciate your help.

No on know how to block these 2 ips ?

No matter what you do the drop rules wont make any effect. It's going for 2.3 Megabits / second so it's not fast enought to drop all the data.
But what i know about this upload thing, is that u have a file called suhhost.exe in c:\windows\system 32\ which is starting with windows also i dont know what does it do. but if u delete it; it will work. first u have to end it's process suhhost.exe from the taskmanager and then u have to delete the file. Watch in mikrotik how the upload stops when u end its process from the taskmanager. If u want a good antivirus , use kaspersky it will detect it.
Tell me what will come with you.

clean your PC from viruses maybe?

Thank You for replies.

Mu PCs are protected with clean slate. When I do a restart the computer goes on the state that I left when I activated Clean Slate.
So, a little bit possibilities are that the PCs might be infected.

Its bean about 3 days that I see no upload traffic toward those IPs.

My question is: Why mikrotik does not blocked dropped upload traffic toward these IP before.

Thank You

probably they are random IPs, when you block one, it goes to another.

But I tried to block X ip and still I see traffic toward that IP.

How is it possible?

One thing would be to find the local IP the packets are coming/going from/to... Then check if it's a real traffic (disconnect those machines). Then check the machines for any spyware, ad-aware etc.

remember that the rule could be effective only after traffic interrupts. ie. reboot the router or disable/enable interface.

I did it so but no results.

Maybe the latest mikrotik version works better regarding firewall rules???

What version are you using??