chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Strange: External IP addresses act as internal customers

Mon Mar 01, 2010 7:14 am

Hello guys,
Strange behavior of non-existing customers is causing me problems. Let me try to explain:
Let us consider a router with LAN interface ether2 and WAN - ether1. No additional interfaces are functioning at all. /tool torch shows that IP addresses 200.121.241.221 and 118.160.20.234 make some (big) upload (for customer) traffic on my LAN interface. See [1] on the attached picture. But I don't have such addresses. They are somewhere behind our WAN interface.
Traffic can be reached only on our LAN interface as upload [2] and such traffic doesn't exist on the WAN one [3].
This "alien behavior" makes conclusions on the network and worst QoS.

Please, help!


screenshot_ALIEN-IP-ADDRESSES-ON-THE-NETWORK.PNG
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Strange: External IP addresses act as internal customers

Tue Mar 02, 2010 8:09 pm

check 'Protocol' and 'Port' ticks to see exactly what traffic it is
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses act as internal customers

Tue Mar 02, 2010 11:17 pm

Hi there!
Thanks Chupaka for interest. And an answer.
Here are two screenshots with Port/Protocol marked. Nothing interesting can be observed on shots unfortunately.
Look that "aliens" (ip-addresses not ours) do big amount of traffic BUT ONLY UPLOAD. With zero download:
screenshot_ALIENS_1.PNG
They can make more than 100% of all router's traffic:
screenshot_ALIENS_2.PNG
Both pics show zero packets download and big amount of traffic uploaded.

And at last, this traffic stops if the WAN iface is disabled!
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Strange: External IP addresses act as internal customers

Wed Mar 03, 2010 3:49 am

maybe a routing loop? add firewall filter logging rule to see from what to what interface these packets go. then block wrong flows =)
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses act as internal customers

Thu Mar 04, 2010 10:20 pm

can you imagine how it got solved? with a simple queue that limits "everything else" on the lan interface. good luck!
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Strange: External IP addresses act as internal customers

Fri Mar 05, 2010 1:20 am

actually, it's not a solution, it's a crutch. you better fix the reason, not symptoms...
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses act as internal customers

Fri Mar 05, 2010 1:43 am

> maybe a routing loop? add firewall filter logging rule to see from what to what interface these packets go. then block wrong flows =)
yeah, i perfectly know that it's better to find a solution, not scratching away. but can you help to "add firewall filter logging rule to see from what to what interface these packets go. then to block wrong flows". these addresses we saw on the pics above cannot be matched at all. or (what is more true) i cannot do that

Regards.
Chavdar
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Strange: External IP addresses act as internal customers

Fri Mar 05, 2010 11:30 am

try
/ip firewall mangle add chain=prerouting src-address=89.215.105.149 action=passthrough
and see whether that rule counts the packets. then, change 'passthrough' to 'log' to see, from what interface the packet comes. then try 'forward' chain
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses act as internal customers

Sat Mar 06, 2010 11:36 pm

> try
> /ip firewall mangle add chain=prerouting src-address=89.215.105.149 action=passthrough
> and see whether that rule counts the packets. then, change 'passthrough' to 'log' to see, from what interface the packet comes. then try 'forward' chain
no matches found

btw, if we have queue rule that limits "all rest" traffic there is no such traffic from such not our addresses. they are not decreased, they stopped. pretty impressive, ah...
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Fri May 21, 2010 7:16 am

problem still persists.
anybody CAN help?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Strange: External IP addresses acts as an internal custo

Fri May 21, 2010 12:04 pm

did you add 'action=passthrough' rule at the top?.. because you should see the traffic in Mangle anyway
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Fri May 21, 2010 3:18 pm

yes, I did it
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Sat May 22, 2010 2:03 pm

all these ips are visible for few seconds
after that they mysteriously disappeared
and they cannot be torched
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Strange: External IP addresses acts as an internal custo

Mon May 24, 2010 1:58 am

Are you 100% sure your ether2 interface is not the WAN? (I see so many different 'public' addresses on your src list in torch that I would think it is a public interface you run torch on. I made such a mistake in the past!)

If it is, then such behaviour is more explainable.
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Mon May 24, 2010 9:39 am

> Are you 100% sure your ether2 interface is not the WAN?
No abuses, please... I CAN distinguish between WAN and LAN interfaces...
> I see so many different 'public' addresses on your src list in torch that I would think it is a public interface you run torch on.
Yes, this made me say "strange" when I started this post.
> I made such a mistake in the past!
Now we have no "loops", routing errors or any other stupid mistakes. This network has acted perfectly for MORE THAN 11 years! Router - 6 years with MikroTik. Of course, it was modified several times these years...
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Fri Jun 04, 2010 1:11 pm

> maybe a routing loop? add firewall filter logging rule to see from what to what interface these packets go. then block wrong flows =)
Hi there!

At last I successfully captured what actually goes on. I caught the villain...

See the picture attached to this post.
Gencho_DDoS.PNG
Notes:
[1]. ether2 is our LAN interface. There is only one more active interface - ether1, that is WAN interface.
[2]. "evil-doer" (green colored) acts from our LAN interface - just like he is our customer. But this is not our ip-address.
[2]. every attacker's packet comes from different MAC-address (red colored) - maybe it's an algorithm that changes last two parts of the addresses (see red frames on the picture).

Please, HELP!
This attack decreases router's performance dynamically and stops some services at all.
Maybe I need new concept for routers firewall, but I do not understand what actually goes on.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Strange: External IP addresses acts as an internal custo

Fri Jun 04, 2010 1:31 pm

Try this:
/ip firewall filter
add chain=forward action=drop src-address=!192.168.0.0/16 in-interface=ether2

But only if your ether2 assigned addresses are all within 192.168.0.0/16!

ADD: And you might want to explain 'bridge1'. What interfaces are bridged?
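
An added example, not part of the original posts: the logging rule suggested earlier in the thread and the drop rule above both come down to spotting packets that enter the LAN interface with a source address outside the customer range. This Python script runs that check over constructed log lines and groups the hits by source, showing how many distinct MAC addresses each one used; the log layout, the 198.51.100.0/24 prefix and every address and MAC below are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the thread): the interface name follows the posts,
# the customer prefix is a documentation range used as a placeholder.
LAN_INTERFACE = "ether2"
LAN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines, modeled on the usual RouterOS firewall log layout.
SAMPLE_LOG = """\
prerouting: in:ether2 out:(none), src-mac 00:0c:42:aa:10:01, proto UDP, 203.0.113.7:4021->198.51.100.76:80, len 1028
prerouting: in:ether2 out:(none), src-mac 00:0c:42:aa:3f:9c, proto UDP, 203.0.113.7:4021->198.51.100.76:80, len 1028
prerouting: in:ether2 out:(none), src-mac 00:0c:42:aa:e2:55, proto UDP, 203.0.113.7:4022->198.51.100.76:80, len 1028
prerouting: in:ether2 out:(none), src-mac 00:0c:42:bb:00:20, proto TCP (SYN), 198.51.100.20:50112->203.0.113.9:443, len 52
prerouting: in:ether1 out:(none), src-mac 00:0c:42:cc:00:01, proto TCP (ACK), 203.0.113.7:443->198.51.100.20:50112, len 40
"""

# Lines without ports (e.g. ICMP) do not match and are skipped.
LINE_RE = re.compile(
    r"in:(?P<iface>\S+) out:\S+, src-mac (?P<mac>[0-9a-fA-F:]{17}), "
    r"proto \S+(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+, len (?P<len>\d+)"
)


def find_spoofed(log_text, iface=LAN_INTERFACE, prefixes=LAN_PREFIXES):
    """Return {src_ip: {"macs", "dsts", "bytes"}} for packets that entered
    `iface` with a source address outside every network in `prefixes`."""
    hits = defaultdict(lambda: {"macs": set(), "dsts": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["iface"] != iface:
            continue
        if any(ipaddress.ip_address(m["src"]) in net for net in prefixes):
            continue  # legitimate customer source address
        rec = hits[m["src"]]
        rec["macs"].add(m["mac"].lower())
        rec["dsts"].add(m["dst"])
        rec["bytes"] += int(m["len"])
    return dict(hits)


if __name__ == "__main__":
    for src, rec in find_spoofed(SAMPLE_LOG).items():
        print(src, "macs:", len(rec["macs"]), "dsts:", sorted(rec["dsts"]), "bytes:", rec["bytes"])
```

A single foreign source showing up behind many source MACs and aimed at one local destination is the pattern worth tracing back to a switch port, since the address and MAC fields themselves cannot be trusted.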
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Strange: External IP addresses acts as an internal custo

Sat Jun 05, 2010 5:24 pm

Surfertim's suggestion suppresses the fever but doesn't cure the disease.

I don't know how the rest of your network set-up is, but you have to try to find the source. Probably by eliminating possible sources. So disconnect any user until you see this traffic stream die. You should now at least have found the source unit where it comes from. To me it looks to be a trojan or virus generating traffic under pseudo IP and fake (random) mac. Or maybe a 'bot' broadcasting to the world it is there (but nobody hears it!)
Probably a client of yours has an infected machine.
So try to find the source by eliminating each and any one by one until the culprit is found.... that's what I would do. (I am not saying this is the solution, it's a suggestion.)
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Strange: External IP addresses acts as an internal custo

Sat Jun 05, 2010 10:36 pm

> Surfertim's suggestion suppresses the fever but doesn't cure the disease.
> Probably a client of yours has an infected machine.
> So try to find the source by eliminating each and any one by one until the culprit is found.... that's what I would do. (I am not saying this is the solution, it's a suggestion.)
Not possible to cure for me. I have about a hundred clients at a time, and they come and go. They buy time and expect service, whether or not their computer has a virus. The best I can hope to do is keep the 'fever' from doing a DoS on my routers. Not much of a cure, is it? But I was thinking the bridge on his setup may have a part in this. If it is looping back traffic, that could really cause some problems.
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Mon Jun 07, 2010 11:00 pm

> But I was thinking the bridge on his setup may have a part in this. If it is looping back traffic, that could really cause some problems.

no bridges on the setup! easy to see after closely reading all posts
Last edited by chvdr on Mon Jun 07, 2010 11:06 pm, edited 1 time in total.
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Mon Jun 07, 2010 11:05 pm

and take a look at the last picture above.

there is a source visible, destination, too. it is easy to see that customer that should be stopped is with ip-address 87.120.205.76

after it stopped, everything goes alright
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Strange: External IP addresses acts as an internal custo

Tue Jun 08, 2010 12:18 pm

> But I was thinking the bridge on his setup may have a part in this. If it is looping back traffic, that could really cause some problems.
> no bridges on the setup! easy to see after closely reading all posts
Then why in your first and third post, the images of the "Interface" both show bridge1 (type=bridge) running?
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Tue Jun 08, 2010 6:20 pm

> But I was thinking the bridge on his setup may have a part in this. If it is looping back traffic, that could really cause some problems.
> no bridges on the setup! easy to see after closely reading all posts
> Then why in your first and third post, the images of the "Interface" both show bridge1 (type=bridge) running?

router changed, we have interfaces that not functioned. bridge removed. see last several pictures, this is the same router, no bridges with
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Strange: External IP addresses acts as an internal custo

Tue Jun 08, 2010 6:24 pm

What "last several pictures"? The only images I see of the "Interface List" (your first and second posts) shows bridge1 active with no way to tell which interfaces were assigned there. When I can read your mind, you may refer to me as "Your Royal Excellent Highness", as will everyone else on this planet!! :lol:
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Wed Jun 09, 2010 1:40 pm

> What "last several pictures"? The only images I see of the "Interface List" (your first and second posts) shows bridge1 active with no way to tell which interfaces were assigned there. When I can read your mind, you may refer to me as "Your Royal Excellent Highness", as will everyone else on this planet!! :lol:
if nothing to say, don't say anything
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Strange: External IP addresses acts as an internal custo

Wed Jun 09, 2010 1:52 pm

If you won't accept help, don't ask for it! :wink: SurferTim out.
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Wed Jun 09, 2010 2:08 pm

> What "last several pictures"? The only images I see of the "Interface List" (your first and second posts) shows bridge1 active with no way to tell which interfaces were assigned there. When I can read your mind, you may refer to me as "Your Royal Excellent Highness", as will everyone else on this planet!! :lol:
1. this is not a routing problem, because it's too simple.
2. system changed (attn. SurferTim especially!!!), so we have only two ether interfaces: ether1 (WAN) and ether2 (LAN). No bridges, no wireless. Only two interfaces.
3. this is not a routing problem, because it worked 6 years with untouched configuration. same networks, ethernet interfaces, etc...
4. problem is that somebody with external ip-addr makes big amount of traffic on LAN interface (attn. SurferTim: not a bridge, it is ether2) to our existing hosts, but ONLY ON LAN INTERFACE.
notes:
*traffic stops if WAN disabled;
*traffic decreased if queue limits our host that corresponds to extended host;
*traffic dramatically decreases system performance of the router
*last picture (see above, SurferTim) shows packets, captured with mangle to log

the question is is there anybody who can help in this situation, that have some similar problems and knows what we have to do.
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Fri Jun 11, 2010 7:53 am

> Surfertim's suggestion suppresses the fever but doesn't cure the disease.
> Probably a client of yours has an infected machine.
> So try to find the source by eliminating each and any one by one until the culprit is found.... that's what I would do. (I am not saying this is the solution, it's a suggestion.)
> Not possible to cure for me. I have about a hundred clients at a time, and they come and go. They buy time and expect service, whether or not their computer has a virus. The best I can hope to do is keep the 'fever' from doing a DoS on my routers. Not much of a cure, is it? But I was thinking the bridge on his setup may have a part in this. If it is looping back traffic, that could really cause some problems.
bridge removed. we have two interfaces only - WAN ether1 and LAN ether2. clear configuration, but same problem.
 
chvdr
Member
Topic Author
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: Strange: External IP addresses acts as an internal custo

Fri Jun 11, 2010 7:57 am

and what about a customer who inserted a cable to a switch with a cable shorted the switch (entering two cable ends to switches ports)?
