 
samih
newbie
Topic Author
Posts: 42
Joined: Tue Jan 25, 2011 9:48 am
Location: Lebanon

huge traffic

Thu Sep 13, 2012 11:57 am

Hello,
I have an RB750. Interface1 is connected to the internet via a real IP address. Interfaces 2-->5 are not connected to any network.
The problem is that when I go to interface1 in Winbox and go to traffic, I see huge traffic on this interface (900 kbps). When I change the real IP of interface1 the traffic goes back to normal (5 kbps). It stays normal for a while, like 1 month, and then the traffic increases to 900 kbps until I change the real IP to a new one.


Please advise.
 
jadu
Frequent Visitor
Posts: 86
Joined: Sat Feb 05, 2011 9:22 am
Location: Bucharest - Constanta

Re: huge traffic

Thu Sep 13, 2012 1:35 pm

You can log that traffic to see more.
Add filter rules in input chain and action log.
And after detecting what kind of traffic it is you can drop it.
 
samih
newbie
Topic Author
Posts: 42
Joined: Tue Jan 25, 2011 9:48 am
Location: Lebanon

Re: huge traffic

Thu Sep 13, 2012 5:59 pm

Hello Jadu,

Thank you for your reply.
I made this rule:
add action=log chain=input comment="" disabled=no dst-address=0.0.0.0 in-interface=Real \
    log-prefix="" src-address=0.0.0.0
Is that right?
And where can I find the log file?

Thanks
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: huge traffic

Thu Sep 13, 2012 8:06 pm

When the "strange" traffic happens again, use torch to see what is going on, from which IP and what ports
that traffic is using.
My first guess would be that you have enabled webproxy and you haven't secured it from outside.
 
jadu
Frequent Visitor
Posts: 86
Joined: Sat Feb 05, 2011 9:22 am
Location: Bucharest - Constanta

Re: huge traffic

Fri Sep 14, 2012 1:16 pm

> Is that right?
> And where can I find the log file?

It's right. You don't have a log file; you will see it in the log directly. You can specify a log-prefix, e.g. LOG INPUT
 
samih
newbie
Topic Author
Posts: 42
Joined: Tue Jan 25, 2011 9:48 am
Location: Lebanon

Re: huge traffic

Fri Sep 14, 2012 10:04 pm

Hello, I was reviewing the log.
There are more than one hundred errors like this:
04:03:03 system,error,critical login failure for user mysql from 218.4.146.206 via ssh
04:03:05 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
04:03:12 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
04:03:17 system,error,critical login failure for user www from 218.4.146.206 via ssh

All of them happened in less than 20 minutes.

How can I block attacks like this?
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: huge traffic

Fri Sep 14, 2012 11:00 pm

> Hello, I was reviewing the log.
> There are more than one hundred errors like this:
> 04:03:03 system,error,critical login failure for user mysql from 218.4.146.206 via ssh
> 04:03:05 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
> 04:03:12 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
> 04:03:17 system,error,critical login failure for user www from 218.4.146.206 via ssh
>
> All of them happened in less than 20 minutes.
>
> How can I block attacks like this?

Try this on the wiki:
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
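
Added example, not part of the thread or of the MikroTik wiki: a Python script that reads log lines in the format samih quoted and reports which source addresses reach a failure threshold inside a time window, i.e. the addresses worth dropping on the input chain. The 4-failure threshold, the 20-minute window, the function names and the last two sample lines are assumptions; timestamps are assumed to fall within a single day.

```python
import re
from collections import defaultdict
from datetime import timedelta

# RouterOS log line layout as quoted in the thread: "HH:MM:SS topics message".
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}) \S+ login failure for user (\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) via (\S+)$"
)
# First four lines are from the thread; the last two are constructed.
SAMPLE_LOG = """\
04:03:03 system,error,critical login failure for user mysql from 218.4.146.206 via ssh
04:03:05 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
04:03:12 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
04:03:17 system,error,critical login failure for user www from 218.4.146.206 via ssh
04:10:41 system,error,critical login failure for user admin from 192.0.2.10 via winbox
09:15:00 system,info,account user admin logged in from 192.0.2.10 via winbox
"""

def parse_failures(text):
    """Return (time, user, source, service) for every login-failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s, user, src, service = m.groups()
            when = timedelta(hours=int(h), minutes=int(mi), seconds=int(s))
            events.append((when, user, src, service))
    return events

def brute_force_sources(events, threshold=4, window=timedelta(minutes=20)):
    """Sources with at least `threshold` failures inside any sliding window."""
    by_src = defaultdict(list)
    for when, user, src, _service in events:
        by_src[src].append((when, user))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window start forward
            if end - start + 1 >= threshold:
                flagged[src] = {"failures": len(hits),
                                "users": sorted({u for _, u in hits})}
                break
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(parse_failures(SAMPLE_LOG)))
```

A single mistyped password (the constructed 192.0.2.10 line) stays below the threshold, while a source cycling through usernames such as mysql, nagios and www is flagged.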
 
samih
newbie
Topic Author
Posts: 42
Joined: Tue Jan 25, 2011 9:48 am
Location: Lebanon

Re: huge traffic

Thu Sep 20, 2012 10:35 pm

I did them all but it is still the same.
I am running torch and there is continuous traffic:
Src. Address     Dst. Address           Tx Rate    Rx Rate
178.135.64.254   X.X.X.X (my address)   160 kbps   8 kbps

I did a firewall rule chain= drop src address=178.135.64.254 action= drop

but nothing happens.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: huge traffic

Thu Sep 20, 2012 11:56 pm

> I did them all but it is still the same.
> I am running torch and there is continuous traffic:
> Src. Address     Dst. Address           Tx Rate    Rx Rate
> 178.135.64.254   X.X.X.X (my address)   160 kbps   8 kbps
>
> I did a firewall rule chain= drop src address=178.135.64.254 action= drop
>
> but nothing happens.

What chain did you put the firewall rule on? If it is to protect the router itself, it needs to be on the input chain.
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: huge traffic

Thu Sep 20, 2012 11:59 pm

Post what you did:
/ip firewall filter print
It works, you might have done something wrong.
As for the IP that is generating traffic, on which port is that traffic?
Also, on which chain is the rule you have applied for that IP? There is no such chain as drop.
