k3NGuru
just joined
Topic Author
Posts: 7
Joined: Wed Jul 31, 2013 3:36 pm

CPU loads 100%

Wed Jul 31, 2013 3:46 pm

Hello.

Today I found that on my Routerboard 2011uas-2hnd-in the CPU load is 100%.
[admin@MikroTik] /ip dns> print         
servers: 
        dynamic-servers: 212.75.210.62,212.75.211.2
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 143KiB
[admin@MikroTik] > /tool profile
NAME                    CPU        USAGE
firewall-mgmt           all         0.5%
wireless                all         0.5%
ethernet                all         4.5%
console                 all         0.5%
dns                     all          82%
traffic-flow            all           0%
firewall                all           1%
networking              all         0.5%
winbox                  all           1%
logging                 all           0%
management              all         8.5%
bridging                all           0%
unclassified            all           1%
How can I solve my problem?

Best regards, Dmitriy
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: CPU loads 100%

Wed Jul 31, 2013 3:51 pm

Secure the DNS server on your router.

Configure your firewall input chain correctly.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
k3NGuru
just joined
Topic Author
Posts: 7
Joined: Wed Jul 31, 2013 3:36 pm

Re: CPU loads 100%

Wed Jul 31, 2013 4:41 pm

tomaskir
Maybe you can help me with this?
Google gives me this spell:
chain=input action=drop protocol=udp dst-port=53
but after this rule the Internet is down :(
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: CPU loads 100%

Thu Aug 01, 2013 11:48 am

Do something like this:
/ip firewall filter
add chain=input comment="Input chain" connection-state=established
add chain=input connection-state=related
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp
add chain=input dst-port=8291 protocol=tcp
add chain=input in-interface="LAN Interface Name"
add action=log chain=input disabled=yes log-prefix=Drop
add action=drop chain=input
Replace the LAN interface name according to your needs.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: CPU loads 100%

Thu Aug 01, 2013 1:08 pm

Don't use such a rule; you are blocking all traffic to port 53 and thus blocking DNS. Just limit queries to your local LAN address range:
chain=input action=drop protocol=udp dst-port=53 src-address=!10.10.10.0/24
Replace "10.10.10.0/24" with your local LAN range.
 
k3NGuru
just joined
Topic Author
Posts: 7
Joined: Wed Jul 31, 2013 3:36 pm

Re: CPU loads 100%

Thu Aug 01, 2013 3:51 pm

I modified the last rule:
chain=input action=drop protocol=udp in-interface=ether1-gateway dst-port=53
and that helped me bring the CPU down to 10-20% ^_^
But now I see this: http://d.pr/i/2FQu Is it not dangerous for my RB? What does this statistic mean: http://d.pr/i/XEQZ ?
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: CPU loads 100%

Thu Aug 01, 2013 3:56 pm

You got attacked with a DNS amplification attack, because your router was not properly firewalled.

The counter on that rule is so high, because the attack is still in progress, but the firewall is blocking it.
 
k3NGuru
just joined
Topic Author
Posts: 7
Joined: Wed Jul 31, 2013 3:36 pm

Re: CPU loads 100%

Thu Aug 01, 2013 4:11 pm

> Do something like this:
> /ip firewall filter
> add chain=input comment="Input chain" connection-state=established
> add chain=input connection-state=related
> add chain=input connection-state=invalid action=drop
> add chain=input protocol=icmp
> add chain=input dst-port=8291 protocol=tcp
> add chain=input in-interface="LAN Interface Name"
> add action=log chain=input disabled=yes log-prefix=Drop
> add action=drop chain=input
> Replace the LAN interface name according to your needs.

LAN interface = WAN? If yes, after these rules my internet is down :(
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: CPU loads 100%

Thu Aug 01, 2013 4:14 pm

LAN interface is your Local Area Network interface.
The interface where your clients connect, NOT the internet interface.

That firewall blocks all communication from everywhere, except the LAN interface specified; connections are allowed there.

Post "/interface export compact" and I will modify it according to your needs.
 
k3NGuru
just joined
Topic Author
Posts: 7
Joined: Wed Jul 31, 2013 3:36 pm

Re: CPU loads 100%

Thu Aug 01, 2013 4:22 pm

> LAN interface is your Local Area Network interface.
> The interface where your clients connect on, NOT the internet interface.
>
> That firewall blocks all communication from everywhere, except the LAN interface specified, connections are allowed there.
>
> Post "/interface export compact" and I will modify it according to your needs.

[admin@MikroTik] > /interface export compact 
# aug/01/2013 20:19:18 by RouterOS 6.1
# software id = 2WQI-40PS
#
/interface bridge
add admin-mac=%secret mac% auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=russia disabled=no distance=indoors \
    ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
set 10 name=sfp1-gateway speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] authentication-types=gpe mode=dynamic-keys wpa-pre-shared-key=%secret key%\
    gper-shared-key=%secret key%
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
I use ether1-ether5, where:
ether1 - Internet cable from my ISP
ether2-ether5 - Local
ether6-ether10 - empty
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: CPU loads 100%

Thu Aug 01, 2013 5:07 pm

Proper firewall:
/ip firewall filter
add chain=input comment="Input chain" connection-state=established
add chain=input connection-state=related
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp
add chain=input dst-port=8291 protocol=tcp
add chain=input in-interface=bridge-local
add action=log chain=input disabled=yes log-prefix=Drop
add action=drop chain=input
 
k3NGuru
just joined
Topic Author
Posts: 7
Joined: Wed Jul 31, 2013 3:36 pm

Re: CPU loads 100%

Thu Aug 01, 2013 6:20 pm

tomaskir
Thanks a lot.
Can you tell me what this rule means:
add action=log chain=input disabled=yes log-prefix=Drop
As I understand it, that rule logs something, or does it do something else?
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: CPU loads 100%

Thu Aug 01, 2013 6:38 pm

It's a rule that logs all the dropped traffic into the log. It's disabled; I enable it if I need to test things.

You can read more about all of this on http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
 
k3NGuru
just joined
Topic Author
Posts: 7
Joined: Wed Jul 31, 2013 3:36 pm

Re: CPU loads 100%

Thu Aug 01, 2013 6:49 pm

tomaskir
Thank you. :)
 
fatray747
just joined
Posts: 3
Joined: Sat May 11, 2013 8:57 am

Re: CPU loads 100%

Tue Aug 19, 2014 1:09 pm

My RB450G got a DNS attack today.
This topic is very useful and it works for me.
Thank you very much for sharing.
 
anandreddy
just joined
Posts: 4
Joined: Tue Apr 10, 2012 2:00 pm

Re: CPU loads 100%

Mon Sep 07, 2015 10:29 am

It works perfectly in CCR-1036.
Thanks
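
To see why the blanket port-53 drop cut off name resolution while the narrower rules and the final default-drop ruleset did not, here is a small first-match evaluator run over the rules posted in this thread (an added example, not part of any post and not RouterOS code). It models only the matchers these rules use; the packet addresses 10.10.10.25 and 203.0.113.9 and the port 41000 are constructed, and it assumes LAN clients use the router as their DNS server.

```python
import ipaddress
import shlex
FIELDS = ("protocol", "dst-port", "in-interface", "src-address", "connection-state")

def parse_rule(line):
    # RouterOS-style "key=value" text -> dict; a rule without action= accepts.
    pairs = (tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    return {"action": "accept", **dict(pairs)}

def matches(rule, pkt):
    # Every matcher present in the rule must agree with the packet; "!" negates.
    for key in FIELDS:
        if key in rule:
            negate, want = rule[key].startswith("!"), rule[key].lstrip("!")
            hit = (ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
                   if key == "src-address" else str(pkt[key]) == want)
            if hit == negate:
                return False
    return True

def verdict(ruleset, pkt):
    # First matching rule decides; disabled rules and action=log never terminate.
    for rule in map(parse_rule, ruleset):
        if rule.get("disabled") != "yes" and rule["action"] != "log" and matches(rule, pkt):
            return rule["action"]
    return "accept"  # nothing matched: the chain falls through to accept

RULESETS = {  # rule text copied from the posts above
    "blanket": ["chain=input action=drop protocol=udp dst-port=53"],
    "by_source": ["chain=input action=drop protocol=udp dst-port=53 src-address=!10.10.10.0/24"],
    "by_interface": ["chain=input action=drop protocol=udp in-interface=ether1-gateway dst-port=53"],
    "full": ['add chain=input comment="Input chain" connection-state=established',
             "add chain=input connection-state=related",
             "add chain=input connection-state=invalid action=drop",
             "add chain=input protocol=icmp",
             "add chain=input dst-port=8291 protocol=tcp",
             "add chain=input in-interface=bridge-local",
             "add action=log chain=input disabled=yes log-prefix=Drop",
             "add action=drop chain=input"]}
PACKETS = {name: dict(zip(FIELDS, vals)) for name, vals in {  # constructed samples
    "lan_query": ("udp", 53, "bridge-local", "10.10.10.25", "new"),
    "wan_query": ("udp", 53, "ether1-gateway", "203.0.113.9", "new"),
    "wan_tcp53": ("tcp", 53, "ether1-gateway", "203.0.113.9", "new"),
    "upstream_reply": ("udp", 41000, "ether1-gateway", "212.75.210.62", "established"),
}.items()}

def compare():
    return {n: {p: verdict(rs, k) for p, k in PACKETS.items()} for n, rs in RULESETS.items()}
if __name__ == "__main__":
    print(compare())
```

In this model the UDP-only rules still accept a TCP connection to port 53 arriving on ether1-gateway; only the default-drop ruleset rejects it.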
