Solved

Unusual network activity and how to stop it. Internet-facing interface on router over flooded with traffic.

Posted on 2016-10-14
Last Modified: 2016-10-14
We are having network problems because my router has got too much traffic on the internet facing ethernet port (ether1). It does not have a corresponding amount of traffic coming from the LAN side. I suspect some kind of scans or attacks coming from the wild internet. I do have a firewall configured inside the router, but I'm not sure it is configured correctly.

My setup:
Router:  Actually it's a PC running Mikrotik Router OS 6.36.2
Ports: 2; ether 1 and ether 2
Ether 1 has a public IP
Ether 2 has 192.168.0.1
Speed: 5Mbps UP 25MBps DOWN
Topology:  Internet------>Cable Modem----->Router------>Smart Switch-------The rest of the tree

Attachment (problem area): RouterOS_firewall_maybe_not_working.txt
Question by:Jeff swicegood
14 Comments
 
LVL 98

Expert Comment

by:John Hurst
ID: 41844375
Either set up traffic logs in your router and look through those, or, install Comm View (Tamosoft) or Wireshark (https://www.wireshark.org/) and look at the external packets being seen by the router.

Make sure you have disabled DDOS attacks (set so they get rejected) in your router.
0
 
LVL 29

Expert Comment

by:Dr. Klahn
ID: 41844380
The 5.2 Mbps on ether1 is transmit (TX), so that means it is outgoing traffic coming from within your LAN, not traffic from the internet.  Where it's coming from is a bit of a mystery as the LAN-facing interface (ether2) is only showing around 200 Kbps.
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41844381
A packet sniffer as described above will see traffic in both directions.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844390
RouterOS has a built-in traffic sniffer whose output is compatible with and can be read by Wireshark. What should I try to capture? Absolutely everything? How big should I let the capture file get?
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41844396
What I see in Comm View are packets with IP addresses in and out. That is what you want to capture.

Or, set up Wireshark on a computer and use the Capture interface to set up a capture.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844546
Ok I'm looking at my capture in wireshark and I don't really know what to look for.  One thing I notice is it looks like my router is responding to DNS queries and even providing answers.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844547
To the public that is.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844551
Most of the packets have the words "defcongroups.org" in them.
0
 
LVL 98

Accepted Solution

by:
John Hurst earned 2000 total points
ID: 41844552
Look for something like this.

Incoming, Outgoing, Bytes transferred. Then look up the main IP Address in Whois (I use Smart Whois)

[Image: Comm-View-Packet-Trace]
0
 
LVL 29

Expert Comment

by:Dr. Klahn
ID: 41844554
If this is indeed the situation, then your router is acting as an open DNS server.  This makes it a target for hackers, and that would explain the large amount of outgoing internet traffic with no equivalent amount of traffic coming from your LAN.

Suggest:  Shut off DNS service on the internet-facing interface.  And check to see what else might be enabled, that should not be.
0
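As an added example (not code from this thread), a short Python triage of a DNS capture exported from the RouterOS sniffer with tshark: it separates queries that arrived from outside the LAN from ordinary LAN lookups, tallies the queried names, and estimates the response-to-query byte ratio, which is what an open resolver being used for reflection looks like in a capture. The router's public IP 198.51.100.10, the external source 203.0.113.9 and the sample records are constructed.

```python
"""Triage a DNS capture for the open-resolver symptom described above.

Input is a tab-separated export such as
  tshark -r ether1.pcap -Y dns -T fields -e frame.len -e ip.src -e ip.dst \
         -e dns.flags.response -e dns.qry.name
(real tshark field names; the SAMPLE below is constructed, not a real capture).
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: two queries from an outside address answered with large
# responses, plus one legitimate LAN lookup. Public addresses are documentation ranges.
SAMPLE = """\
78\t203.0.113.9\t198.51.100.10\t0\tdefcongroups.org
78\t203.0.113.9\t198.51.100.10\t0\tdefcongroups.org
1404\t198.51.100.10\t203.0.113.9\t1\tdefcongroups.org
1404\t198.51.100.10\t203.0.113.9\t1\tdefcongroups.org
74\t192.168.0.23\t192.168.0.1\t0\texample.com
90\t192.168.0.1\t192.168.0.23\t1\texample.com
"""

LAN = ip_network("192.168.0.0/24")             # ether2 side, from the question
ROUTER_IPS = {"198.51.100.10", "192.168.0.1"}  # the public IP is an assumption

def parse(text):
    """Turn the tshark field export into (size, src, dst, is_response, name) tuples."""
    recs = []
    for line in text.splitlines():
        size, src, dst, is_resp, name = line.split("\t")
        recs.append((int(size), src, dst, is_resp == "1", name.lower()))
    return recs

def analyze(recs):
    """Count DNS queries that reached the router from outside the LAN and size the replies."""
    q_bytes = r_bytes = 0
    ext_sources, names = Counter(), Counter()
    for size, src, dst, is_resp, name in recs:
        if not is_resp and dst in ROUTER_IPS and ip_address(src) not in LAN:
            q_bytes += size
            ext_sources[src] += 1
            names[name] += 1
        elif is_resp and src in ROUTER_IPS and ip_address(dst) not in LAN:
            r_bytes += size
    return {"external_queries": sum(ext_sources.values()),
            "external_sources": ext_sources, "names": names,
            "query_bytes": q_bytes, "response_bytes": r_bytes,
            "amplification": (r_bytes / q_bytes) if q_bytes else 0.0}

def is_open_resolver(report):
    """Answering any query that arrived from outside the LAN is the symptom to fix."""
    return report["external_queries"] > 0 and report["response_bytes"] > 0

if __name__ == "__main__":
    rep = analyze(parse(SAMPLE))
    print("open resolver:", is_open_resolver(rep), "amplification x%.1f" % rep["amplification"])
    print("top names:", rep["names"].most_common(3))
```

On the constructed sample the router answers outside queries with replies about 18 times larger than the queries, which is the outgoing-heavy ether1 pattern the question describes.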
 
LVL 98

Expert Comment

by:John Hurst
ID: 41844557
defcongroups.org is here
==================

defcongroups.org

162.222.171.220

Jeff Moss
Obfuscated whois Gandi-Paris
75013
France
Phone: +33.170377666
E-mail: f9de56646087eafea06ccab97154dece-3535439@contact.gandi.net

Whois Manager
Whois Proof LLP
Portland
OR
97208-4120
US
Phone: +1.2024700599
E-mail: w79r18sezb@whoisproof.com

DNS-2.DATAMERICA.COM
DNS-3.DATAMERICA.COM
DNS-1.DATAMERICA.COM

Google Page Rank : 0
Alexa Traffic Rank : 3,601,641

D160731441-LROR
Created: 2010-11-22T00:31:46Z
Source: whois.publicinterestregistry.net
==================
That is not likely you.
0
 
LVL 1

Author Closing Comment

by:Jeff swicegood
ID: 41844584
Ok, the problem was the firewall somehow had a rule to accept DNS requests from the internet. Disabled that and it went away.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844587
Oops didn't see your post Dr. before I awarded points.
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41844590
Thanks for updating us.
0