Solved

Unusual network activity and how to stop it. Internet-facing interface on router over flooded with traffic.

Posted on 2016-10-14
14
86 Views
Last Modified: 2016-10-14
We are having network problems because my router has got too much traffic on the internet facing ethernet port (ether1). It does not have a corresponding amount of traffic coming from the LAN side. I suspect some kind of some kind of scans or attacks coming from the wild internet. I do have a firewall configured inside the router, but I'm not sure it is configured correctly.

My setup:
Router:  Actually it's a PC running Mikrotik Router OS 6.36.2
Ports: 2; ether 1 and ether 2
Ether 1 has a public IP
Ether 2 has 192.168.0.1
Speed: 5Mbps UP 25MBps DOWN
Topology:  Internet------>Cable Modem----->Router------>Smart Switch-------The rest of the tree

problem area
RouterOS_firewall_maybe_not_working.txt
0
Comment
Question by:Jeff swicegood
  • 6
  • 6
  • 2
14 Comments
 
LVL 93

Expert Comment

by:John Hurst
ID: 41844375
Either set up traffic logs in your router and look through those, or, install Comm View (Tamosoft) or Wireshark (https://www.wireshark.org/) and look at the external packets being seen by the router.

Make sure you have disabled DDOS attacks (set so they get rejected) in your router.
0
 
LVL 25

Expert Comment

by:Dr. Klahn
ID: 41844380
The 5.2 Mbps on ether1 is transmit (TX), so that means it is outgoing traffic coming from within your LAN, not traffic from the internet.  Where it's coming from is a bit of a mystery as the LAN-facing interface (ether2) is only showing around 200 Kbps.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41844381
A packet sniffer as described above will see traffic in both directions.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844390
RouterOS has a built-n traffic sniffer compatible and can be read by wireshark. What should I try to capture? Absolutely everything? How big should I let the capture file get?
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41844396
What I see in Comm View are packets with IP addresses in and out. That is what you want to capture.

Or, set up Wireshark on a computer and use the Capture interface to set up a capture.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844546
Ok I'm looking at my capture in wireshark and I don't really know what to look for.  One thing I notice is it looks like my router is responding to DNS queries and even providing answers.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844547
To the public that is.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844551
Most of the packets have the words "defcongroups.org" in them.
0
 
LVL 93

Accepted Solution

by:
John Hurst earned 500 total points
ID: 41844552
Look for something like this.

Incoming, Outgoing, Bytes transferred. Then look up the main IP Address in Whois (I use Smart Whois)

Comm-View-Packet-Trace
0
 
LVL 25

Expert Comment

by:Dr. Klahn
ID: 41844554
If this is indeed the situation, then your router is acting as an open DNS server.  This makes it a target for hackers, and that would explain the large amount of outgoing internet traffic with no equivalent amount of traffic coming from your LAN.

Suggest:  Shut off DNS service on the internet-facing interface.  And check to see what else might be enabled, that should not be.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41844557
defcongroups.org is here
==================

defcongroups.org

162.222.171.220

Jeff Moss
Obfuscated whois Gandi-Paris
75013
France
Phone: +33.170377666
E-mail: f9de56646087eafea06ccab97154dece-3535439@contact.gandi.net

Whois Manager
Whois Proof LLP
Portland
OR
97208-4120
US
Phone: +1.2024700599
E-mail: w79r18sezb@whoisproof.com
Jeff Moss
Obfuscated whois Gandi-Paris
75013
France
Phone: +33.170377666
E-mail: f9de56646087eafea06ccab97154dece-3535439@contact.gandi.net

Whois Manager
Whois Proof LLP
Portland
OR
97208-4120
US
Phone: +1.2024700599
E-mail: x5f9qu8jb7j@whoisproof.com
Jeff Moss
Obfuscated whois Gandi-Paris
75013
France
Phone: +33.170377666
E-mail: f9de56646087eafea06ccab97154dece-3535439@contact.gandi.net

DNS-2.DATAMERICA.COM
DNS-3.DATAMERICA.COM
DNS-1.DATAMERICA.COM

Google Page Rank : 0
Alexa Traffic Rank : 3,601,641

D160731441-LROR
Created: 2010-11-22T00:31:46Z
Source: whois.publicinterestregistry.net
==================
That is not likely you.
0
 
LVL 1

Author Closing Comment

by:Jeff swicegood
ID: 41844584
Ok, the problem was the firewall somehow had a rule to accept DNS requests from the internet. Disabled that and it went a way.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844587
Oops didn't see your post Dr. before I awarded points.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41844590
Thanks for updating us.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question