• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 141

Unusual network activity and how to stop it: internet-facing interface on router flooded with traffic.

We are having network problems because my router has got too much traffic on the internet-facing ethernet port (ether1). It does not have a corresponding amount of traffic coming from the LAN side. I suspect some kind of scans or attacks coming from the wild internet. I do have a firewall configured inside the router, but I'm not sure it is configured correctly.

My setup:
Router:  Actually it's a PC running Mikrotik Router OS 6.36.2
Ports: 2; ether 1 and ether 2
Ether 1 has a public IP
Ether 2 has 192.168.0.1
Speed: 5Mbps UP 25MBps DOWN
Topology:  Internet------>Cable Modem----->Router------>Smart Switch-------The rest of the tree

problem area
RouterOS_firewall_maybe_not_working.txt
0
1 Solution
 
John Hurst, Business Consultant (Owner), commented:
Either set up traffic logs in your router and look through those, or install CommView (TamoSoft) or Wireshark (https://www.wireshark.org/) and look at the external packets being seen by the router.

Make sure you have disabled DDoS attacks (set so they get rejected) in your router.
0
 
Dr. Klahn, Principal Software Engineer, commented:
The 5.2 Mbps on ether1 is transmit (TX), so that means it is outgoing traffic coming from within your LAN, not traffic from the internet. Where it's coming from is a bit of a mystery, as the LAN-facing interface (ether2) is only showing around 200 Kbps.
0
 
John Hurst, Business Consultant (Owner), commented:
A packet sniffer as described above will see traffic in both directions.
0
 
Jeff swicegood (Author) commented:
RouterOS has a built-in traffic sniffer whose captures are compatible with and can be read by Wireshark. What should I try to capture? Absolutely everything? How big should I let the capture file get?
0
 
John Hurst, Business Consultant (Owner), commented:
What I see in Comm View are packets with IP addresses in and out. That is what you want to capture.

Or, set up Wireshark on a computer and use the Capture interface to set up a capture.
0
 
Jeff swicegood (Author) commented:
OK, I'm looking at my capture in Wireshark and I don't really know what to look for. One thing I notice is that it looks like my router is responding to DNS queries and even providing answers.
0
 
Jeff swicegood (Author) commented:
To the public that is.
0
 
Jeff swicegood (Author) commented:
Most of the packets have the words "defcongroups.org" in them.
0
 
John Hurst, Business Consultant (Owner), commented:
Look for something like this:

Incoming, Outgoing, Bytes transferred. Then look up the main IP address in Whois (I use Smart Whois).

[Attachment: Comm-View-Packet-Trace]
0
 
Dr. Klahn, Principal Software Engineer, commented:
If this is indeed the situation, then your router is acting as an open DNS server.  This makes it a target for hackers, and that would explain the large amount of outgoing internet traffic with no equivalent amount of traffic coming from your LAN.

Suggest:  Shut off DNS service on the internet-facing interface.  And check to see what else might be enabled, that should not be.
0
 
John Hurst, Business Consultant (Owner), commented:
defcongroups.org is here:
==================

Domain:        defcongroups.org
IP address:    162.222.171.220

Contact (listed three times in the output): Jeff Moss, Obfuscated whois Gandi-Paris, 75013 France
               Phone: +33.170377666
               E-mail: f9de56646087eafea06ccab97154dece-3535439@contact.gandi.net

Whois Manager: Whois Proof LLP, Portland, OR 97208-4120, US
               Phone: +1.2024700599
               E-mail: w79r18sezb@whoisproof.com, x5f9qu8jb7j@whoisproof.com

Name servers:  DNS-1.DATAMERICA.COM, DNS-2.DATAMERICA.COM, DNS-3.DATAMERICA.COM

Google Page Rank: 0
Alexa Traffic Rank: 3,601,641

D160731441-LROR
Created: 2010-11-22T00:31:46Z
Source: whois.publicinterestregistry.net
==================
That is not likely you.
0
 
Jeff swicegood (Author) commented:
OK, the problem was the firewall somehow had a rule to accept DNS requests from the internet. Disabled that and it went away.
0
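Dr. Klahn's suggestion (shut off DNS on the internet-facing interface and check what else is enabled) and the author's fix (remove the rule accepting DNS from the internet) map onto a short RouterOS v6 session. The following is an added example written for this page, not commands from the thread or from MikroTik documentation; it assumes the interface names and LAN range given in the question (ether1 public, ether2 on 192.168.0.0/24), and the rule comments and the choice of services to restrict are mine.

```routeros
# Added example (not from the original thread). Confirm whether a RouterOS v6
# box answers DNS for the whole internet, then close it. Assumes ether1 is the
# public interface and the LAN on ether2 is 192.168.0.0/24, as in the question.

# 1. Is the resolver answering remote requests at all? With
#    allow-remote-requests=yes RouterOS answers port 53 on every interface,
#    ether1 included, unless a firewall rule stops it.
/ip dns print

# 2. Watch port 53 on the public side for ten seconds. Queries whose source is
#    not 192.168.0.0/24, answered from the router's public address, mean the
#    router is an open resolver.
/tool sniffer quick interface=ether1 port=53 duration=10

# 3. Show any input rule that lets port 53 in. A rule like the one the author
#    found would look like this (do NOT add it; shown for comparison):
#      add chain=input protocol=udp dst-port=53 action=accept
/ip firewall filter print where chain=input dst-port=53

# 4. Fix: drop DNS arriving on the public interface, UDP and TCP, placed at
#    the top of the input chain so no later accept rule wins. LAN clients on
#    ether2 are unaffected because the match is on in-interface=ether1.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop place-before=0 comment="no DNS from internet"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop place-before=0 comment="no DNS from internet (tcp)"

#    Alternative, if nothing on the LAN uses the router as its resolver:
#    /ip dns set allow-remote-requests=no

# 5. Verify: the packet counters on the new rules should climb while the
#    queries are still arriving, and TX on ether1 should fall back to what
#    the LAN is actually sending.
/ip firewall filter print stats where comment~"no DNS from internet"
/interface monitor-traffic ether1 once

# 6. Dr. Klahn's "what else is enabled": confine management services to the
#    LAN address range and disable the ones not in use (assumed here: telnet
#    and ftp are unused).
/ip service print
/ip service set [find name=www] address=192.168.0.0/24
/ip service disable [find name~"telnet|ftp"]
```

The asymmetry in the question (5 Mbps out on ether1, only ~200 Kbps in from ether2) is what an open resolver being abused for amplification looks like: small queries arrive with a spoofed source address and the router sends the much larger answers to that address, so the outbound volume has no LAN counterpart. The `/tool sniffer quick` output is also the quickest way to see which name is being queried over and over, which in this thread was defcongroups.org.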
 
Jeff swicegood (Author) commented:
Oops, I didn't see your post, Dr. Klahn, before I awarded points.
0
 
John Hurst, Business Consultant (Owner), commented:
Thanks for updating us.
0
