Solved

Unusual network activity and how to stop it. Internet-facing interface on router over flooded with traffic.

Posted on 2016-10-14
Medium Priority
124 Views
Last Modified: 2016-10-14
We are having network problems because my router has too much traffic on the internet-facing Ethernet port (ether1). It does not have a corresponding amount of traffic coming from the LAN side. I suspect some kind of scans or attacks coming from the wild internet. I do have a firewall configured inside the router, but I'm not sure it is configured correctly.

My setup:
Router: actually it's a PC running MikroTik RouterOS 6.36.2
Ports: 2; ether1 and ether2
ether1 has a public IP
ether2 has 192.168.0.1
Speed: 5Mbps UP 25MBps DOWN
Topology: Internet -> Cable Modem -> Router -> Smart Switch -> the rest of the tree

problem area
RouterOS_firewall_maybe_not_working.txt
0
Question by:Jeff swicegood
14 Comments
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41844375
Either set up traffic logs in your router and look through those, or, install Comm View (Tamosoft) or Wireshark (https://www.wireshark.org/) and look at the external packets being seen by the router.

Make sure you have disabled DDoS attacks (set so they get rejected) in your router.
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 41844380
The 5.2 Mbps on ether1 is transmit (TX), so that means it is outgoing traffic coming from within your LAN, not traffic from the internet.  Where it's coming from is a bit of a mystery as the LAN-facing interface (ether2) is only showing around 200 Kbps.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41844381
A packet sniffer as described above will see traffic in both directions.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844390
RouterOS has a built-in traffic sniffer that is compatible with Wireshark, so the capture can be read there. What should I try to capture? Absolutely everything? How big should I let the capture file get?
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41844396
What I see in Comm View are packets with IP addresses in and out. That is what you want to capture.

Or, set up Wireshark on a computer and use the Capture interface to set up a capture.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844546
OK, I'm looking at my capture in Wireshark and I don't really know what to look for. One thing I notice is that it looks like my router is responding to DNS queries and even providing answers.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844547
To the public that is.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844551
Most of the packets have the words "defcongroups.org" in them.
0
 
LVL 97

Accepted Solution

by:Experienced Member (earned 2000 total points)
ID: 41844552
Look for something like this.

Incoming, Outgoing, Bytes transferred. Then look up the main IP Address in Whois (I use Smart Whois)

Comm-View-Packet-Trace
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 41844554
If this is indeed the situation, then your router is acting as an open DNS server.  This makes it a target for hackers, and that would explain the large amount of outgoing internet traffic with no equivalent amount of traffic coming from your LAN.

Suggest:  Shut off DNS service on the internet-facing interface.  And check to see what else might be enabled, that should not be.
0
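The accepted solution's advice (per-address inbound vs. outbound bytes) and Dr. Klahn's open-resolver explanation can be turned into a check over a reduced capture. This is an added example, not code from the thread; the record layout is an assumption about how a Wireshark or RouterOS sniffer export has been flattened, and the sample datagrams are constructed.

```python
"""Flag open-resolver abuse in UDP/53 traffic captured on the WAN port (ether1).
Record layout is an assumed reduction of a Wireshark/RouterOS sniffer export;
the sample datagrams at the bottom are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Dns:
    direction: str     # "rx" = arrived from the internet, "tx" = sent by the router
    peer: str          # internet-side address
    is_response: bool  # DNS header QR bit
    size: int          # bytes on the wire
    qname: str         # question name

@dataclass
class PeerStats:
    queries: int = 0   # queries this host sent to the router
    q_bytes: int = 0
    r_bytes: int = 0   # response bytes the router sent back to it
    qnames: Counter = field(default_factory=Counter)

def summarize(pkts):
    """Per internet host: queries it sent us vs. answers we returned."""
    peers = defaultdict(PeerStats)
    for p in pkts:
        if p.direction == "rx" and not p.is_response:   # a stranger is using us as a resolver
            s = peers[p.peer]
            s.queries += 1; s.q_bytes += p.size; s.qnames[p.qname] += 1
        elif p.direction == "tx" and p.is_response:     # ...and we answered
            peers[p.peer].r_bytes += p.size
        # tx queries / rx responses are the router's own upstream lookups: expected, ignored
    return peers

def flag_amplified(peers, min_ratio=4.0):
    """Hosts that got far more DNS bytes back than they sent in; spoofed victims look like this."""
    return sorted(ip for ip, s in peers.items() if s.queries and s.r_bytes / s.q_bytes >= min_ratio)

def top_qname(peers):
    """Name dominating the inbound queries (the thread's defcongroups.org)."""
    total = sum((s.qnames for s in peers.values()), Counter())
    return total.most_common(1)[0][0] if total else None

# Constructed sample: two spoofed "victims" plus the router's own lookup to an upstream resolver.
SAMPLE = ([Dns("rx", "203.0.113.7", False, 70, "defcongroups.org")] * 3
          + [Dns("tx", "203.0.113.7", True, 1400, "defcongroups.org")] * 3
          + [Dns("rx", "198.51.100.9", False, 70, "defcongroups.org")] * 2
          + [Dns("tx", "198.51.100.9", True, 1400, "defcongroups.org")] * 2
          + [Dns("tx", "192.0.2.53", False, 60, "example.com"),
             Dns("rx", "192.0.2.53", True, 130, "example.com")])
```

Calling `flag_amplified(summarize(SAMPLE))` lists the two external hosts that received about 20 times the DNS bytes they sent, while the router's own upstream exchange with 192.0.2.53 is not reported.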
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41844557
defcongroups.org is here
==================

defcongroups.org

162.222.171.220

Jeff Moss
Obfuscated whois Gandi-Paris
75013
France
Phone: +33.170377666
E-mail: f9de56646087eafea06ccab97154dece-3535439@contact.gandi.net

Whois Manager
Whois Proof LLP
Portland
OR
97208-4120
US
Phone: +1.2024700599
E-mail: w79r18sezb@whoisproof.com

DNS-2.DATAMERICA.COM
DNS-3.DATAMERICA.COM
DNS-1.DATAMERICA.COM


D160731441-LROR
Created: 2010-11-22T00:31:46Z
Source: whois.publicinterestregistry.net
==================
That is not likely you.
0
 
LVL 1

Author Closing Comment

by:Jeff swicegood
ID: 41844584
OK, the problem was that the firewall somehow had a rule to accept DNS requests from the internet. Disabled that and it went away.
0
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844587
Oops, didn't see your post, Dr., before I awarded points.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41844590
Thanks for updating us.
0
