Solved

Unusual network activity and how to stop it. Internet-facing interface on router over flooded with traffic.

Posted on 2016-10-14
Last Modified: 2016-10-14
We are having network problems because my router has got too much traffic on the internet-facing Ethernet port (ether1). It does not have a corresponding amount of traffic coming from the LAN side. I suspect some kind of scans or attacks coming from the wild internet. I do have a firewall configured inside the router, but I'm not sure it is configured correctly.

My setup:
Router:  Actually it's a PC running Mikrotik Router OS 6.36.2
Ports: 2; ether 1 and ether 2
Ether 1 has a public IP
Ether 2 has 192.168.0.1
Speed: 5Mbps UP 25MBps DOWN
Topology:  Internet------>Cable Modem----->Router------>Smart Switch-------The rest of the tree

problem area
RouterOS_firewall_maybe_not_working.txt
Question by:Jeff swicegood
14 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844375
Either set up traffic logs in your router and look through those, or, install Comm View (Tamosoft) or Wireshark (https://www.wireshark.org/) and look at the external packets being seen by the router.

Make sure you have disabled DDOS attacks (set so they get rejected) in your router.
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41844380
The 5.2 Mbps on ether1 is transmit (TX), so that means it is outgoing traffic coming from within your LAN, not traffic from the internet.  Where it's coming from is a bit of a mystery as the LAN-facing interface (ether2) is only showing around 200 Kbps.
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844381
A packet sniffer as described above will see traffic in both directions.
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844390
RouterOS has a built-in traffic sniffer that is compatible with and can be read by Wireshark. What should I try to capture? Absolutely everything? How big should I let the capture file get?
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844396
What I see in Comm View are packets with IP addresses in and out. That is what you want to capture.

Or, set up Wireshark on a computer and use the Capture interface to set up a capture.
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844546
Ok I'm looking at my capture in wireshark and I don't really know what to look for.  One thing I notice is it looks like my router is responding to DNS queries and even providing answers.
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844547
To the public that is.
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844551
Most of the packets have the words "defcongroups.org" in them.
 
LVL 90

Accepted Solution

by:John Hurst (earned 500 total points)
ID: 41844552
Look for something like this.

Incoming, Outgoing, Bytes transferred. Then look up the main IP Address in Whois (I use Smart Whois)

Comm-View-Packet-Trace
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41844554
If this is indeed the situation, then your router is acting as an open DNS server.  This makes it a target for hackers, and that would explain the large amount of outgoing internet traffic with no equivalent amount of traffic coming from your LAN.

Suggest:  Shut off DNS service on the internet-facing interface.  And check to see what else might be enabled, that should not be.
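An added detection example (not from any participant in this thread) for checking a capture for the open-resolver behaviour described above: it flags remote hosts to which the router's WAN address sends DNS replies far larger than the queries it received. The WAN address and the packet summaries are constructed; the 192.168.0.0/24 LAN is taken from the question.

```python
import ipaddress
from collections import defaultdict

WAN_IP = "203.0.113.10"  # assumed public address on ether1 (documentation range)
LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # LAN behind ether2, per the thread

# Constructed packet summaries, as a capture tool would list them:
# (src, dst, proto, sport, dport, length_bytes, dns_is_response)
SAMPLE = [
    ("198.51.100.7", "203.0.113.10", "udp", 40001, 53, 70, False),
    ("203.0.113.10", "198.51.100.7", "udp", 53, 40001, 1400, True),
    ("198.51.100.7", "203.0.113.10", "udp", 40002, 53, 70, False),
    ("203.0.113.10", "198.51.100.7", "udp", 53, 40002, 1400, True),
    ("198.51.100.7", "203.0.113.10", "udp", 40003, 53, 70, False),
    ("203.0.113.10", "198.51.100.7", "udp", 53, 40003, 1400, True),
    ("192.0.2.44", "203.0.113.10", "udp", 51000, 53, 60, False),
    ("203.0.113.10", "192.0.2.44", "udp", 53, 51000, 120, True),
    ("192.168.0.50", "203.0.113.10", "udp", 52000, 53, 60, False),   # LAN host, ignored
    ("203.0.113.10", "198.51.100.7", "tcp", 443, 50000, 1500, False),  # not DNS, ignored
]

def dns_stats(pkts):
    """Per remote peer: DNS queries the router received and replies it sent back."""
    stats = defaultdict(lambda: {"queries_in": 0, "bytes_in": 0,
                                 "replies_out": 0, "bytes_out": 0})
    for src, dst, proto, sport, dport, length, is_resp in pkts:
        if proto != "udp":
            continue
        if dst == WAN_IP and dport == 53 and not is_resp:
            peer, direction = src, "in"
        elif src == WAN_IP and sport == 53 and is_resp:
            peer, direction = dst, "out"
        else:
            continue
        if ipaddress.ip_address(peer) in LAN_NET:
            continue  # LAN clients may legitimately use the router as their resolver
        s = stats[peer]
        if direction == "in":
            s["queries_in"] += 1; s["bytes_in"] += length
        else:
            s["replies_out"] += 1; s["bytes_out"] += length
    return dict(stats)

def abused_peers(pkts, min_ratio=5.0):
    """Peers outside the LAN that received amplified replies: {peer: bytes_out/bytes_in}.
    With reflection abuse the peer is usually the spoofed victim, not the attacker."""
    flagged = {}
    for peer, s in dns_stats(pkts).items():
        if s["replies_out"] and s["bytes_in"]:
            ratio = s["bytes_out"] / s["bytes_in"]
            if ratio >= min_ratio:
                flagged[peer] = round(ratio, 1)
    return flagged
```

With the constructed sample the router answers 198.51.100.7 with 20x the bytes it received, which is the pattern to look for; the fix is still to stop answering DNS on ether1 rather than to filter by peer.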
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844557
defcongroups.org is here
==================

defcongroups.org

162.222.171.220

Jeff Moss
Obfuscated whois Gandi-Paris
75013
France
Phone: +33.170377666
E-mail: f9de56646087eafea06ccab97154dece-3535439@contact.gandi.net

Whois Manager
Whois Proof LLP
Portland
OR
97208-4120
US
Phone: +1.2024700599
E-mail: w79r18sezb@whoisproof.com

DNS-2.DATAMERICA.COM
DNS-3.DATAMERICA.COM
DNS-1.DATAMERICA.COM

Google Page Rank : 0
Alexa Traffic Rank : 3,601,641

D160731441-LROR
Created: 2010-11-22T00:31:46Z
Source: whois.publicinterestregistry.net
==================
That is not likely you.
 
LVL 1

Author Closing Comment

by:Jeff swicegood
ID: 41844584
Ok, the problem was the firewall somehow had a rule to accept DNS requests from the internet. Disabled that and it went away.
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 41844587
Oops, didn't see your post, Dr., before I awarded points.
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844590
Thanks for updating us.