tinman
just joined
Topic Author
Posts: 1
Joined: Sun Jul 05, 2015 2:17 pm

Abnormally high traffic on My Wan Port

Sun Jul 05, 2015 2:34 pm

Hi fellow users, I'm new to this forum and to MikroTik in general. I have managed to configure my MikroTik RB951Ui-2HnD and it's working alright. However, on checking my interface list, I noticed my WAN port is receiving a lot of data that's not being passed on to the network. Anyone know what kind of traffic this could be and if this behavior is normal? My DNS caching is off and allow remote request is disabled.
Capture.JPG
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Abnormally high traffic on My Wan Port

Mon Jul 06, 2015 9:25 am

In Winbox go to Tools > Torch, select ether1 as interface and click start.

That'll show you packets hitting the interface and maybe you can identify where they're coming from.

Your Mikrotik may be just dropping the packets if they're unsolicited.
 
purana
newbie
Posts: 48
Joined: Sun Jun 21, 2015 1:57 pm

Re: Abnormally high traffic on My Wan Port

Fri Jul 17, 2015 1:45 pm

As a guess, if you have a static IP, I bet someone has found you have udp/53 open and is sending you loads of bogus DNS packets to this port, which have been spoofed with other IPs as the source. Which means for very little inbound traffic to use this exploit, your router is sending a massive amount of traffic back to those spoofed IPs in the udp/53 packets.

Using Torch you should be able to identify this with a bit of effort. Perhaps you could set up the rule below to block it and see what happens.

/ip firewall filter
# Replace the bracketed placeholder with the name of your WAN interface.
add chain=input action=drop protocol=udp in-interface=[wan interface here] dst-port=53 log=no log-prefix="" comment="Drop udp 53 inbound from internet."
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Fri Jul 17, 2015 2:08 pm

Drop tcp/53 too.
 
purana
newbie
Posts: 48
Joined: Sun Jun 21, 2015 1:57 pm

Re: Abnormally high traffic on My Wan Port

Fri Jul 17, 2015 3:00 pm

The bogus/spoofed packets causing loads of outbound traffic can be clearly seen on the graph below. The rule soon stopped the folks exploiting it.

Image
 
onnoossendrijver
Member
Posts: 489
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Abnormally high traffic on My Wan Port

Fri Jul 17, 2015 3:08 pm

Disable access to your DNS service from the WAN connection.
This type of attack is called a DNS amplification attack.
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Abnormally high traffic on My Wan Port

Sat Jul 18, 2015 3:56 pm

Everyone seems to have missed the WAN interface is receiving a lot of traffic, not transmitting.
 
purana
newbie
Posts: 48
Joined: Sun Jun 21, 2015 1:57 pm

Re: Abnormally high traffic on My Wan Port

Sat Jul 18, 2015 4:12 pm

marrold wrote: "Everyone seems to have missed the WAN interface is receiving a lot of traffic, not transmitting."

It's just hard to diagnose from the output provided. Would need to see some Torch output on the interface that shows the protocol type and ports.

But yes, looks to be inbound, perhaps a DoS or DDoS attack. Who knows.
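
Added example, not part of any post in this thread: a Python sketch of the check the posters are debating, comparing bytes received on the router's own port 53 with bytes sent back in reply. The CSV layout, the addresses, the function names and the 5x threshold are assumptions constructed for the illustration, not a RouterOS export format.

```python
import csv
import io

# Constructed per-flow counters for the WAN interface (assumed layout).
# tx_bytes = sent by the router on WAN, rx_bytes = received on WAN.
REFLECTING = """proto,src,dst,dst_port,tx_bytes,rx_bytes
udp,198.51.100.7,203.0.113.10,53,310000,6400
udp,198.51.100.9,203.0.113.10,53,295000,6100
tcp,203.0.113.10,192.0.2.44,443,1200,88000
"""
RX_ONLY = """proto,src,dst,dst_port,tx_bytes,rx_bytes
udp,198.51.100.7,203.0.113.10,53,0,410000
udp,198.51.100.9,203.0.113.10,53,0,395000
"""
WAN_IP = "203.0.113.10"  # constructed WAN address of the router


def dns_to_router(text, wan_ip):
    """Return (rx, tx) byte totals for flows aimed at the router's port 53.

    Protocol is not filtered, so both udp/53 and tcp/53 are counted.
    """
    rx = tx = 0
    for row in csv.DictReader(io.StringIO(text)):
        if row["dst"] == wan_ip and row["dst_port"] == "53":
            rx += int(row["rx_bytes"])
            tx += int(row["tx_bytes"])
    return rx, tx


def classify(text, wan_ip, min_ratio=5.0):
    """Label the port-53 traffic by comparing answers sent to queries received."""
    rx, tx = dns_to_router(text, wan_ip)
    if rx == 0:
        return "no-dns-to-router"      # look at other protocols and ports
    if tx >= min_ratio * rx:
        return "reflecting"            # small queries in, large answers out
    return "queries-not-answered"      # arriving on WAN, but no large replies


if __name__ == "__main__":
    for name, sample in (("REFLECTING", REFLECTING), ("RX_ONLY", RX_ONLY)):
        print(name, dns_to_router(sample, WAN_IP), classify(sample, WAN_IP))
```

A drop rule on the input chain stops the replies, but the interface RX counter still counts the queries that arrive, which is the RX_ONLY case.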