I cannot reconcile between the high upstream bandwidth with the combined total upstream of individual interfaces.
Even when I turned off all devices except 2 VoIP phones and a ovpn connection so I can identify and isolate the issue.

It's even weirder when my nominal maximum upstream is 2.4mbps. In the attached picture, it was at 4.5mbps.

Is there a simple explanation for this, or is it something more fishy?

Thank you.

So look at the traffic what is it... Use torch. My guess is that you are part of dns amplification attack. Don't you have your dns service available to public, do you?

So look at the traffic what is it... Use torch. My guess is that you are part of dns amplification attack. Don't you have your dns service available to public, do you?

This dude is right. Block access to your udp and tcp port 53 on your wan interface

So look at the traffic what is it... Use torch. My guess is that you are part of dns amplification attack. Don't you have your dns service available to public, do you?

You're very knowledgeable and sharp with your diagnosis. Thanks to you, I learned a few more lessons.

I had a few DNS accounts for remote access. Your explanation sent me to do some reading on the topic of amplification attack. Highly embarrassing but I think it was due to my firewall filter settings 'out of kilter' (following my clumsy learning about Fasttrack a month or so ago). I had learned a good lesson to be extremely careful while on the firewall rules screen. (In fact, I numbered the rules in case they are accidentally shifted or deleted).

Having redone the firewalls from scratch, the attacks appear to stop. So far. Once my DNS accounts are resurrected and the attacks do not come back, I will know for sure. I let it as is for now. I am going to change all my security passwords, but do you think it's needed since it a DOS-type attack? Just for my education.

I thank you again for your being a good nettizen. I appreciate it.
__________________

This dude is right. Block access to your udp and tcp port 53 on your wan interface

You mean this:
/ip firewall filter
add action=drop chain=input comment="R3.2 in testing" protocol=udp src-port=\
53
add action=drop chain=input comment="R3.3 in testing" protocol=tcp src-port=53

Thanks.

Dst-port from outside, not src-port.

It's not so hard to guess the reason as the symptoms are repeated here really many times. Glad you are safely behind this topic now. It should not be linked to any password protected function at all so don't worry.

Dst-port from outside, not src-port.

Thanks for that.

Over 24 hours only 195 Bytes were captured (i.e. rejected) under the tcp rule. None under udp protocol however.
I thought more would have been captured if they were these main causes.

It's not so hard to guess the reason as the symptoms are repeated here really many times. Glad you are safely behind this topic now. It should not be linked to any password protected function at all so don't worry.

TBH, I thought of worst scenario initially and went through drastic steps including swapping b/w routers and netinstall. Even got a RB2011-UiAS-2Hnd-IN replacement as mine refused to play ball after a netsintall.

I retried ovpn connection using DNS name and the attacks seem to stay away, so I am happy with the diagnosis. (I use a new DNS name however.)

In the end, I think it's safe to say my out-of-kilter firewall rules, aided by the use of DNS, contributed to the amplification attacks. A lesson learned for me.

Thanks again for being a good nettizen. I buy you a drink if I bump into you in Australia. .

Thanks. It may happen one day. But rather wine or so. If you would like to get in closer touch, drop your Skype name. I will contact you.