My router is a 750GL and since Monday (05/10/2015), behind it is a Thompson router from my ISP provider which should be in bridge mode. I said 'should' because in an MTR test I see a strange IP behind my MikroTik, but I will explain that later. Now to the point: I'm struggling with network problems. The symptoms are quite strange. My network is working somehow, but after a couple of hours it stops working properly. By 'properly' I mean first of all:
- ping to domains doesn't work at all = unknown host - DNS misconfigured
- after that, ping to an IP (e.g. 8.8.8.8) responds with a lot of breaks, most of them Request timed out
- and of course, without proper firewall rules my MT CPU utilization is over 90%
The temporary solution is to power off and power on the ISP router (Thompson). But it's not a permanent solution.
OK, investigating the logs from my MT. I set an action=log rule in the firewall before the drop-all rule to log any other activity. This is what I get:
12:46:49 firewall,info Filter: input: in:ether1 out:(none), src-mac cc:35:40:1e:ae:d6, proto TCP (SYN), 74.207.236.49:44675->my_IP:8080, len 60
12:46:50 firewall,info Filter: input: in:ether1 out:(none), src-mac cc:35:40:1e:ae:d6, proto TCP (SYN), 222.253.108.170:29789->my_IP:8080, len 48
12:46:51 firewall,info Filter: input: in:ether1 out:(none), src-mac cc:35:40:1e:ae:d6, proto TCP (SYN), 178.74.70.70:56251->my_IP:8080, len 52
12:46:51 firewall,info Filter: input: in:ether1 out:(none), src-mac cc:35:40:1e:ae:d6, proto TCP (SYN), 5.9.57.103:41797->my_IP:8080, len
From what I understand, I'm having a lot of traffic flooding me on port 8080 with ip-protocol=tcp and the SYN flag set, in-interface=ether1. So I added a firewall rule at the top that adds every IP address matching in-interface=ether1 ip-protocol=tcp tcp-flag=syn chain=input to the SYN_DDOS address list (action=add-src-to-address-list), to see how many IPs there are.
After that I set a simple input/drop rule for IP addresses from the SYN_DDOS list.
It works when it comes to blocking that traffic. In /tool torch I see those IP addresses trying to flood my_ip:8080 with no tx/rx packets, only tx/rx rates of a few hundred bps.
This stopped the MT CPU utilization, and it now takes much longer for those symptoms to appear (DNS misconfigured and request timed out) - from a few hours to one day. But after one day, sometimes a couple of hours, the same situation. I have to reboot the ISP router (bridge mode) and I regain access to the Internet.
I did an MTR test and have a strange thing going on. When I...
1. Make a traceroute to my ISP gateway, I have 2 jumps (1 my router / 2 my ISP gateway) - and that's correct.
2. Make a traceroute e.g. to Google DNS 8.8.8.8, I have this:
1 <1 ms <1 ms <1 ms router [10.0.1.100]
2 <1 ms <1 ms <1 ms 192.168.0.254
3 16 ms 13 ms 16 ms 10.63.0.1
4 8 ms 7 ms 7 ms gw1-cmts1.tesatnet.pl [79.173.37.10]
5 8 ms 7 ms 7 ms c99-25.icpnet.pl [62.21.99.25]
6 8 ms 7 ms 8 ms e123-1.icpnet.pl [46.238.123.1]
7 10 ms 8 ms 8 ms e123-6.icpnet.pl [46.238.123.6]
8 8 ms 6 ms 11 ms e123-22.icpnet.pl [46.238.123.22]
9 14 ms 8 ms 7 ms rt1-przybyszewskiego-vlan503.core.icpnet.pl [62.21.99.162]
10 11 ms 21 ms 11 ms google-gw.pix.net.pl [185.1.4.45]
11 12 ms 13 ms 37 ms 66.249.95.13
12 40 ms 30 ms 39 ms 216.239.50.217
13 30 ms 29 ms 29 ms 216.239.46.15
14 * * * Upłynął limit czasu żądania.
15 31 ms 30 ms 29 ms google-public-dns-a.google.com [8.8.8.8]
I don't know what the device on the second jump (192.168.0.254) is, and where has the ISP gateway disappeared?
Is there any solution for that attack? Or do I have to ask my ISP provider to change my static IP address?
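Added example, not part of the original post: a small parser for the "firewall,info" log format shown above that tallies distinct SYN senders per destination port on ether1, so one can tell a wide-spread flood on one port (as here with 8080) from a single scanner, and that emits RouterOS address-list entries with a timeout so the list ages out instead of growing forever. The sample lines are constructed to match the post's format (the "len" of the fourth line and the whole fifth line are made up); the threshold value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input in the format of the firewall log lines in the post.
SAMPLE_LOG = [
    "12:46:49 firewall,info Filter: input: in:ether1 out:(none), src-mac cc:35:40:1e:ae:d6, proto TCP (SYN), 74.207.236.49:44675->my_IP:8080, len 60",
    "12:46:50 firewall,info Filter: input: in:ether1 out:(none), src-mac cc:35:40:1e:ae:d6, proto TCP (SYN), 222.253.108.170:29789->my_IP:8080, len 48",
    "12:46:51 firewall,info Filter: input: in:ether1 out:(none), src-mac cc:35:40:1e:ae:d6, proto TCP (SYN), 178.74.70.70:56251->my_IP:8080, len 52",
    "12:46:51 firewall,info Filter: input: in:ether1 out:(none), src-mac cc:35:40:1e:ae:d6, proto TCP (SYN), 5.9.57.103:41797->my_IP:8080, len 40",
    "12:46:52 firewall,info Filter: input: in:ether1 out:(none), src-mac cc:35:40:1e:ae:d6, proto TCP (SYN), 198.51.100.7:51000->my_IP:22, len 60",
]

# One log line: time, chain, interfaces, src-mac, protocol + flags, src:port->dst:port, length.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info Filter: (?P<chain>\w+): "
    r"in:(?P<iface>\S+) out:\S+, src-mac (?P<mac>\S+), "
    r"proto (?P<proto>\w+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

def parse_line(line):
    """Return the fields of one firewall log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    rec["flags"] = {f.strip() for f in rec["flags"].split(",")}  # e.g. {"SYN"} or {"SYN", "ACK"}
    return rec

def syn_sources_by_port(lines, iface="ether1"):
    """Map destination port -> set of source IPs that sent a bare SYN to the router on `iface`."""
    by_port = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["chain"] == "input" and rec["iface"] == iface
                and rec["proto"] == "TCP" and rec["flags"] == {"SYN"}):
            by_port[rec["dport"]].add(rec["src"])
    return dict(by_port)

def flagged_ports(lines, min_sources=3, iface="ether1"):
    """Ports hit by at least `min_sources` distinct SYN senders (threshold is an assumption)."""
    return {port: sorted(srcs) for port, srcs in syn_sources_by_port(lines, iface).items()
            if len(srcs) >= min_sources}

def address_list_commands(sources, list_name="SYN_DDOS", timeout="1d"):
    """RouterOS CLI lines adding each source to an address list with an expiry."""
    return [f"/ip firewall address-list add list={list_name} address={ip} timeout={timeout}"
            for ip in sources]
```

Running `flagged_ports(SAMPLE_LOG)` reports only port 8080 with four distinct sources; the single SYN to port 22 stays below the threshold.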