mdsekawsar
just joined
Posts: 19
Joined: Tue Nov 04, 2014 12:55 am
Location: Joypurhat, Bangladesh

Is it DDoS Attack, Or Something Else?

Fri Oct 30, 2020 2:12 pm

Hello Dear,

I am a newbie in this forum and operate a medium-size network with MikroTik RouterOS. My core router connects to my upstream via BGP; the MikroTik has the latest OS and firmware updates, and its model is CCR1036-8G-2S+EM. The internet bandwidth it handles is 2500 Mbps. It was running smoothly for the last year and I didn't have any pain. But in the last few weeks we have seen some abnormality. When the abnormality begins, the router reaches 100% CPU usage and our WAN port is fully saturated. At the same time the LAN port bandwidth drops from 2500 Mbps to 35-75 Mbps. I am confused. I don't have any firewall rules and no queues in my MikroTik core router. Basically it happens from 15:00 GMT to 23:00 GMT. Could anyone suggest what the problem is and an approximate solution?

Thanks in advance.

Regards,
Kawsar
 
almdandi
Frequent Visitor
Posts: 78
Joined: Sun May 03, 2015 5:22 pm

Re: Is it DDoS Attack, Or Something Else?

Sat Oct 31, 2020 5:45 pm

Hey

It sounds like a DDoS attack.

You can check with the Profiler tool which processes are loading up your CPU. And you should also capture some packets on your WAN port to identify what kind of DDoS attack it is.
 
sindy
Forum Guru
Posts: 11289
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is it DDoS Attack, Or Something Else?

Sat Oct 31, 2020 7:16 pm

You can check with the Profiler tool which processes are loading up your CPU. And you should also capture some packets on your WAN port to identify what kind of DDoS attack it is.
The problem is that with the Tile architecture based 10xx product line, /tool profile is not always telling you enough - the situation may change dramatically between two profiler ticks. And if you start sniffing, you load the CPU even more.

Many people here report issues like this when using 10xx as PPPoE servers. The thing is that the edge between "everything OK" and "disaster" is very thin there - if the load becomes so high that some PPPoE connections drop, it may generate extra incoming traffic due to looping and retransmissions, which causes even more PPPoE connections to drop, so the traffic forwarding stops for minutes and then everything recovers gradually, until some spike in traffic causes the whole sequence of events to repeat. Sometimes this can be improved by fixing a configuration issue. So post your complete configuration for analysis, it may be possible to improve it.
 
CoMMyz
Frequent Visitor
Posts: 64
Joined: Fri Dec 04, 2015 10:56 pm

Re: Is it DDoS Attack, Or Something Else?

Sun Nov 01, 2020 12:57 pm

The problem with the DDoS is the connection tracking overload. You need firewall rules to detect and add IPs to an address list and then block these in firewall RAW. This way it prevents the router from getting overloaded.
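The detect-then-block-in-RAW pattern CoMMyz describes, written out as an added RouterOS example (not posted by anyone in this thread and not MikroTik's own code). The chain and address-list names and the dst-limit thresholds are assumptions that need tuning to the real traffic:

```routeros
# Added example: detection in filter, blocking in RAW.
# Assumed names: chain "detect-ddos", lists "ddos-targets" and "ddos-attackers".
# Assumed thresholds: 32 new connections/s with a burst of 32 per src/dst pair.
/ip firewall filter
# Only packets opening a new connection are examined; hand them to the detection chain.
add chain=forward connection-state=new action=jump jump-target=detect-ddos
# Within the rate limit: return to the forward chain without marking anything.
# dst-limit counts per source-and-destination pair; idle counters expire after 10s.
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
# Above the rate limit: record the attacked host and the source, both expire in 10 minutes.
add chain=detect-ddos action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m
/ip firewall raw
# RAW prerouting runs before connection tracking, so packets dropped here never
# create conntrack entries and stop contributing to the overload described above.
add chain=prerouting src-address-list=ddos-attackers dst-address-list=ddos-targets action=drop
```

Place accept rules for the BGP peer and management addresses ahead of the jump rule so they can never be listed, and check the counters on the detect-ddos rules during a quiet period before trusting the thresholds, since the address-list timeout decides how long a false positive stays blocked.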