Out of control upload traffic

Posted: Mon Jan 18, 2016 4:29 pm
by geraldv
Good Day everyone.

Apologies if I am posting on wrong forum, I am a noob.

I am making use of a RB450 on our network with ADSL Router configured in bridge mode and am experiencing what is very strange to me.

Intermittently the PPPoE interface just begins transmitting outbound traffic (upload) without any traffic from the inside of the network initiating this. Using torch on the 2x interfaces shows this activity. Traffic stats also show the huge difference in the volume of traffic. The router is configured with basic rules in the firewall. (More info can be given here as requested.)

Naturally this is eating away at our monthly data cap and more so it reduces any internet use to an absolute standstill.
Rebooting the router seems to resolve it until the next time, which can take days to occur again.

Any suggestions where I can begin tracing this weird activity?

Thanks in advance.

Re: Out of control upload traffic

Posted: Mon Jan 18, 2016 4:38 pm
by ZeroByte
99% likelihood is that your box is being used as a node in a DDoS attack called a DNS amplification attack.

Probably in IP > DNS you have "allow remote requests" enabled, and in firewall filter, your input chain does not have a default "block all" rule, or else has a rule which ends up permitting UDP port 53.

The fix is to make sure that your input chain has a default deny policy on the WAN interface.

If your WAN is PPPoE, then make sure that the input rules which block traffic from the Internet are set to examine interface pppoe-out1 (or whatever name the PPPoE interface has).

If your WAN is DHCP or static IP address configuration, then whichever physical interface is connected to the modem, e.g. ether1, then make sure that ether1 is the rule in the input filter.

A basic, effective firewall rule set for the input chain would look like this:

action=accept connection-state=established,related
action=accept protocol=icmp
action=drop in-interface=ether1 (or pppoe-out1, etc)

Re: Out of control upload traffic

Posted: Wed Jan 20, 2016 2:43 pm
by geraldv
Thanks for the reply.
Could I ask if you can check my filter list as below? I used info from forums to secure the firewall.
We still experience the problem though. I uploaded a screenshot of the interfaces to show the differences in just 24hrs.
RDP users from outside lose access and then eventually all internet access goes.

0 ;;; Block VOIP Phone Network
chain=input action=drop src-address-list=VOIP-Phones log=no log-prefix=""

1 ;;; Drop Facebook and Youtube
chain=forward action=drop layer7-protocol=Facebook and Youtube log=no log-prefix=""

2 chain=forward action=drop layer7-protocol=bittorrent in-interface=pppoe-out1 log=no log-prefix=""

3 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid log=no log-prefix=""

4 ;;; Drop RDP 3389 Attempts
chain=input action=drop protocol=tcp in-interface=pppoe-out1 src-port=3389 log=yes log-prefix="RDP 3389 attempts"

5 ;;; Accept established connections
chain=input action=accept connection-state=established log=no log-prefix=""

6 ;;; Accept related connections
chain=input action=accept connection-state=related log=no log-prefix=""

7 ;;; Allow valid connections
chain=input action=accept connection-state=established log=no log-prefix=""

8 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2 log=no log-prefix=""

9 ;;; Drop excess pings
chain=input action=drop protocol=icmp log=no log-prefix=""

10 ;;; SSH for secure shell
chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

11 ;;; winbox
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

12 ;;; UDP
chain=input action=accept protocol=udp log=no log-prefix=""

13 ;;; jump to chain ICMP
chain=forward action=jump jump-target=ICMP protocol=icmp log=no log-prefix=""

14 ;;; 0:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5 log=no log-prefix=""

15 chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5 log=no log-prefix=""

16 ;;; 3:3 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5 log=no log-prefix=""

17 ;;; 3:4 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5 log=no log-prefix=""

18 ;;; 8:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 log=no log-prefix=""

19 ;;; 11:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5 log=no log-prefix=""

20 ;;; Drop all p2p
chain=forward action=drop p2p=all-p2p protocol=tcp in-interface=pppoe-out1 log=no log-prefix=""

21 ;;; Drop everything else
chain=ICMP action=drop protocol=icmp in-interface=pppoe-out1 log=yes log-prefix="DROP INPUT"

22 chain=forward action=accept src-address-list=Our-Nets dst-address-list=Our-Nets log=no log-prefix=""

23 ;;; Internet to our Network
chain=forward action=accept dst-address-list=Our-Nets in-interface=pppoe-out1 log=no log-prefix=""

24 ;;; Our network and Out
chain=forward action=accept src-address-list=Our-Nets out-interface=pppoe-out1 log=no log-prefix=""

25 chain=forward action=drop log=no log-prefix=""

Re: Out of control upload traffic

Posted: Wed Jan 20, 2016 4:18 pm
by pe1chl
You need to drop rule 12, that is the cause of your problem.
But rules 9 and 13 cannot work together like this.
Probably you inserted rule 8 and 9 from one recipe and rules 13 and onwards from another recipe.
You have to understand that rules are processed top to bottom and when you make a final decision
like ACCEPT, DROP or REJECT you cannot later go on processing the same type of traffic,

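Added example, not code from any of the posters or from MikroTik: a small Python model of the top-to-bottom, first-match evaluation that pe1chl describes, run over a transcription of geraldv's input chain, over ZeroByte's three-rule minimal chain, and over the posted chain with rule 12 removed and a default deny on the WAN interface appended. The rule numbers are the ones printed in the post; the `limit` matcher is assumed to be under its limit, the WAN interface is assumed to be pppoe-out1, the packets are constructed, and rule number 99 for the appended drop is a placeholder. It shows why an unsolicited UDP/53 query from the Internet reaches the router's resolver through the posted chain (rule 12 accepts all UDP), why the same packet is dropped by the other two chains while replies to the router's own queries still pass, and that rule 7 can never fire because rule 5 already matches everything it would.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    """The fields of an inbound packet that the rules below look at (constructed)."""
    chain: str
    in_interface: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    conn_state: str = "new"
    src_lists: frozenset = frozenset()   # address lists the source belongs to


@dataclass
class Rule:
    num: int                 # rule number as printed by /ip firewall filter print
    chain: str
    action: str
    match: dict = field(default_factory=dict)
    comment: str = ""


TERMINAL = {"accept", "drop", "reject"}


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher on the rule must hold for the rule to fire."""
    for key, want in rule.match.items():
        if key == "connection-state":
            ok = pkt.conn_state in want.split(",")
        elif key == "in-interface":
            ok = pkt.in_interface == want
        elif key == "protocol":
            ok = pkt.protocol == want
        elif key == "src-port":
            ok = pkt.src_port == want
        elif key == "dst-port":
            ok = pkt.dst_port == want
        elif key == "src-address-list":
            ok = want in pkt.src_lists
        elif key == "limit":
            ok = True   # assumption: traffic is under the rate limit, the common case
        else:
            raise ValueError(f"unsupported matcher {key}")
        if not ok:
            return False
    return True


def verdict(rules, pkt):
    """Walk the packet's chain top to bottom; the first terminal rule that matches
    decides. Returns (rule number, action), or (None, 'accept') when nothing matched,
    because a chain without a final drop lets the packet through."""
    for r in rules:
        if r.chain == pkt.chain and r.action in TERMINAL and rule_matches(r, pkt):
            return r.num, r.action
    return None, "accept"


def shadowed_rules(rules):
    """Rule numbers that can never fire: an earlier terminal rule in the same chain
    has the identical match set, so it always wins first."""
    seen, out = {}, []
    for r in rules:
        if r.action not in TERMINAL:
            continue
        key = (r.chain, tuple(sorted(r.match.items())))
        if key in seen:
            out.append(r.num)
        else:
            seen[key] = r.num
    return out


WAN = "pppoe-out1"   # assumption: the WAN is the PPPoE interface named in the post

# Transcription of the input-chain rules geraldv posted (forward/ICMP chains omitted).
POSTED_INPUT = [
    Rule(0, "input", "drop", {"src-address-list": "VOIP-Phones"}, "Block VOIP Phone Network"),
    Rule(3, "input", "drop", {"connection-state": "invalid"}, "Drop invalid connections"),
    Rule(4, "input", "drop", {"protocol": "tcp", "in-interface": WAN, "src-port": 3389}, "Drop RDP 3389 Attempts"),
    Rule(5, "input", "accept", {"connection-state": "established"}, "Accept established connections"),
    Rule(6, "input", "accept", {"connection-state": "related"}, "Accept related connections"),
    Rule(7, "input", "accept", {"connection-state": "established"}, "Allow valid connections"),
    Rule(8, "input", "accept", {"protocol": "icmp", "limit": "50/5s,2"}, "Allow limited pings"),
    Rule(9, "input", "drop", {"protocol": "icmp"}, "Drop excess pings"),
    Rule(10, "input", "accept", {"protocol": "tcp", "dst-port": 22}, "SSH for secure shell"),
    Rule(11, "input", "accept", {"protocol": "tcp", "dst-port": 8291}, "winbox"),
    Rule(12, "input", "accept", {"protocol": "udp"}, "UDP"),
]

# ZeroByte's minimal input chain, with pppoe-out1 as the WAN interface.
MINIMAL_INPUT = [
    Rule(0, "input", "accept", {"connection-state": "established,related"}),
    Rule(1, "input", "accept", {"protocol": "icmp"}),
    Rule(2, "input", "drop", {"in-interface": WAN}),
]


def fixed_input(rules):
    """pe1chl's advice applied to the posted chain: remove the blanket UDP accept
    (rule 12) and finish with ZeroByte's default deny on the WAN interface.
    Rule number 99 is a placeholder for the appended rule."""
    kept = [r for r in rules if r.match != {"protocol": "udp"}]
    return kept + [Rule(99, "input", "drop", {"in-interface": WAN}, "default deny from WAN")]


# Constructed packets: a fresh DNS query arriving from the Internet on the PPPoE
# interface (what hits an open resolver), and a reply to a query the router sent itself.
DNS_FROM_WAN = Packet("input", WAN, "udp", src_port=40000, dst_port=53)
REPLY_TO_OUR_QUERY = Packet("input", WAN, "udp", src_port=53, dst_port=40000, conn_state="established")

if __name__ == "__main__":
    chains = (("posted", POSTED_INPUT), ("minimal", MINIMAL_INPUT), ("fixed", fixed_input(POSTED_INPUT)))
    for name, chain in chains:
        print(name, "unsolicited DNS query from WAN:", verdict(chain, DNS_FROM_WAN))
        print(name, "reply to our own query:        ", verdict(chain, REPLY_TO_OUR_QUERY))
    print("shadowed rules in posted chain:", shadowed_rules(POSTED_INPUT))
```

The model only checks whether the query reaches the router; it is the combination of that reachability with "allow remote requests" in IP > DNS, as ZeroByte says, that turns the box into an open resolver, so the other half of the fix is turning that setting off. The same first-match walk is what pe1chl means about rules 8 and 9: once rule 9 drops ICMP in the input chain, nothing later in that chain sees ICMP again.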
Re: Out of control upload traffic

Posted: Thu Jan 16, 2020 2:45 am
by eheroi
99% likelihood is that your box is being used as a node in a DDoS attack called a DNS amplification attack.

Probably in IP > DNS you have "allow remote requests" enabled, and in firewall filter, your input chain does not have a default "block all" rule, or else has a rule which ends up permitting UDP port 53.

The fix is to make sure that your input chain has a default deny policy on the WAN interface.

If your WAN is PPPoE, then make sure that the input rules which block traffic from the Internet are set to examine interface pppoe-out1 (or whatever name the PPPoE interface has).

If your WAN is DHCP or static IP address configuration, then whichever physical interface is connected to the modem, e.g. ether1, then make sure that ether1 is the rule in the input filter.

A basic, effective firewall rule set for the input chain would look like this:

action=accept connection-state=established,related
action=accept protocol=icmp
action=drop in-interface=ether1 (or pppoe-out1, etc)

you saved my life sir