
Need a little explanation about log entries...

Posted: Fri Apr 06, 2018 10:19 pm
by JeLi
Hi all,
Since a few days ago (before that everything was OK), my log has been flooded with the following entries (coming from my firewall rules), which I do not really understand:

20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 85.214.20.141:53->87.171.129.238:5678, len 124
20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 8.8.4.4:53->87.171.129.238:5678, len 80
20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 217.0.43.65:53->87.171.129.238:5678, len 80
20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 217.0.43.81:53->87.171.129.238:5678, len 80
20:41:00 firewall,info INPUT: Invalid: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto ICMP (type 3, code 3), 213.73.91.35->87.171.129.238, len 56
20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 8.8.8.8:53->87.171.129.238:5678, len 80
20:41:01 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 217.0.43.81:53->87.171.129.238:5678, len 80
20:41:01 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 8.8.8.8:53->87.171.129.238:5678, len 80
20:41:01 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 217.0.43.65:53->87.171.129.238:5678, len 80
20:41:01 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 85.214.20.141:53->87.171.129.238:5678, len 124
20:41:01 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 8.8.4.4:53->87.171.129.238:5678, len 80
20:41:01 firewall,info INPUT: Invalid: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto ICMP (type 3, code 3), 213.73.91.35->87.171.129.238, len 56

These entries are produced by the following firewall rules:
.
.
.
12 ;;; INPUT - Drop invalid connections
chain=input action=drop connection-state=invalid log=yes log-prefix="INPUT: Invalid: "

16 ;;; INPUT - Drop new connections from PPPoE-Out_T-Online to router without existing dstnat configuration
chain=input action=drop connection-state=new connection-nat-state=!dstnat in-interface=PPPoE-Out_T-Online log=yes log-prefix="INPUT: New, No DSTNAT: "

17 ;;; INPUT - Drop everything else - last rule
chain=input action=drop log=yes log-prefix="INPUT: Everything Else; "

I do not really understand what it means: is Google's DNS server 8.8.8.8:53 really trying to contact the (current) public IP (87.171.129.238:5678) of my router? And why is the source port 53 (normal DNS) but the destination port 5678 (which is normally neighbor discovery for MikroTik routers)?

Thank you very much for your help.
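As an added example (not code from the thread or from MikroTik), here is a parser for the log format quoted above together with the check a practitioner would run over such a flood: count how many distinct hosts send UDP packets from source port 53 to the same local port within a short window. A DNS answer that connection tracking tags as "new" is one for which the router never sent a matching query, so a burst of them from several resolvers at once is a set of answers to packets that carried your address but did not originate from this router, and the ICMP type 3 code 3 (port unreachable) entries are the same kind of unsolicited reply. The window and threshold values and the final TCP sample line are assumptions.

```python
"""Parse RouterOS firewall log lines and flag a burst of unsolicited
UDP source-port-53 packets aimed at one local port.

Added example, not code from the thread or from MikroTik. The line format is
the one quoted in the post; window and threshold values are assumptions.
"""
import re
from collections import defaultdict

# Sample input: the first seven lines are copied from the post; the last one is
# constructed here to show a differently shaped (TCP) entry from the last rule.
SAMPLE_LOG = [
    "20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 85.214.20.141:53->87.171.129.238:5678, len 124",
    "20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 8.8.4.4:53->87.171.129.238:5678, len 80",
    "20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 217.0.43.65:53->87.171.129.238:5678, len 80",
    "20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 217.0.43.81:53->87.171.129.238:5678, len 80",
    "20:41:00 firewall,info INPUT: Invalid: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto ICMP (type 3, code 3), 213.73.91.35->87.171.129.238, len 56",
    "20:41:00 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 8.8.8.8:53->87.171.129.238:5678, len 80",
    "20:41:01 firewall,info INPUT: New, No DSTNAT: input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto UDP, 217.0.43.81:53->87.171.129.238:5678, len 80",
    # constructed line (assumption), not from the post:
    "20:41:05 firewall,info INPUT: Everything Else; input: in:PPPoE-Out_T-Online out:(unknown 0), src-mac 00:90:1a:a0:bf:0a, proto TCP (SYN), 198.51.100.7:44321->87.171.129.238:8291, len 60",
]

# <time> firewall,info <log-prefix><chain>: in:<if> out:(<if>), src-mac <mac>,
# proto <P>[ (<flags or icmp type/code>)], <src>[:<sport>]-><dst>[:<dport>], len <n>
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>.*?)"
    r"(?P<chain>\w+): in:(?P<in_if>\S+) out:\((?P<out_if>[^)]*)\), "
    r"src-mac (?P<mac>[0-9a-f:]{17}), proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?, len (?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = (int(x) for x in d["time"].split(":"))
    icmp = None
    if d["proto"] == "ICMP" and d["flags"]:
        tc = re.match(r"type (\d+), code (\d+)", d["flags"])
        if tc:
            icmp = (int(tc.group(1)), int(tc.group(2)))
    return {
        "t": h * 3600 + mi * 60 + s,      # seconds since midnight
        "prefix": d["prefix"].strip(),    # the rule's log-prefix
        "chain": d["chain"],
        "in_if": d["in_if"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "len": int(d["len"]),
        "icmp": icmp,                     # (type, code) for ICMP, else None
    }


def find_reflection_bursts(lines, min_sources=3, window=2):
    """Map (dst, dport) -> sorted distinct senders for every local port that
    received UDP packets from source port 53 from at least `min_sources`
    different hosts within `window` seconds (thresholds are assumptions)."""
    by_target = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "UDP" and ev["sport"] == 53:
            by_target[(ev["dst"], ev["dport"])].append((ev["t"], ev["src"]))
    hits = {}
    for target, events in by_target.items():
        events.sort()
        for i, (t0, src0) in enumerate(events):
            seen = {src0}
            for t, src in events[i + 1:]:
                if t - t0 > window:
                    break
                seen.add(src)
            if len(seen) >= min_sources:
                hits[target] = sorted(seen)
                break
    return hits


def port_unreachable_senders(lines):
    """Hosts that sent ICMP type 3 code 3 (port unreachable): replies to
    packets that carried our address, for which conntrack had no outgoing flow."""
    senders = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["icmp"] == (3, 3):
            senders.add(ev["src"])
    return sorted(senders)


if __name__ == "__main__":
    for (dst, dport), sources in find_reflection_bursts(SAMPLE_LOG).items():
        print("burst to %s:%d from %d resolvers: %s"
              % (dst, dport, len(sources), ", ".join(sources)))
    print("port-unreachable senders:", port_unreachable_senders(SAMPLE_LOG))
```

Pipe the router's log into the script (for example via remote syslog) and raise `min_sources` to a level normal traffic never reaches; what matters for the verdict is the number of distinct resolvers hitting one port at once, not the packet rate.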

Re: Need a little explanation about log entries...

Posted: Fri Apr 06, 2018 10:39 pm
by JeLi
I forgot to mention that the routers affected by this are a hEX and a CCR1009, both with RouterOS version 6.41.3 (stable).

Re: Need a little explanation about log entries...

Posted: Fri Apr 06, 2018 10:46 pm
by mkx
How about this: somebody is trying to abuse your MTiks to launch a DDoS attack against Google's DNS service?

Re: Need a little explanation about log entries...

Posted: Sat Apr 07, 2018 11:46 am
by squeeze
IP by default has no source validation.

They are forging/spoofing their source IP to probe your MT for weaknesses, one of which is the ND port.

Depending on what type of business you run, you can just ignore it if you're not some type of ISP, as far as I'm aware.

Re: Need a little explanation about log entries...

Posted: Sat Apr 07, 2018 12:49 pm
by JeLi
Thank you very much for the explanation.
It seems and sounds like I can't do much about it, right?
I have been running these routers for years now and this is the very first time I have seen this, and, of course, I am not an ISP.

Re: Need a little explanation about log entries...

Posted: Sat Apr 07, 2018 2:15 pm
by pe1chl
It is not useful to log dropped traffic from the internet unless you are debugging things or you are trying to watch some very specific kind of traffic.
So, just remove the "log" checkmark and the situation will be back to normal.
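As an added example (not from the thread), these are the RouterOS commands that apply this advice to the three rules quoted in the first post. They select the rules by their log-prefix rather than by the numbers 12, 16 and 17, because rule numbers shift whenever a rule is inserted or removed; the last command lists whatever is still logging so you can confirm only the rule you are actually debugging has log=yes.

```routeros
# Added example, not from the thread. Turn off per-packet logging on the
# three drop rules quoted above; matching on log-prefix survives renumbering.
/ip firewall filter set [find log-prefix="INPUT: Invalid: "] log=no
/ip firewall filter set [find log-prefix="INPUT: New, No DSTNAT: "] log=no
/ip firewall filter set [find log-prefix="INPUT: Everything Else; "] log=no

# Verify: only rules you are deliberately watching should remain here.
/ip firewall filter print where log=yes
```

The drop rules themselves stay in place; only the logging flag changes, so the unsolicited packets are still discarded, just silently.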