huge traffic
Posted: Thu Sep 13, 2012 11:57 am
by samih
hello
I have an RB750. interface1 is connected to the internet via a real IP address. Interfaces 2 to 5 are not connected to any network.
The problem is that when I go to interface1 in Winbox and look at traffic, I see huge traffic on this interface (900 kbps). When I change the real IP of interface1 the traffic goes back to normal (5 kbps). It stays normal for a while, like 1 month, and then the traffic increases to 900 kbps again until I change the real IP to a new one.
Please advise.
Re: huge traffic
Posted: Thu Sep 13, 2012 1:35 pm
by jadu
You can log that traffic to see more.
Add filter rules in the input chain with action log.
After detecting what kind of traffic it is, you can drop it.
Re: huge traffic
Posted: Thu Sep 13, 2012 5:59 pm
by samih
Hello Jadu,
thank you for your reply
I made this rule:
/ip firewall filter
add action=log chain=input comment="" disabled=no in-interface=Real log-prefix=""
# no src-address/dst-address matcher, so the rule matches any address arriving on that interface
Is that right??
And where can I find the log file?
Thanks
Re: huge traffic
Posted: Thu Sep 13, 2012 8:06 pm
by Caci99
When the "strange" traffic happens again, use torch to see what is going on: from which IP, and which ports
that traffic is using.
My first guess would be that you have enabled the web proxy and haven't secured it from outside.
Re: huge traffic
Posted: Fri Sep 14, 2012 1:16 pm
by jadu
Is that right??
And where can I find the log file?
It's right. You don't have a log file; you will see it in the log directly. You can specify a log-prefix, e.g. LOG INPUT.
Re: huge traffic
Posted: Fri Sep 14, 2012 10:04 pm
by samih
Hello, I was reviewing the log.
There are more than one hundred errors like this:
04:03:03 system,error,critical login failure for user mysql from 218.4.146.206 via ssh
04:03:05 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
04:03:12 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
04:03:17 system,error,critical login failure for user www from 218.4.146.206 via ssh
All of them happened in less than 20 minutes.
How can I block attacks like this?
Re: huge traffic
Posted: Fri Sep 14, 2012 11:00 pm
by Caci99
Hello, I was reviewing the log.
There are more than one hundred errors like this:
04:03:03 system,error,critical login failure for user mysql from 218.4.146.206 via ssh
04:03:05 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
04:03:12 system,error,critical login failure for user nagios from 218.4.146.206 via ssh
04:03:17 system,error,critical login failure for user www from 218.4.146.206 via ssh
All of them happened in less than 20 minutes.
How can I block attacks like this?
Try this on the wiki:
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
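The staged address-list approach that wiki page describes, written out here as an added example rather than text from the thread or from the wiki itself. It assumes SSH is on its default port 22, that the internet-facing interface is named Real as in samih's log rule above, and it uses 203.0.113.0/24 as a placeholder management network for the optional service restriction:

```routeros
# Added example: staged SSH brute-force protection for the router itself (input chain).
# Rules are evaluated top to bottom, so these must sit above any generic "accept" rule.
/ip firewall filter
# 1. Drop anything already on the blacklist before it reaches sshd at all.
add chain=input in-interface=Real protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers"
# 2-4. Escalate through stage lists. add-src-to-address-list does not terminate
#      rule processing, so a source that opens a 4th new SSH connection while the
#      short-lived lists are still populated ends up blacklisted for 10 days.
add chain=input in-interface=Real protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d comment="ssh stage3 -> blacklist"
add chain=input in-interface=Real protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input in-interface=Real protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
# 5. Every first new SSH connection from a source starts its counter.
add chain=input in-interface=Real protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m

# Optional but stronger: only let the management network talk to sshd at all.
# 203.0.113.0/24 is a placeholder, not an address from the thread.
/ip service set ssh address=203.0.113.0/24

# After the next burst of "login failure ... via ssh" lines, see who got caught:
/ip firewall address-list print where list=ssh_blacklist
```

Two caveats. The stage rules count new TCP connections, not failed logins, so an administrator who opens several sessions in quick succession can land on the list too; keep the stage timeouts short and prefer the /ip service restriction where a fixed management address exists. And the first few attempts from each new source still reach sshd and still produce the log lines samih saw, so the log noise drops but does not disappear.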
Re: huge traffic
Posted: Thu Sep 20, 2012 10:35 pm
by samih
I did them all but it's still the same.
I am running torch and there is continuous traffic:
Src. Address Dst. Address Tx Rate Rx Rate
178.135.64.254 X.X.X.X(my address) 160 kbps 8kbps
I added a firewall rule chain= drop src address=178.135.64.254 action= drop
but nothing happens.
Re: huge traffic
Posted: Thu Sep 20, 2012 11:56 pm
by Feklar
I did them all but it's still the same.
I am running torch and there is continuous traffic:
Src. Address Dst. Address Tx Rate Rx Rate
178.135.64.254 X.X.X.X(my address) 160 kbps 8kbps
I added a firewall rule chain= drop src address=178.135.64.254 action= drop
but nothing happens.
What chain did you put the firewall rule on? If it is to protect the router itself, it needs to be on the input chain.
Re: huge traffic
Posted: Thu Sep 20, 2012 11:59 pm
by Caci99
Post what you did:
/ip firewall filter print
It works; you might have done something wrong.
As for the IP that is generating traffic, on which port is that traffic?
Also, on which chain is the rule you applied for that IP? There is no such chain as drop.
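The correction Feklar and Caci99 are pointing at, as an added example that is not part of the thread: the drop rule belongs in the input chain, above any accept rule, and the rule's own counters tell you whether it is matching. It assumes the internet-facing interface is named Real, as in samih's log rule earlier in the thread:

```routeros
# Added example: dropping one noisy source in the right chain and confirming it works.
# Traffic addressed to the router itself traverses the input chain; forward only sees
# traffic routed through the router. There is no chain called "drop".
/ip firewall filter
# place-before=0 puts the rule at the top so no earlier accept rule wins first.
add chain=input src-address=178.135.64.254 action=drop \
    comment="drop noisy host seen in torch" place-before=0

# Packet/byte counters prove the rule is matching. A rule that stays at 0 is in the
# wrong chain, sits below an accept, or the traffic is not what you think it is.
/ip firewall filter print stats where comment="drop noisy host seen in torch"

# Torch on the real interface, narrowed to that source, to see protocol and ports.
/tool torch interface=Real src-address=178.135.64.254 port=any
```

One thing a drop rule cannot do is reduce the inbound rate torch shows: by the time the router drops a packet it has already crossed the uplink, so the Rx figure stays where it is and only the router's own work on those packets goes away. If torch shows the router answering that host on a service port (a web proxy, DNS, or similar), the traffic is a reply to something the router is offering to the whole internet, and disabling or restricting that service is the real fix, which is why Caci99 asked for the port.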