CPU loads 100%

Posted: Wed Jul 31, 2013 3:46 pm
by k3NGuru
Hello.

Today I found that on my Routerboard 2011uas-2hnd-in the CPU load is 100%.
[admin@MikroTik] /ip dns> print         
servers: 
        dynamic-servers: 212.75.210.62,212.75.211.2
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 143KiB
[admin@MikroTik] > /tool profile
NAME                    CPU        USAGE
firewall-mgmt           all         0.5%
wireless                all         0.5%
ethernet                all         4.5%
console                 all         0.5%
dns                     all          82%
traffic-flow            all           0%
firewall                all           1%
networking              all         0.5%
winbox                  all           1%
logging                 all           0%
management              all         8.5%
bridging                all           0%
unclassified            all           1%
How can I solve my problem?

Best regards, Dmitriy

Re: CPU loads 100%

Posted: Wed Jul 31, 2013 3:51 pm
by tomaskir
Secure the DNS server on your router.

Configure your firewall input chain correctly.

Re: CPU loads 100%

Posted: Wed Jul 31, 2013 4:41 pm
by k3NGuru
tomaskir
Maybe you can help me with this?
Google gives me this spell:
chain=input action=drop protocol=udp dst-port=53 
but after this rule the Internet is down :(

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 11:48 am
by tomaskir
Do something like this:
/ip firewall filter
add chain=input comment="Input chain" connection-state=established
add chain=input connection-state=related
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp
add chain=input dst-port=8291 protocol=tcp
add chain=input in-interface="LAN Interface Name"
add action=log chain=input disabled=yes log-prefix=Drop
add action=drop chain=input
Replace the LAN interface name according to your needs.

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 1:08 pm
by leonset
Don't use such a rule; you are blocking all traffic to port 53 and thus blocking DNS. Just limit queries to your local LAN address range:
chain=input action=drop protocol=udp dst-port=53 src-address=!10.10.10.0/24
Replace "10.10.10.0/24" with your local LAN range

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 3:51 pm
by k3NGuru
I modified the last rule:
chain=input action=drop protocol=udp in-interface=ether1-gateway dst-port=53
and that helped me bring the CPU down to 10-20% ^_^
But now I see this: http://d.pr/i/2FQu Is it not dangerous for my RB? What does this statistic mean: http://d.pr/i/XEQZ ?

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 3:56 pm
by tomaskir
You got attacked with a DNS amplification attack, because your router was not properly firewalled.

The counter on that rule is so high, because the attack is still in progress, but the firewall is blocking it.

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 4:11 pm
by k3NGuru
LAN interface = WAN? If yes, after these rules my Internet is down :(

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 4:14 pm
by tomaskir
LAN interface is your Local Area Network interface.
The interface where your clients connect on, NOT the internet interface.

That firewall blocks all communication from everywhere, except the LAN interface specified; connections are allowed there.

Post "/interface export compact" and I will modify it according to your needs.

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 4:22 pm
by k3NGuru
[admin@MikroTik] > /interface export compact 
# aug/01/2013 20:19:18 by RouterOS 6.1
# software id = 2WQI-40PS
#
/interface bridge
add admin-mac=%secret mac% auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=russia disabled=no distance=indoors \
    ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
set 10 name=sfp1-gateway speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] authentication-types=gpe mode=dynamic-keys wpa-pre-shared-key=%secret key%\
    gper-shared-key=%secret key%
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
I use ether1-ether5, where:
ether1 - Internet cable from my ISP
ether2-ether5 - Local
ether6-ether10 - empty

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 5:07 pm
by tomaskir
Proper firewall:
/ip firewall filter
add chain=input comment="Input chain" connection-state=established
add chain=input connection-state=related
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp
add chain=input dst-port=8291 protocol=tcp
add chain=input in-interface=bridge-local
add action=log chain=input disabled=yes log-prefix=Drop
add action=drop chain=input
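
Added example (not part of the original thread and not MikroTik's code): a simplified Python model of first-match evaluation on the input chain, run against three rule sets posted in this thread. It shows why the blanket port-53 drop cut off LAN clients, and why the full chain drops WAN queries while still accepting upstream replies. The packet labels, port 40000 and the WAN connection to TCP port 22 are constructed samples; only the matchers used in this thread are modelled.

```python
import shlex

NON_MATCHERS = {"chain", "action", "comment", "log-prefix", "disabled"}  # keys that match no packet field
RULESETS = {  # rule text copied from the thread
    "blanket": "chain=input action=drop protocol=udp dst-port=53",
    "wan-only": "chain=input action=drop protocol=udp in-interface=ether1-gateway dst-port=53",
    "full": """add chain=input comment="Input chain" connection-state=established
add chain=input connection-state=related
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp
add chain=input dst-port=8291 protocol=tcp
add chain=input in-interface=bridge-local
add action=log chain=input disabled=yes log-prefix=Drop
add action=drop chain=input""",
}

def packet(iface, proto, dport, state):
    return {"in-interface": iface, "protocol": proto, "dst-port": dport, "connection-state": state}

PACKETS = {  # constructed samples of traffic addressed to the router itself
    "lan_dns_query": packet("bridge-local", "udp", 53, "new"),
    "wan_dns_query": packet("ether1-gateway", "udp", 53, "new"),
    "upstream_dns_reply": packet("ether1-gateway", "udp", 40000, "established"),
    "wan_ssh": packet("ether1-gateway", "tcp", 22, "new"),
}

def parse_rules(text):
    # One rule per line; tokens without "=" (the leading "add") are ignored, disabled rules skipped.
    rules = [dict(t.split("=", 1) for t in shlex.split(ln) if "=" in t) for ln in text.splitlines()]
    return [r for r in rules if r.get("disabled") != "yes"]

def matches(rule, pkt):
    # Every matcher present in the rule must equal the packet's field.
    return all(str(pkt.get(k)) == v for k, v in rule.items() if k not in NON_MATCHERS)

def verdict(rules, pkt):
    # Simplified model: the first matching accept/drop rule decides; omitted action means accept.
    for rule in rules:
        action = rule.get("action", "accept")
        if action in ("accept", "drop") and matches(rule, pkt):
            return action
    return "accept"  # nothing matched: the chain's default is accept

def evaluate(name):
    return {label: verdict(parse_rules(RULESETS[name]), pkt) for label, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:9}", evaluate(name))
```

The "wan-only" rule stops the DNS queries but leaves every other service on the router reachable from ether1-gateway; only the full chain ends with a default drop.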

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 6:20 pm
by k3NGuru
tomaskir
Thanks a lot.
Can you tell me what this rule means?
add action=log chain=input disabled=yes log-prefix=Drop
As I understand it, that rule logs something, or does it do something else?

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 6:38 pm
by tomaskir
It's a rule that logs all the dropped traffic into the log. It's disabled; I enable it if I need to test things.

You can read more about all of this on http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Re: CPU loads 100%

Posted: Thu Aug 01, 2013 6:49 pm
by k3NGuru
tomaskir
Thank you. :)

Re: CPU loads 100%

Posted: Tue Aug 19, 2014 1:09 pm
by fatray747
My RB450G got DNS attack today.
This topic is very useful and it works for me.
Thank you very much for sharing.

Re: CPU loads 100%

Posted: Mon Sep 07, 2015 10:29 am
by anandreddy
It works perfectly on CCR-1036.
Thanks