Instill some basic network security. I block input to potentially harmful ports, but a better way is to only allow input on ports you want.
----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ----- Original Message ----- From: "Jason McKemie" <j.mcke...@veloxinetbroadband.com> To: af@afmug.com Sent: Tuesday, September 6, 2016 12:14:31 PM Subject: Re: [AFMUG] Mikrotik Possibly Compromised Well, disabling remote requests dropped it off steeply. I'll have to look into that. Is that enabled by default? On Tue, Sep 6, 2016 at 12:13 PM, Bruce Robertson < br...@pooh.com > wrote: Good point. On 09/06/2016 10:11 AM, Jason McKemie wrote: <blockquote> I'd think that I would see some internal network activity if this were the case though. Also, the source IPs appear to be from all over the world. On Tue, Sep 6, 2016 at 12:09 PM, Bruce Robertson < br...@pooh.com > wrote: <blockquote> In my experience, that's usually your mobile devices nattering with the mother ship, like doing backups and uploading recent pictures. iPhones are especially bad about this. On 09/06/2016 09:57 AM, Jason McKemie wrote: <blockquote> So I've noticed some strange behavior on my home connection (Comcast). The Mikrotik that I am using shows a constant Tx on the WAN port of around 3-5Mbps and between 200-300pps, Rx is just a few kbps. This activity appears to be strictly on the WAN port. If I disable a firewall rule that accepts input, the activity ceases - but devices behind the router lose connectivity. Any ideas? I've got all IP services disabled except winbox, which is restricted to my local network. wbr>8! </blockquote> !DSPAM:2,57cef8d652678869110723! </blockquote> </blockquote>