[AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Jason McKemie
So I've noticed some strange behavior on my home connection (Comcast). The Mikrotik that I am using shows a constant Tx on the WAN port of around 3-5Mbps and between 200-300pps, Rx is just a few kbps. This activity appears to be strictly on the WAN port. If I disable a firewall rule that accepts

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Jim Bouse [Brazos WiFi]
Torch it and see what the SRC and DST ports are. Jim Bouse, Owner, Mobile IT Pro - Brazos WiFi
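What the Torch output Jim is asking for looks like when the router is being used as a reflector, as an added example that is not part of his message or anything else in the thread. The rows are constructed to mimic /tool torch on the WAN interface; 203.0.113.10 (the router's WAN address), 198.51.100.0/24 (the spoofed "victims") and 192.0.2.0/24 (two NTP peers) are documentation ranges, and the thresholds are assumptions, not RouterOS settings.

```python
"""Spot the reflector signature in Torch-style WAN flows (added example, constructed data)."""
from collections import defaultdict

WAN_IP = "203.0.113.10"          # assumed router WAN address (documentation range)
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
MIN_PEERS = 10                   # a reflector answers many unrelated addresses
MIN_TX_RX_RATIO = 5.0            # and sends far more bytes than it receives

# Constructed rows in the shape Torch shows per flow:
# (proto, src, src_port, dst, dst_port, tx_bytes, rx_bytes); tx = bytes leaving the WAN port.
SAMPLE_ROWS = []
for i in range(1, 13):
    # Twelve spoofed "queries" from twelve victims, each answered with a ~2.8 KB response.
    SAMPLE_ROWS.append(("udp", WAN_IP, 53, f"198.51.100.{i}", 40000 + i, 2800, 64))
for i in range(1, 3):
    # Two NTP exchanges: same lopsided ratio, but too few peers to call it an attack.
    SAMPLE_ROWS.append(("udp", WAN_IP, 123, f"192.0.2.{i}", 123, 440, 48))
# Ordinary NATted client traffic: small requests out, large responses in.
SAMPLE_ROWS.append(("tcp", WAN_IP, 51000, "93.184.216.34", 443, 1200, 48000))
SAMPLE_ROWS.append(("tcp", WAN_IP, 51001, "93.184.216.34", 443, 900, 22000))


def summarize(rows, wan_ip=WAN_IP):
    """Group flows the router sources by service port and flag reflector-like groups."""
    groups = defaultdict(lambda: {"peers": set(), "tx": 0, "rx": 0})
    for proto, src, sport, dst, dport, tx, rx in rows:
        if src != wan_ip:
            continue                      # only traffic the router itself sends
        # The well-known port on either side names the service; the other side is ephemeral.
        service = sport if sport < 1024 else dport
        g = groups[f"{proto}/{service}"]
        g["peers"].add(dst)
        g["tx"] += tx
        g["rx"] += rx

    result = {}
    for key, g in groups.items():
        port = int(key.split("/")[1])
        ratio = g["tx"] / max(g["rx"], 1)
        result[key] = {
            "service": AMPLIFIER_PORTS.get(port),
            "peers": len(g["peers"]),
            "tx": g["tx"],
            "rx": g["rx"],
            "ratio": round(ratio, 2),
            "flagged": port in AMPLIFIER_PORTS
                       and len(g["peers"]) >= MIN_PEERS
                       and ratio >= MIN_TX_RX_RATIO,
        }
    return result


def report(summary):
    """One line per service group, biggest sender first."""
    lines = []
    for key, s in sorted(summary.items(), key=lambda kv: kv[1]["tx"], reverse=True):
        tag = "REFLECTOR" if s["flagged"] else "ok"
        lines.append(f"{key:<10} {s['service'] or '-':<5} peers={s['peers']:<3} "
                     f"tx={s['tx']:<7} rx={s['rx']:<6} ratio={s['ratio']:<7} {tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_ROWS))))
```

The tell is the combination, not any one number: the router's own WAN address is the source, the source port is a UDP service port, the destinations are many unrelated addresses, and tx dwarfs rx. Normal NATted client traffic inverts the ratio, and a couple of NTP peers with a skewed ratio is just NTP. Real Torch rows carry the same fields, so the same grouping works on a copied-out capture.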

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Mike Hammett
Torch? - Mike Hammett, Intelligent Computing Solutions, Midwest Internet Exchange, The Brothers WISP

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Ken Hohhof
amplification attacks. Also check if you have NTP server enabled, that’s another amplification attack method.

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Bruce Robertson
In my experience, that's usually your mobile devices nattering with the mother ship, like doing backups and uploading recent pictures. iPhones are especially bad about this.

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Jason McKemie

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Jason McKemie
I'd think that I would see some internal network activity if this were the case though. Also, the source IPs appear to be from all over the world.

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Mike Hammett
There you go. - Mike Hammett, Intelligent Computing Solutions, Midwest Internet Exchange, The Brothers WISP

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Bruce Robertson
Good point.

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Dennis Burgess

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Jason McKemie
Well, disabling remote requests dropped it off steeply. I'll have to look into that. Is that enabled by default?

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Jason McKemie

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Mike Hammett
Yeah, admittedly I haven't done much other than mess around with some blacklists on this one. On Tue, Sep 6, 2016 at 12:16 PM, Mike Hammett wrote: Instill some basic network security. I block input t

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Matt
Does the Mikrotik DNS cache listen on both TCP and UDP port 53? In the past I always dropped both in the input chain on the pppoe interface, but I am not sure it actually listens on the TCP port? > Assuming you have DNS set to Allow Remote Requests (which must be on for > local customers to use the Mikrot

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Jason McKemie

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Mike Hammett

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Rob Genovesi

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Bruce Robertson
Yes, unfortunately.

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Ken Hohhof
disable remote requests. On Tuesday, September 06, 2016 12:20 PM, Jason McKemie wrote: Well, disabling remote requests worked well enough at the moment. I'll have to work on the firewall setup though. Thanks all

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread That One Guy /sarcasm

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Jason McKemie

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Tim Reichhart
Could be a DDoS attack on DNS; this happened to me on my MikroTik. Tim

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Josh Luthman

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Dave

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-06 Thread Josh Luthman

Re: [AFMUG] Mikrotik Possibly Compromised

2016-09-07 Thread Joshaven Mailing Lists
I think that the issue was most likely a UDP amplification attack. TCP isn’t susceptible in the same way so I suspect that you could leave TCP open and not have an issue. Yes MikroTik can answer TCP ( I Just confirmed, I even tested with blocking UDP and still getting an answer but you have to
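A way to check from the outside whether a router is answering recursive DNS on its WAN address, over UDP and over TCP as Joshaven and Matt were comparing, written as an added example rather than code from the thread or from MikroTik. It assumes the host to test is given on the command line and that example.com is a zone the router is not authoritative for; the two response byte strings used for the offline self-check are constructed by hand, not captured from a device.

```python
"""Probe a host for open recursive DNS over UDP and TCP (added example, not from the thread)."""
import socket
import struct
import sys

TEST_NAME = "example.com"   # assumed: a zone the router under test is not authoritative for
TXID = 0x1234


def build_query(name=TEST_NAME, txid=TXID, qtype=1, rd=True):
    """Minimal DNS query: qtype 1 = A, RD set so a recursive resolver will go and resolve it."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(data):
    """The header fields that say whether this is a recursive answer."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}


def assess(query, response):
    """Decide whether the response shows an open resolver and report the size amplification."""
    if response is None:
        return {"open": False, "reason": "no answer (port closed, filtered, or dropped)"}
    try:
        h = parse_header(response)
    except ValueError as e:
        return {"open": False, "reason": str(e)}
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        return {"open": False, "reason": "not a response to our query"}
    amp = round(len(response) / len(query), 2)
    if h["rcode"] != 0 or h["answers"] == 0:
        return {"open": False, "reason": f"rcode {h['rcode']}, {h['answers']} answers",
                "ra": h["ra"], "amplification": amp}
    # A positive answer for a zone this host does not own means it resolved it for us.
    return {"open": True, "reason": "answered recursively for a foreign zone",
            "ra": h["ra"], "amplification": amp}


def probe_udp(host, query, timeout=3.0):
    """Send over UDP; None on timeout or ICMP port unreachable."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (host, 53))
            data, _ = s.recvfrom(4096)
            return data
    except OSError:
        return None


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def probe_tcp(host, query, timeout=3.0):
    """Send over TCP with the two-byte length prefix; None if refused or cut short."""
    try:
        with socket.create_connection((host, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            prefix = _recv_exact(s, 2)
            if prefix is None:
                return None
            return _recv_exact(s, struct.unpack("!H", prefix)[0])
    except OSError:
        return None


# Constructed response for the offline self-check: QR+RD+RA, NOERROR, one A record
# for 93.184.216.34, using a compression pointer (0xc00c) back to the question name.
CONSTRUCTED_OPEN_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)
# Same transaction answered REFUSED (rcode 5) with no records.
CONSTRUCTED_REFUSED_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8185, 1, 0, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    q = build_query()
    for proto, probe in (("udp", probe_udp), ("tcp", probe_tcp)):
        print(proto, assess(q, probe(target, q)))
```

Run it from outside the network (a VPS, a phone off Wi-Fi) against the router's public address. `open: True` on UDP is the condition the thread's traffic depends on: a 29-byte query with a spoofed source becomes a larger answer addressed to the victim, and ANY or TXT queries for big zones amplify far more than the A record used here. On RouterOS the direct fix is `/ip dns set allow-remote-requests=no`; where LAN clients need the router's cache, leave it on and drop inbound port 53 on the WAN interface instead, for both UDP and TCP, e.g. `/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop` (ether1 assumed to be the WAN port). The TCP probe is there so you can see whether the cache answers on TCP at all; a TCP answer cannot be spoofed into a reflection, but it still reveals the cache to anyone who asks.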