If you can capture the traffic, you may find that it is legitimate traffic
for a misconfigured domain. I.e. some domain has their name servers
listed including that IP. A capture should show which domain the query is
for.

I seem to recall the sniffer functionality in a MikroTik will either decode
this, or more likely save and/or stream it so that you can use Wireshark
on a PC to decode.

On Oct 9, 2015 9:12 AM, "That One Guy /sarcasm" <[email protected]>
wrote:

> My policy on this interface is default deny, so it is dropping them, but
> it's still going on to just the one IP out of the /28 subnet. I don't mind
> dropping them, it's not noticeable bandwidth, I just can't figure out why it
> is the traffic is focused there, I almost wonder if I was to stick a DNS
> server on that IP if it would increase
>
> On Fri, Oct 9, 2015 at 8:08 AM, David <[email protected]> wrote:
>
>> DDOSDNS bot trying to find a live host for pushing responses.
>>
>> add rule
>>  input udp dest-port 53 interface=to internet drop in your firewall
>>
>> hate those little bastards don't have anything else to do except do what
>> they're programmed to do
>>
>> On 10/08/2015 11:42 PM, That One Guy /sarcasm wrote:
>>
>> So I'm at home, turning up a subnet on a MikroTik on the network. Mind
>> you this subnet hasn't been in use in 6 months. This is for some servers so
>> I create a default deny policy with logging. One of the IPs is being
>> hammered on port 53 UDP per the packet sniffer. The IP isn't live, it's just
>> dropping because of the policy. It's not much bandwidth but as best I can
>> tell it's constant and different IPs.
>>
>> Is the packet sniffer on these things similar to tcpdump, the manual page
>> didn't seem so. All I can guess is these are part of something I'm not
>> related to and since this IP hasn't been live in 6 months it's spoofed or
>> something and these are some sort of response packet to a denial of service
>> somewhere else.
>> But this subnet, not this particular IP, will house a couple DNS servers,
>> I just want to make sure there's no shenanigans going on before I turn
>> anything up
>> Without being at the office to Wireshark this from a switch, how do I get
>> more out of this MikroTik packet sniffer?
>>
>> --
>> If you only see yourself as part of the team but you don't see your team
>> as part of yourself you have already failed as part of the team.
>>
>>
>>
>
>
> --
> If you only see yourself as part of the team but you don't see your team
> as part of yourself you have already failed as part of the team.
>
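
An added example, not part of the thread: once the UDP/53 payloads have been exported from a capture, tallying the question name, query type and the header's QR bit shows whether the traffic is repeated lookups for one domain, scattered probes, or responses arriving as backscatter. The function names and the sample messages below are constructed for illustration; only the standard DNS header and question layout is assumed.

```python
import struct
from collections import Counter

QTYPES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

def parse_question(payload: bytes):
    """Return (is_response, qname, qtype) for the first question of a DNS message."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:            # root label terminates the name
            break
        if length & 0xC0 or pos + length > len(payload):
            raise ValueError("pointer or over-long label in first question")
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return bool(flags & 0x8000), ".".join(labels) or ".", QTYPES.get(qtype, str(qtype))

def summarize(payloads):
    """Count queries per (qname, qtype); count responses and junk separately."""
    queries, responses, malformed = Counter(), 0, 0
    for p in payloads:
        try:
            is_resp, name, qtype = parse_question(p)
        except ValueError:
            malformed += 1
            continue
        if is_resp:
            responses += 1         # QR=1: a reply to something this IP never asked
        else:
            queries[(name, qtype)] += 1
    return queries, responses, malformed

def build_message(name, qtype, response=False):
    """Construct a sample DNS message (test data, not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8000 if response else 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

SAMPLE = [build_message("example.org", 1)] * 3 + [build_message("example.org", 28),
          build_message("example.net", 255), build_message("example.com", 1, True), b"\x00\x01"]
```

A tally dominated by one name points toward the misconfigured-delegation explanation, while a high response count fits the spoofed-source guess in the original post.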
