Assuming you have DNS set to Allow Remote Requests (which must be on for local customers to use the Mikrotik as their DNS server), make sure you have an Input chain rule to drop UDP and TCP destination port 53 on the WAN interface. Mikrotik’s QuickSet leaves the router open to DNS amplification attacks.
Also check if you have NTP server enabled, that’s another amplification attack method.

From: Jason McKemie
Sent: Tuesday, September 06, 2016 11:57 AM
To: [email protected]
Subject: [AFMUG] Mikrotik Possibly Compromised

So I've noticed some strange behavior on my home connection (Comcast). The Mikrotik that I am using shows a constant Tx on the WAN port of around 3-5Mbps and between 200-300pps, Rx is just a few kbps. This activity appears to be strictly on the WAN port. If I disable a firewall rule that accepts input, the activity ceases - but devices behind the router lose connectivity. Any ideas? I've got all IP services disabled except winbox, which is restricted to my local network.
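An added example, not part of the thread: a small audit of `/ip firewall filter export` output that walks the input chain in order and reports whether a new packet arriving on the WAN interface for DNS (53) or NTP (123) would be accepted. It assumes the WAN interface is named ether1, one rule per line in the export, and only the matchers listed in KNOWN (no jump chains, negation or address lists); the sample exports are constructed.

```python
import shlex

TERMINAL = {"accept", "drop", "reject"}
KNOWN = {"chain", "action", "in-interface", "protocol", "dst-port",
         "connection-state", "comment", "disabled", "log", "log-prefix"}
PROBES = [("udp", 53), ("tcp", 53), ("udp", 123)]  # DNS and NTP, as in the thread
# Constructed sample exports; the WAN name ether1 is an assumption.
OPEN = '/ip firewall filter\nadd action=accept chain=input comment="accept input"\n'
HARDENED = """/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53,123 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input
"""

def parse_rules(export_text):
    """Collect 'add key=value ...' lines found under '/ip firewall filter'."""
    rules, in_section = [], False
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("/"):
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line)[1:]))
    return rules

def port_in(spec, port):
    ranges = (p.partition("-") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def matches(rule, pkt):
    if rule.get("chain") != pkt["chain"] or rule.get("disabled") == "yes":
        return False
    if set(rule) - KNOWN:  # refuse to guess about matchers this sketch ignores
        raise ValueError(f"unsupported matcher in rule: {rule}")
    states = rule.get("connection-state", pkt["state"]).split(",")
    return (rule.get("in-interface", pkt["iface"]) == pkt["iface"]
            and rule.get("protocol", pkt["protocol"]) == pkt["protocol"]
            and port_in(rule.get("dst-port", str(pkt["port"])), pkt["port"])
            and pkt["state"] in states)

def exposed_services(export_text, wan):
    """Return the (protocol, port) probes that a new WAN packet gets accepted on."""
    rules, hits = parse_rules(export_text), []
    for proto, port in PROBES:
        pkt = dict(chain="input", iface=wan, protocol=proto, port=port, state="new")
        # First matching terminal rule decides; RouterOS accepts if none match.
        acts = (r.get("action", "accept") for r in rules if matches(r, pkt))
        if next((a for a in acts if a in TERMINAL), "accept") == "accept":
            hits.append((proto, port))
    return hits
```

Because the filter is first-match, a port 53 drop placed below a broad input accept never fires, so the audit reports the service as exposed in that case as well.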
