Unfortunately, “remote” doesn’t mean what you probably think.  More like remote 
and local, anything except the Mikrotik itself.  So if any clients are using 
this as their resolver (DNS proxy), it needs to be enabled, with firewall 
rules.  If you aren’t using the Mikrotik as a DNS proxy, you can disable remote 
requests.

From: Jason McKemie 
Sent: Tuesday, September 06, 2016 12:20 PM
To: [email protected] 
Subject: Re: [AFMUG] Mikrotik Possibly Compromised

Well, disabling remote requests worked well enough at the moment.  I'll have to 
work on the firewall setup though. 

Thanks all, I'm still not working correctly from the 3 day weekend obviously.

On Tue, Sep 6, 2016 at 12:18 PM, Mike Hammett <[email protected]> wrote:

  If you leave it long enough, Comcast will shut off your account.




  -----
  Mike Hammett
  Intelligent Computing Solutions

  Midwest Internet Exchange

  The Brothers WISP






------------------------------------------------------------------------------

  From: "Jason McKemie" <[email protected]>
  To: [email protected]
  Sent: Tuesday, September 6, 2016 12:17:23 PM
  Subject: Re: [AFMUG] Mikrotik Possibly Compromised


  Yeah, admittedly I haven't done much other than mess around with some 
blacklists on this one. 

  On Tue, Sep 6, 2016 at 12:16 PM, Mike Hammett <[email protected]> wrote:

    Instill some basic network security. I block input to potentially harmful 
ports, but a better way is to only allow input on ports you want.










----------------------------------------------------------------------------

    From: "Jason McKemie" <[email protected]>
    To: [email protected]
    Sent: Tuesday, September 6, 2016 12:14:31 PM
    Subject: Re: [AFMUG] Mikrotik Possibly Compromised


    Well, disabling remote requests dropped it off steeply.  I'll have to look 
into that.  Is that enabled by default?

    On Tue, Sep 6, 2016 at 12:13 PM, Bruce Robertson <[email protected]> wrote:

      Good point.


      On 09/06/2016 10:11 AM, Jason McKemie wrote:

        I'd think that I would see some internal network activity if this were 
the case though.  Also, the source IPs appear to be from all over the world.

        On Tue, Sep 6, 2016 at 12:09 PM, Bruce Robertson <[email protected]> wrote:

          In my experience, that's usually your mobile devices nattering with 
the mother ship, like doing backups and uploading recent pictures. iPhones are 
especially bad about this.

          On 09/06/2016 09:57 AM, Jason McKemie wrote:

            So I've noticed some strange behavior on my home connection 
(Comcast).  The Mikrotik that I am using shows a constant Tx on the WAN port of 
around 3-5Mbps and between 200-300pps, Rx is just a few kbps.  This activity 
appears to be strictly on the WAN port.  If I disable a firewall rule that 
accepts input, the activity ceases - but devices behind the router lose 
connectivity.

            Any ideas?  I've got all IP services disabled except winbox, which 
is restricted to my local network.
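The two options described at the top of the thread (turn remote requests off, or keep the DNS proxy and allow input only on the ports you want), written out as a RouterOS configuration. This is an added example, not something posted by anyone in the thread; the interface names `ether1` (WAN) and `bridge` (LAN) are assumptions, and winbox is assumed to be on its default port 8291.

```routeros
# Added example. Assumed names: ether1 = WAN, bridge = LAN.

# Option 1: no client uses the router as its resolver.
# The router can still resolve names for itself.
/ip dns set allow-remote-requests=no

# Option 2: LAN clients use the router as their DNS proxy.
# Leave the proxy on and make it reachable from the LAN only.
/ip dns set allow-remote-requests=yes

/ip firewall filter
# Replies to traffic the router itself started (its own upstream DNS lookups, etc.).
add chain=input action=accept connection-state=established,related comment="input: replies"
add chain=input action=drop connection-state=invalid comment="input: invalid"
add chain=input action=accept protocol=icmp comment="input: icmp"
# DNS proxy, LAN side only.
add chain=input action=accept in-interface=bridge protocol=udp dst-port=53 comment="input: dns udp from lan"
add chain=input action=accept in-interface=bridge protocol=tcp dst-port=53 comment="input: dns tcp from lan"
# winbox, LAN side only.
add chain=input action=accept in-interface=bridge protocol=tcp dst-port=8291 comment="input: winbox from lan"
# Everything else addressed to the router is dropped, including DNS arriving on ether1.
add chain=input action=drop comment="input: drop the rest"

# Check: the counters on the final drop rule should climb while WAN Tx falls back to normal.
/ip firewall filter print stats
```

Rules are matched top to bottom, so an existing blanket accept rule in the input chain has to be removed or moved below these for the drop to take effect. Any other service the LAN needs from the router itself gets its own accept rule above the final drop.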