100% of the time you enable DNS resolving you want to firewall the WAN interface for this very reason.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373

On Tue, Sep 6, 2016 at 1:59 PM, Jason McKemie <[email protected]> wrote:

> Got it. I think part of the issue here is that since I was using it at
> home I left the Mikrotik default config installed - normally I wipe this
> and start from scratch.
>
> On Tuesday, September 6, 2016, Ken Hohhof <[email protected]> wrote:
>
>> Unfortunately, “remote” doesn’t mean what you probably think. More like
>> remote and local, anything except the Mikrotik itself. So if any clients
>> are using this as their resolver (DNS proxy), it needs to be enabled, with
>> firewall rules. If you aren’t using the Mikrotik as a DNS proxy, you can
>> disable remote requests.
>>
>> *From:* Jason McKemie
>> *Sent:* Tuesday, September 06, 2016 12:20 PM
>> *To:* [email protected]
>> *Subject:* Re: [AFMUG] Mikrotik Possibly Compromised
>>
>> Well, disabling remote requests worked well enough at the moment. I'll
>> have to work on the firewall setup though.
>>
>> Thanks all, I'm still not working correctly from the 3 day weekend
>> obviously.
>>
>> On Tue, Sep 6, 2016 at 12:18 PM, Mike Hammett <[email protected]> wrote:
>>
>>> If you leave it long enough, Comcast will shut off your account.
>>>
>>> -----
>>> Mike Hammett
>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>> <https://www.facebook.com/ICSIL>
>>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>>> <https://twitter.com/ICSIL>
>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>> <https://www.facebook.com/mdwestix>
>>> <https://www.linkedin.com/company/midwest-internet-exchange>
>>> <https://twitter.com/mdwestix>
>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>> <https://www.facebook.com/thebrotherswisp>
>>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>>> ------------------------------
>>> *From: *"Jason McKemie" <[email protected]>
>>> *To: *[email protected]
>>> *Sent: *Tuesday, September 6, 2016 12:17:23 PM
>>> *Subject: *Re: [AFMUG] Mikrotik Possibly Compromised
>>>
>>> Yeah, admittedly I haven't done much other than mess around with some
>>> blacklists on this one.
>>>
>>> On Tue, Sep 6, 2016 at 12:16 PM, Mike Hammett <[email protected]> wrote:
>>>
>>>> Instill some basic network security. I block input to potentially
>>>> harmful ports, but a better way is to only allow input on ports you want.
>>>>
>>>> -----
>>>> Mike Hammett
>>>> Intelligent Computing Solutions
>>>> ------------------------------
>>>> *From: *"Jason McKemie" <[email protected]>
>>>> *To: *[email protected]
>>>> *Sent: *Tuesday, September 6, 2016 12:14:31 PM
>>>> *Subject: *Re: [AFMUG] Mikrotik Possibly Compromised
>>>>
>>>> Well, disabling remote requests dropped it off steeply. I'll have to
>>>> look into that. Is that enabled by default?
>>>>
>>>> On Tue, Sep 6, 2016 at 12:13 PM, Bruce Robertson <[email protected]>
>>>> wrote:
>>>>
>>>>> Good point.
>>>>>
>>>>> On 09/06/2016 10:11 AM, Jason McKemie wrote:
>>>>>
>>>>> I'd think that I would see some internal network activity if this were
>>>>> the case though. Also, the source IPs appear to be from all over the
>>>>> world.
>>>>>
>>>>> On Tue, Sep 6, 2016 at 12:09 PM, Bruce Robertson <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> In my experience, that's usually your mobile devices nattering with
>>>>>> the mother ship, like doing backups and uploading recent pictures.
>>>>>> iPhones are especially bad about this.
>>>>>>
>>>>>> On 09/06/2016 09:57 AM, Jason McKemie wrote:
>>>>>>
>>>>>>> So I've noticed some strange behavior on my home connection
>>>>>>> (Comcast). The Mikrotik that I am using shows a constant Tx on the WAN
>>>>>>> port of around 3-5Mbps and between 200-300pps, Rx is just a few kbps.
>>>>>>> This activity appears to be strictly on the WAN port. If I disable a
>>>>>>> firewall rule that accepts input, the activity ceases - but devices
>>>>>>> behind the router lose connectivity.
>>>>>>>
>>>>>>> Any ideas? I've got all IP services disabled except winbox, which
>>>>>>> is restricted to my local network.
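The firewall the thread keeps recommending (keep the DNS proxy on for LAN clients, allow input only on the ports you want, drop everything else on the WAN), as an added RouterOS example that is not from any of the posters. Assumptions: ether1 is the WAN port, bridge is the LAN side, and Winbox is on its default TCP/8291.

```routeros
# Added example, not from the thread. Assumed names: ether1 = WAN,
# bridge = LAN. Rules are evaluated top to bottom, so the WAN drop is last.

# Per Ken's note, "remote" means anything other than the router itself, so
# this must stay on if LAN devices use the Mikrotik as their resolver.
/ip dns set allow-remote-requests=yes

/ip firewall filter
# Replies to the router's own traffic come back in; broken state is dropped.
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# Resolver reachable from the LAN side only (never from ether1).
add chain=input action=accept in-interface=bridge protocol=udp dst-port=53 comment="LAN DNS udp"
add chain=input action=accept in-interface=bridge protocol=tcp dst-port=53 comment="LAN DNS tcp"
# Management from the LAN side only.
add chain=input action=accept in-interface=bridge protocol=tcp dst-port=8291 comment="LAN winbox"
# "Only allow input on ports you want": anything else arriving on the WAN dies here.
add chain=input action=drop in-interface=ether1 comment="drop all other WAN input"

# Checks: confirm the setting, then watch the WAN drop counter climb while
# the constant 3-5 Mbps Tx on the WAN port disappears.
/ip dns print
/ip firewall filter print stats where comment="drop all other WAN input"
```

With this in place the resolver still answers the LAN but stops answering queries from the Internet, which is what turns the router into a reflector in the first place.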
