[afnog] BGP issues and strange traffic

Seun Ojedeji seun.ojedeji at gmail.com
Sun Feb 28 05:53:46 UTC 2016


Hi Folarin,

The syntax provided to you by Tayeb combined with the URL shared by Dewole
should be sufficient. Just to be clear, you did not get this issue due to
the BGP (unless your provider in the past never assigned a public IP to
your gateway); it must have been happening before on your router's public
interface. However, you are probably experiencing more traffic consumption
because now all your clients can be reached publicly by default. Below are
some URLs that could help:

http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script

http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router

Finally, in case you are based in Nigeria, do note that there is significant
local experience on the use of MikroTik ROS, so you may subscribe to the
list shared by Dewole if you have any further challenges, as there are some
local folks in there who may not be on the afnog list.

Regards

Sent from my LG G4
Kindly excuse brevity and typos
On 25 Feb 2016 11:34, "Folarin Oluwafemi" <folarin077 at gmail.com> wrote:

>
> I was able to run the Unix OpenBGPD platform and Snort IDS to highly suppress
> the attack.
>
> Meanwhile I will take note of the contributions mentioned earlier and try
> it out.
>
> Also, my ISP said I should get a perimeter firewall like the Cisco ASA
> 5500 series.
>
> Thanks to everyone.
>
> Warm Regards.
>
> On Thu, Feb 25, 2016 at 10:44 AM, Dewole Ajao <dewole at tinitop.com> wrote:
>
>> Sorry, we're 4 days late to the rescue... Dropping the incoming DNS
>> traffic will fix it but tomorrow it will be some other service so ideally
>> you should filter out access to all local services from your WAN
>> interfaces. Wrote
>> http://dewoleajao.com/blog2/remote-rogues-spoiling-your-web-experience
>> last year after seeing same at many Mikrotik all-in-one router sites.
>>
>> And you should join
>> http://abuja.forum.org.ng/mailman/listinfo/ngnog-discuss too ;-)
>>
>> All the best!
>> Dewole.
>>
>> On 2/21/2016 11:24 PM, Folarin Oluwafemi wrote:
>>
>> Hello Group Members,
>>
>> I recently did BGP peering with my upstream provider and everything was
>> fine until a few days' time, when I observed strange traffic from the
>> interface of my WAN.
>>
>> What I saw using the torch tool (network real-time monitor) on MikroTik was
>> traffic hitting my WAN interface from IP prefixes from unknown locations,
>> hitting my router for DNS service, that I can't explain.
>>
>> I disabled my LAN public IP block of 196.13.111.0/24 and observed
>> the scenario keenly and still observed high traffic coming in.
>>
>> Because of this act, I have not been able to enjoy good internet service
>> from my provider.
>>
>> Is there any filtering mechanism that can be used, or how can this attack
>> be mitigated?
>>
>> Attached is the snapshot of what I am referring to.
>>
>> *ETHER 5 is the interface facing my ISP*
>>
>> *ETHER 3 is my LAN interface 196.13.111.0/24, disabled*
>>
>> I need assistance from the group in helping out.
>>
>> Regards.
>> --
>> I am what God says I am
>>
>>
>> _______________________________________________
>> afnog mailing list
>> https://www.afnog.org/mailman/listinfo/afnog
>>
>>
>>
>
>
> --
> I am what God says I am
>
>
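
Dewole's advice in the quoted thread (filter access to all local services from the WAN, not only DNS), sketched as a RouterOS input-chain policy. This is an added example, not configuration posted by anyone in the thread; it assumes ether5 is the ISP-facing interface as Folarin describes, and uses 192.0.2.1 as a placeholder for the upstream BGP peer address.

```routeros
# Added example, not from the thread.
# Assumptions: ether5 faces the ISP; 192.0.2.1 is a placeholder for the
# upstream BGP peer. Rules are evaluated top to bottom, so order matters.
/ip firewall filter

# Replies to connections the router itself opened (its own DNS lookups,
# outbound BGP, NTP) must still get back in.
add chain=input connection-state=established,related action=accept \
    comment="allow return traffic"
add chain=input connection-state=invalid action=drop \
    comment="drop invalid packets"

# The upstream peer may open the BGP session towards us, so TCP/179 from
# that one address has to be accepted before the final WAN drop.
add chain=input in-interface=ether5 protocol=tcp src-address=192.0.2.1 \
    dst-port=179 action=accept comment="BGP from upstream peer"

# Keep ICMP so path MTU discovery and basic reachability checks work.
add chain=input in-interface=ether5 protocol=icmp action=accept \
    comment="ICMP from WAN"

# Unsolicited DNS queries from the Internet: the traffic seen in torch.
# Kept as separate rules so their counters show how much of it arrives.
add chain=input in-interface=ether5 protocol=udp dst-port=53 action=drop \
    comment="drop WAN DNS queries (udp)"
add chain=input in-interface=ether5 protocol=tcp dst-port=53 action=drop \
    comment="drop WAN DNS queries (tcp)"

# Everything else addressed to the router from the WAN (Winbox, SSH, web,
# whatever service is probed tomorrow) is dropped by default.
add chain=input in-interface=ether5 action=drop \
    comment="drop all other WAN access to router services"
```

The input chain only covers traffic addressed to the router itself; hosts in the public LAN block are reached through the forward chain and need their own rules. Dropped queries still cross the ISP link before the router discards them, so this stops the router from answering but does not reduce inbound volume on its own.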