The Timigate giveaway is here, and this time I will be giving out a MikroTik RB951 small-office router to one of my blog visitors. We all need these tools to practise, and I am doing this to encourage us to practise what is posted on this blog.
The MikroTik RB951 series comes with five Ethernet ports, a 2.4 GHz wireless interface, a USB port and a Level 4 license capable of supporting up to 100 hotspot users. It has a PoE-out function on ether5, designed to power connected PoE devices such as IP phones and wireless radios. It can be deployed in small offices with up to 50 concurrent users.
However, unlike other blogs, this giveaway comes with a test aimed at keeping us engaged. I will describe a real-life scenario, and whoever is first to provide the correct answer wins. So, here we go!
Timigate giveaway question
Consider the network diagram below and answer the question that follows.
Network Topology
The router has a public IP assigned to ether1 (the WAN interface) and is configured to provide DNS. Users on the LAN complained of slow connectivity. A check on the router revealed high utilization even after all users had been disconnected, and the WAN interface was carrying a lot of traffic while nothing was coming from the LAN.
State what could be the cause of this reported congestion and what can be done to remedy the situation.
Hint: the router has been configured as a DNS server, and no firewall filter rule has been configured on it.
To win the prize, simply drop a comment stating what the problem is and how to solve it. Be sure to include your email address. Remember, the first correct answer wins!
Please subscribe to this blog to receive my posts via email. Also subscribe to my YouTube channel, like my Facebook page and follow me on Twitter.
Hello Timi, I have been a fan of your blog. I also shared my tech story recently about how a faulty PoE adapter affected my wireless link. Having been in the IT industry, here is my answer to your giveaway prize: “This could be caused by DNS requests from the internet. Allow remote requests was enabled on the router, and since no firewall filter rule has been configured, users all over the world are using the router as a DNS server. As a result, high upload traffic is noticed on the network. To solve the problem, configure a filter rule to drop DNS requests coming from the internet.”
Congratulations, Kelly Collins! Kindly send your shipping address to timigateng@gmail.com. Almost everyone got the answer right, but as I said, only the first correct answer wins. More giveaways to come.
The box is operating as a recursive DNS resolver to the outside world. The following firewall rule would do the job.
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface= protocol=udp
add action=drop chain=input dst-port=53 in-interface= protocol=tcp
Your answer is VERY correct, only that it is not the first correct answer. I hope you win next time. Thanks
The problem is that your router's public IP is already acting as a DNS server for outside computers.
The solution is to go to IP/DNS and uncheck Allow Remote Requests.
Your answer is partially correct. The problem is, I do not want to disable Allow Remote Requests, because I want the router to provide DNS services to connected LAN users.
The problem is DNS requests.
The solution is to uncheck Allow Remote Requests in IP->DNS Settings, or to add a firewall rule that will drop traffic to port 53.
Disable allow remote request=No. Add firewall rule to drop dns requests from the internet=Yes.
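The configuration that the exchange above settles on, written out as an added example (it is not from the original post or from MikroTik): keep Allow Remote Requests enabled so the LAN can still resolve through the router, but stop the router answering DNS for the Internet. It assumes the scenario's layout, with ether1 as the WAN interface and the LAN on a bridge using 192.168.88.0/24; adjust those names and the prefix to your own setup.

```routeros
# Added example, not from the original post. Assumes: ether1 = WAN (public IP),
# LAN = 192.168.88.0/24 behind an interface named "bridge".

# 1. The condition that produces the symptom: the router resolves for anyone,
#    and with no input-chain filter, queries arriving on ether1 are served.
/ip dns set allow-remote-requests=yes

# 2. Remedy that keeps LAN resolution working: let the LAN reach the router's
#    resolver, then drop DNS aimed at the router itself when it arrives on the
#    WAN interface. Both UDP and TCP are needed; DNS uses both.
#    log=yes on the UDP drop shows who is hitting the router while you watch.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 src-address=192.168.88.0/24 \
    in-interface=bridge comment="LAN DNS to router (UDP)"
add chain=input action=accept protocol=tcp dst-port=53 src-address=192.168.88.0/24 \
    in-interface=bridge comment="LAN DNS to router (TCP)"
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1 \
    log=yes log-prefix="DNS-WAN-DROP" comment="drop DNS from Internet (UDP)"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1 \
    comment="drop DNS from Internet (TCP)"

# 3. Filter rules are evaluated top-down. If an earlier input rule already
#    accepts everything, the new drops never match; move them to the top.
/ip firewall filter move [find comment="drop DNS from Internet (UDP)"] 0
/ip firewall filter move [find comment="drop DNS from Internet (TCP)"] 1

# 4. Verify: the drop counters should climb while the unwanted queries keep
#    coming, and the ether1 traffic that had no LAN origin should fall off.
/ip firewall filter print stats where chain=input
/interface monitor-traffic ether1 once
```

The two accept rules are not strictly required, since LAN packets never match in-interface=ether1, but being explicit means a later, broader input drop (for instance a default "drop everything else" at the end of the chain) cannot silently break LAN DNS. If the router also has an IPv6 address on ether1 and resolves over IPv6, the same pair of drops belongs in /ipv6 firewall filter.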
I think the router is under something like a DNS amplification attack: so many DNS requests come into the router's local process from the WAN/Internet that they make a huge amount of received traffic on the WAN interface.
Solution:
Uncheck the option “Allow Remote Requests” in the MikroTik DNS server configuration. But if you need this feature, then create a firewall filter rule to protect the router from DNS requests (UDP/TCP 53) that come from the internet.
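Once the drop rule is in place, the question the comment above raises (is this reflection/amplification traffic, and from where?) can be answered from the router's own log. The script below is an added example, not part of the original post or of MikroTik's tooling; it assumes the WAN drop rule was created with log=yes and log-prefix="DNS-WAN-DROP", and the log lines it parses are constructed here in the shape RouterOS writes for logged firewall matches.

```python
"""Summarise which Internet sources are hitting the router's DNS port.

Added example, not from the original post. Assumes the input-chain drop rule
was created with log=yes log-prefix="DNS-WAN-DROP" (an assumed prefix).
"""
import re
from collections import Counter

# Constructed sample in the shape of RouterOS "/log print" firewall entries.
# The fifth line is an unrelated entry, included to show the parser skips it.
SAMPLE_LOG = """\
jan/02 10:15:01 firewall,info DNS-WAN-DROP input: in:ether1 out:(unknown 0), proto UDP, 198.51.100.7:4213->203.0.113.10:53, len 67
jan/02 10:15:01 firewall,info DNS-WAN-DROP input: in:ether1 out:(unknown 0), proto UDP, 198.51.100.7:4213->203.0.113.10:53, len 67
jan/02 10:15:02 firewall,info DNS-WAN-DROP input: in:ether1 out:(unknown 0), proto UDP, 203.0.113.77:53->203.0.113.10:53, len 67
jan/02 10:15:02 firewall,info DNS-WAN-DROP input: in:ether1 out:(unknown 0), proto TCP (SYN), 192.0.2.9:51822->203.0.113.10:53, len 60
jan/02 10:15:03 system,info dns settings changed by admin
jan/02 10:15:03 firewall,info DNS-WAN-DROP input: in:ether1 out:(unknown 0), proto UDP, 198.51.100.7:4213->203.0.113.10:53, len 67
"""

# One logged match: prefix, in-interface, protocol (TCP entries carry the
# flags in brackets, e.g. "TCP (SYN)") and the src:port->dst:port pair.
LINE_RE = re.compile(
    r"firewall,info (?P<prefix>\S+) input: in:(?P<iface>\S+) out:[^,]*, "
    r"proto (?P<proto>UDP|TCP)(?: \([^)]*\))?, "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)->(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)


def parse_dropped_dns(log_text, prefix="DNS-WAN-DROP"):
    """Return (src_ip, proto) for every line logged by the DNS drop rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m.group("prefix") != prefix or m.group("dport") != "53":
            continue
        hits.append((m.group("src"), m.group("proto")))
    return hits


def summarize(log_text, prefix="DNS-WAN-DROP", threshold=2):
    """Count dropped queries per protocol and list sources seen >= threshold times.

    Caveat: in a reflection attack the source address is the spoofed victim,
    not the attacker, so 'noisy_sources' is a list to investigate, not a
    blocklist. The remedy on the router stays the interface-based drop rule.
    """
    hits = parse_dropped_dns(log_text, prefix)
    per_src = Counter(src for src, _ in hits)
    per_proto = Counter(proto for _, proto in hits)
    noisy = sorted(src for src, n in per_src.items() if n >= threshold)
    return {"total": len(hits), "per_proto": dict(per_proto), "noisy_sources": noisy}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"dropped DNS queries from WAN: {report['total']} {report['per_proto']}")
    for src in report["noisy_sources"]:
        print(f"  repeated source: {src}")
```

Feed it the output of /log print (or the remote syslog you forward the router to) and it tells you how much of the WAN load was DNS aimed at the router, split by UDP and TCP, and which addresses recur. Because those addresses may be the amplification victims rather than the sender, the value of the report is confirming the diagnosis and sizing the problem, not building per-address blocks.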
DNS remote requests are allowed and no firewall rule protects port 53 from the outside world.
Solution:
1- Create a firewall rule to block incoming WAN traffic to TCP and UDP 53.
2- Or disable Allow Remote Requests in the MTK DNS settings.
DNS requests from the internet. Just put two rules dropping DNS requests on port 53, one for UDP and one for TCP. Either use the WAN as the in-interface or the local network as the source address. The DNS is getting attacked from the internet.
I already posted a comment but don't see it! The problem is DNS requests from the WAN side; two rules dropping TCP and UDP 52 from the WAN is OK.
DNS reflection attack; add a firewall rule to drop port 53 requests coming into the WAN interface.
Very correct, however, not the first correct.
DNS reflection attack; add a firewall rule to drop port 53 requests incoming on the WAN port.
The utilization seen on the router could be a result of the following: requests and broadcasts from the internet.
Configure a firewall rule denying requests from the internet on the WAN interface of the router, and broadcasts from the internet.
Your answer is correct, however, it is not the first correct answer. Thanks all the same and better luck next time.