01.10.2016., 20:03   #1
markan
MikroTik - strange logs and Internet problems

I need help from someone who knows MikroTik and its OS a bit better, so I can try to solve the current problem...
I have an RB2011 that is connected by a PPPoE connection to a TCom router, through which it gets Internet on eth2, while eth1 connects it to the rest of the network, which has around 50 hosts. Over the last week connections have started dropping and all traffic has slowed down; occasionally some pages won't open at all. I watched the CPU on the RB2011 for a while... it constantly jumps from 2%, 3% to 30%, 40%, and the logs have been filling up for a week now without stopping, several lines per second. The log follows...

Code:
18:27:23 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:42200->31.13.92.37:443, len 60 
18:27:23 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:53902->54.76.179.64:443, len 60 
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 52 
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50612->82.242.230.108:45653, len 52 
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50613->121.7.198.94:1500, len 52 
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50614->94.8.72.160:65313, len 52 
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50615->37.163.30.195:44858, len 52 
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:45925->172.217.22.74:443, len 60 
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.254:55371->151.80.108.86:11123, NAT (10.51.24.254:55371->78.2.110.154:55371)->151.80.108.86:11123, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50616->184.175.8.12:6881, len 52 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50617->64.5.64.64:42713, len 52 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:58530->191.233.80.151:443, len 60 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:46501->93.184.221.200:443, len 60 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:37093->172.217.22.74:443, len 60 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:46691->31.13.93.3:443, len 60 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:49354->104.96.93.49:443, len 64 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50618->93.200.215.21:21000, len 52 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50619->121.121.60.50:2757, len 52 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:43589->172.217.16.206:443, len 60 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:40016->172.217.16.206:443, len 60 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:60054->172.217.16.206:443, len 60 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 52 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.254:34901->37.59.49.48:11123, len 60 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:40152->188.125.69.5:993, len 60 
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:59954->40.127.129.109:443, len 60 
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50610->68.144.16.13:27347, NAT (10.51.33.253:50610->78.2.110.154:50610)->68.144.16.13:27347, len 52
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50620->201.0.121.229:6935, len 52 
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:50057->31.13.92.52:443, len 60 
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50621->77.112.28.200:47141, len 52 
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.36.254:51718->91.195.99.241:443, len 64 
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8 proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 48 
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50622->85.27.169.47:33746, len 52 
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.27.246:15976->54.77.198.192:80, len 60 
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:48482->172.217.16.206:80, len 60 
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:54662->31.13.93.2:443, len 60 
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50615->37.163.30.195:44858, NAT (10.51.33.253:50615->78.2.110.154:50615)->37.163.30.195:44858, len 52
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:53163->172.217.22.14:80, len 60 
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:41923->169.54.55.216:443, len 60 
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:38231->93.184.220.127:443, len 60 
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:53417->188.125.69.5:993, len 60 
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:54658->74.125.71.188:5228, len 60
Does anyone know what the problem is and how to solve it?
__________________
Be yourself. Everyone else is already taken.

01.10.2016., 21:34   #2
Nikky
You definitely have a problem; now we need to figure out what it is and where it's coming from.
For a start, check / tighten the fw rules.
From the log you need to work out whether this is an "attack" from outside or whether some client inside has picked up some junk;
identify the local client by its MAC and IP address.
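
Nikky's suggestion to identify the client from the log, as an added example that is not part of the original thread: a Python script that parses firewall log lines in the format posted in #1 and ranks source IPs by how many unusual destination ports they open SYNs to. The sample is a subset of the posted log; the `COMMON_PORTS` set and the function name are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Subset of the log lines from post #1 (MAC already masked by the poster).
SAMPLE = """\
18:27:23 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:42200->31.13.92.37:443, len 60
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50612->82.242.230.108:45653, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50613->121.7.198.94:1500, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.254:55371->151.80.108.86:11123, NAT (10.51.24.254:55371->78.2.110.154:55371)->151.80.108.86:11123, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:37093->172.217.22.74:443, len 60
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8 proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 48
"""

# Assumption: destination ports treated here as ordinary client traffic.
COMMON_PORTS = {80, 443, 993, 5228}

# The first src->dst pair after "proto" is the original flow; a trailing
# "NAT (...)" part is ignored. Commas are optional (one posted line lacks one).
LINE = re.compile(
    r"in:\S+ out:[^,\s]+,? src-mac [0-9A-Fa-fx:]+,? "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def summarize(log_text):
    """Rank source IPs by distinct unusual destination ports, then SYN count."""
    stats = defaultdict(lambda: {"syn": 0, "dsts": set(), "odd": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["proto"] != "TCP" or "SYN" not in (m["flags"] or ""):
            continue
        s, dport = stats[m["src"]], int(m["dport"])
        s["syn"] += 1
        s["dsts"].add((m["dst"], dport))
        if dport not in COMMON_PORTS:
            s["odd"].add(dport)
    rows = [(ip, s["syn"], len(s["dsts"]), sorted(s["odd"])) for ip, s in stats.items()]
    return sorted(rows, key=lambda r: (-len(r[3]), -r[1]))

if __name__ == "__main__":
    for ip, syn, dsts, odd in summarize(SAMPLE):
        print(f"{ip:15} syn={syn} distinct_dst={dsts} unusual_ports={odd}")
```

Run over a full export of the log, the first rows are the internal addresses worth checking by hand.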

01.10.2016., 21:50   #3
markan
The only MAC address mentioned is the one ending in e8, and it belongs to eth2. That's where the Internet comes from. BTW, these SYN packets smell like a DDoS attack to me, but since I've had no experience with that so far, I'm looking for someone who knows how to block this. There must be a solution; my knowledge of MT is just fairly general and shallow, so I'm looking for more expert help.

01.10.2016., 22:07   #4
Forace
Are these 10.51.xx.xx addresses your local ones, or?

01.10.2016., 22:19   #5
markan
That's right. Everything local starts with 10.51.xxx.xxx

01.10.2016., 23:23   #6
Forace
It depends on what kind of network you have, i.e. what those 50 computers are used for. Either check a few of the ones with those addresses to see whether something has ended up on them that shouldn't be there, or make a firewall rule that allows 80 and a few other ports and drops everything else.

This is just information that your MikroTik upnp, if I understood correctly.

02.10.2016., 00:51   #7
markan
Would this maybe help?

Code:
http://wiki.mikrotik.com/wiki/DoS_attack_protection

02.10.2016., 21:06   #8
Mac_F
1. what's your traffic on average / at peak
2. do you need this NAT logging? try turning it off and see how it behaves
3. turn on fastpath if you don't have it
__________________
PCAP or it didn't happen