PC Ekspert Forum


markan 01.10.2016. 20:03

Mikrotik - strange logs and a problem with the Internet
 
I'd need help from someone who understands MikroTik and its OS a bit better so I can try to solve the existing problem....
I have an RB2011 connected via a PPPoE connection to a T-Com router, through which it gets internet on eth2, while over eth1 it is connected to the rest of the network, which has about 50 hosts. Over the last week connections have started dropping and all traffic has slowed down; occasionally some pages can't even be opened. I watched the CPU on the RB2011 a bit... it constantly jumps from 2%, 3% to 30%, 40%, and the logs have been filling up for a week now without stopping, several lines per second. Here is the log...

Code:

18:27:23 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:42200->31.13.92.37:443, len 60
18:27:23 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:53902->54.76.179.64:443, len 60
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50612->82.242.230.108:45653, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50613->121.7.198.94:1500, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50614->94.8.72.160:65313, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50615->37.163.30.195:44858, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:45925->172.217.22.74:443, len 60
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.254:55371->151.80.108.86:11123, NAT (10.51.24.254:55371->78.2.110.154:55371)->151.80.108.86:11123, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50616->184.175.8.12:6881, len 52
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50617->64.5.64.64:42713, len 52
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:58530->191.233.80.151:443, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:46501->93.184.221.200:443, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:37093->172.217.22.74:443, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:46691->31.13.93.3:443, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:49354->104.96.93.49:443, len 64
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50618->93.200.215.21:21000, len 52
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50619->121.121.60.50:2757, len 52
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:43589->172.217.16.206:443, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:40016->172.217.16.206:443, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:60054->172.217.16.206:443, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 52
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.254:34901->37.59.49.48:11123, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:40152->188.125.69.5:993, len 60
18:27:25 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:59954->40.127.129.109:443, len 60
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50610->68.144.16.13:27347, NAT (10.51.33.253:50610->78.2.110.154:50610)->68.144.16.13:27347, len 52
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50620->201.0.121.229:6935, len 52
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:50057->31.13.92.52:443, len 60
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50621->77.112.28.200:47141, len 52
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.36.254:51718->91.195.99.241:443, len 64
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8 proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 48
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50622->85.27.169.47:33746, len 52
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.27.246:15976->54.77.198.192:80, len 60
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:48482->172.217.16.206:80, len 60
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:54662->31.13.93.2:443, len 60
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50615->37.163.30.195:44858, NAT (10.51.33.253:50615->78.2.110.154:50615)->37.163.30.195:44858, len 52
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:53163->172.217.22.14:80, len 60
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:41923->169.54.55.216:443, len 60
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:38231->93.184.220.127:443, len 60
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.34.203:53417->188.125.69.5:993, len 60
18:27:27 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.12.254:54658->74.125.71.188:5228, len 60

Does anyone know what the problem is and how to solve it?

Nikky 01.10.2016. 21:34

You definitely have a problem; now you need to figure out what it is and where it comes from.
To start, check / tighten the firewall rules.
From the log, figure out whether this is an "attack" from outside or whether some client inside has some junk on it;
identify the local client by MAC and IP address.

markan 01.10.2016. 21:50

The only MAC address mentioned is the one ending in e8, and it belongs to eth2. That's where the internet comes from. BTW, these SYN packets smell like a DDoS attack to me, but since I've had no experience with that so far, I'm looking for someone who will know how to block this. There has to be a solution; it's just that my knowledge of MT is fairly general and shallow, so I'm looking for more expert help.

Forace 01.10.2016. 22:07

Are these 10.51.xx.xx your local hosts, or ?

markan 01.10.2016. 22:19

That's right. Everything local starts with 10.51.xxx.xxx

Forace 01.10.2016. 23:23

It depends on what kind of network you have, i.e. what those 50 computers are used for. Either check a few of the ones with those addresses to make sure nothing has gotten onto them that shouldn't have, or make a rule on the firewall that allows 80 and a few more ports and drops everything else.

This is just information from your Mikrotik, upnp if I understood correctly.
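Both Nikky's advice (identify the local client by MAC and IP) and Forace's (check the hosts behind those addresses) come down to aggregating the log per internal source. The parser below is an added example, not code from the thread or from MikroTik: it parses the RouterOS `firewall,info forward:` lines in the format shown above (including the optional NAT part and the one line where the comma after src-mac is missing), counts SYNs, distinct destinations and destination ports per internal IP, and flags sources that open many connections to many different hosts on high ports, which is the pattern of 10.51.33.253 in the log. The thresholds and the sample lines (copied from the log above) are the author's own choices.

```python
import re
from collections import Counter, defaultdict

# RouterOS "firewall,info forward:" line as logged in the thread; the NAT part
# and the comma after src-mac are optional because both vary in the sample.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info forward: in:(?P<in_if>\S+) out:(?P<out_if>\S+), "
    r"src-mac (?P<mac>[0-9a-fA-Fx:]+),? proto (?P<proto>\S+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:, NAT \([^)]*\)->[\d.]+:\d+)?, len (?P<len>\d+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Per internal source IP: SYN count, distinct destination hosts, destination port histogram."""
    stats = defaultdict(lambda: {"syn": 0, "dsts": set(), "ports": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["flags"] != "SYN":
            continue
        s = stats[rec["src"]]
        s["syn"] += 1
        s["dsts"].add(rec["dst"])
        s["ports"][rec["dport"]] += 1
    return stats

def suspects(stats, min_syn=3, min_dsts=3):
    """Sources opening many SYNs to many distinct hosts, mostly on high (non-service) ports."""
    hits = []
    for src, s in stats.items():
        high = sum(n for port, n in s["ports"].items() if port >= 1024)
        if s["syn"] >= min_syn and len(s["dsts"]) >= min_dsts and high * 2 > s["syn"]:
            hits.append(src)
    return sorted(hits)

# Sample lines copied from the log in the thread (thresholds above are chosen to fit this small sample).
SAMPLE = """
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50612->82.242.230.108:45653, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.33.253:50613->121.7.198.94:1500, len 52
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.250:45925->172.217.22.74:443, len 60
18:27:24 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8, proto TCP (SYN), 10.51.24.254:55371->151.80.108.86:11123, NAT (10.51.24.254:55371->78.2.110.154:55371)->151.80.108.86:11123, len 60
18:27:26 firewall,info forward: in:ether2 out:pppoe-out1, src-mac xx:xx:xx:xx:xx:e8 proto TCP (SYN), 10.51.33.253:50611->75.140.79.1:6881, len 48
""".strip().splitlines()
```

Run on a full log export, `suspects(summarize(lines))` lists the internal hosts worth inspecting first; the MAC field is the router's own upstream interface in this log, so the IP is the only useful per-client key here.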

markan 02.10.2016. 00:51

Would this maybe help?

Code:

http://wiki.mikrotik.com/wiki/DoS_attack_protection

Mac_F 02.10.2016. 21:06

1. how much traffic do you have on average / at peak
2. do you need this NAT logging? try turning it off and see how it behaves
3. enable fastpath if you don't have it on

