For those experiencing increased pings and reduced upload speed but download speed (especially speedtest) seem mostly unaffected. Here's another possibility. That your router is being utilised as a zombie in an Amplification Attack.



The above is a Mikrotik RB951Ui-2HnD router being used as a zombie in a DNS Amplification Attack. Firewall rules were disabled and routed rebooted. About 36hrs later the router was acquired and the attack started. They're not attacking you. They're using you to DDOS someone else.

Symptoms
1) Blinking WAN light when no-one is using the internet
2) Increased pings
3) Slow upload but normal download speeds (from above you can see upload is maxed out)
4) Reboot solves the problem until hours or days later. (when the bad guys reacquires your new IP address)
5) Thousands of connections to port 53 DNS. If your router runs out of memory, it slow down or locks up eventually.
6) High CPU usage. Usually when this happens, your router web config page takes awhile to load.

If your router is powerful enough, you might not even notice it.

Solution is to lock down your router. At the very least deny access to port 53 DNS from WAN.
Ensure that your router has a good password or disable remote management.

Notes:
Stock TM router RG4332 - has port 53 opened to the WAN but is safe from DNS amplification attack as it's not a recursive DNS resolver. Not sure if this can be changed in router configuration page.
Mikrotik: Ensure that you have an input-chain-drop-filter for your WAN interface, pppoe-out1 not ether1-gateway if you're using UniFi or Streamyx.
Asus: tbd
DLink: tbd
TPlink: tbd
Apple: tbd
Ubiquiti:
DD-WRT:
Open-WRT:

Other Forms of Amplification Attacks:
NTP UDP 123
SNMP

This post has been edited by soonwai: Feb 21 2017, 02:02 AM

not sure is it the same, but experience it before year ago.

https://forum.lowyat.net/index.php?showtopic=3379020

I am using RB2011UiAS-2HnD

For this issue, i use command as below



Basically it will drop all DNS request except from LAN

This post has been edited by royal_jelly: Feb 4 2016, 12:56 AM

Looks like the same thing. DNS amplification has been around for some time now. Still quite popular probably because many routers are vulnerable to it.

OpenWRT might victim of DNS amplification if didn't configure correctly

Me too!

Mine is quite similar but mine is just to drop from pppoe interface.



This post has been edited by soonwai: Feb 4 2016, 03:45 PM

how about tomato firmware?

I'm not sure about default config of either OpenWRT or Tomato. But I'm sure it's not a problem to lock both down.

The default OpenWRT dnsmasq shouldn't be "listen" to DNS WAN request, but sometimes there is bug/mistakes need attention of the user.

I'm using OpenWRT on 1043ND, currently port scan on 53 shows 'timed out/no service'
This means that all should be good right?

Yep, that's good.

You can also test using http://openresolver.com/

or just do this from the WAN:

dig @your.router.ip.address bbc.com

The dig will fail if your DNS is not running on the WAN side.

Okay, it seems like no problems. Thanks for the help!