
The above is a Mikrotik RB951Ui-2HnD router being used as a zombie in a DNS Amplification Attack. Firewall rules were disabled and the router rebooted. About 36hrs later the router was acquired and the attack started. They're not attacking you. They're using you to DDOS someone else.
Symptoms
1) Blinking WAN light when no-one is using the internet
2) Increased pings
3) Slow upload but normal download speeds (from above you can see upload is maxed out)
4) Reboot solves the problem until hours or days later (when the bad guys reacquire your new IP address).
5) Thousands of connections to port 53 DNS. If your router runs out of memory, it slows down or locks up eventually.
6) High CPU usage. Usually when this happens, your router web config page takes a while to load.
If your router is powerful enough, you might not even notice it.
The solution is to lock down your router. At the very least, deny access to port 53 DNS from WAN.
Ensure that your router has a good password or disable remote management.
Notes:
Stock TM router RG4332 - has port 53 open to the WAN but is safe from DNS amplification attacks as it's not a recursive DNS resolver. Not sure if this can be changed in the router configuration page.
Mikrotik: Ensure that you have an input-chain drop filter for your WAN interface, pppoe-out1, not ether1-gateway, if you're using UniFi or Streamyx.
Asus: tbd
DLink: tbd
TPlink: tbd
Apple: tbd
Ubiquiti:
DD-WRT:
Open-WRT:
Other Forms of Amplification Attacks:
NTP UDP 123
SNMP
This post has been edited by soonwai: Feb 21 2017, 02:02 AM
Feb 3 2016, 02:47 PM, updated 9y ago
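As an added example (not the original poster's configuration), here is what the MikroTik input-chain drop filter described above looks like in RouterOS CLI. It assumes the WAN interface is pppoe-out1 as in the post; other interface names and the management-source address are placeholders.

```routeros
# Stop the router answering recursive DNS queries at all
# (the amplifier only exists if remote requests are allowed).
/ip dns set allow-remote-requests=no

/ip firewall filter
# Keep replies to connections the router itself opened.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
# Explicitly drop DNS from the WAN so nothing downstream can answer it.
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop \
    comment="drop DNS from WAN (udp)"
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop \
    comment="drop DNS from WAN (tcp)"
# Allow management only from the LAN (placeholder subnet).
add chain=input src-address=192.168.88.0/24 action=accept \
    comment="accept management from LAN"
# Everything else arriving on the WAN interface is dropped.
add chain=input in-interface=pppoe-out1 action=drop \
    comment="input-chain drop filter for WAN"

# Check for symptom 5: a flood of port-53 entries in the connection table.
/ip firewall connection print count-only where dst-port=53
```

If the last command still returns thousands of entries after the rules are in place, reboot once to flush the tracked connections and re-check.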