Dear blog reader, a few days back I faced a huge DNS amplification/reflection attack coming from MikroTik (MT) routers. The attack was launched from many different sources toward many different destinations.
The same attack has also been seen on routers from other vendors, such as D-Link DI-1705B, Buffalo, AirLive and Cisco (Cisco Systems, Inc. Firmware: 4608).
The attack is possible because the MT router answers DNS queries arriving on its WAN interface, i.e. it behaves as an open resolver. To stop it, apply the following TCP and UDP packet filters on destination port 53:
chain=input action=drop protocol=udp in-interface=ether1-WAN dst-port=53
chain=input action=drop protocol=tcp in-interface=ether1-WAN dst-port=53
The same rules can be maintained on other routers to block DNS on the WAN side and disable the open resolver.
Please note: in-interface should be your WAN port.
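The same two drop rules as they are entered at the RouterOS terminal, together with the DNS setting that stops the router answering queries for anyone but itself. This is an added example and not from the original post; ether1-WAN is the interface name the post uses and has to match your own WAN interface.

```routeros
# Drop DNS queries arriving on the WAN interface (UDP and TCP), the post's two rules.
/ip firewall filter
add chain=input action=drop protocol=udp in-interface=ether1-WAN dst-port=53 comment="drop WAN DNS (UDP)"
add chain=input action=drop protocol=tcp in-interface=ether1-WAN dst-port=53 comment="drop WAN DNS (TCP)"

# If the router does not need to resolve names for LAN clients, switch the resolver off
# entirely so it answers nobody; otherwise keep it on and rely on the drop rules above.
/ip dns set allow-remote-requests=no
```

Firewall rules are evaluated top to bottom, so the two drop rules must sit above any rule that accepts input from the WAN interface.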
How to check whether your IP is being used as an open resolver
# dig -t A jpudasaini.com.np @22.214.171.124
Note: replace the IP address after @ with your own public IP address. If the query returns an answer, your router is resolving names for the whole Internet and is an open resolver.
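The dig check above, written out as a small script so the verdict is explicit rather than read off dig's output. This is an added example and not code from the original post: it builds a minimal DNS A query by hand, sends it to UDP/53 of the address you give it and decides from the reply header (QR, RA, RCODE and the answer count) whether the host recursed on your behalf. The two sample replies at the bottom are constructed, not captured, so the parsing can be exercised offline; the name jpudasaini.com.np is the one the post queries.

```python
"""Check whether a DNS server answers recursive queries from the outside.

Added example, not part of the original post. A reply with QR=1, RA=1,
RCODE=0 and at least one answer means the host resolved the name for us,
i.e. it is an open resolver. No reply at all means the port is closed or
filtered, which is what the post's dst-port 53 drop rules should produce.
"""
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NOERROR = 0


def encode_name(name):
    """Encode 'jpudasaini.com.np' as DNS labels: \\x0ajpudasaini\\x03com\\x02np\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Standard query, RD=1 (ask the server to recurse), one question, type A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def parse_response(data):
    """Return the header fields that decide the open-resolver verdict."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = this is a response
        "ra": bool(flags & 0x0080),      # 1 = recursion available
        "rcode": flags & 0x000F,         # 0 = NOERROR, 5 = REFUSED, ...
        "answers": ancount,
        "size": len(data),
    }


def is_open_resolver(resp):
    """True when the server recursed on our behalf and returned at least one answer."""
    return resp["qr"] and resp["ra"] and resp["rcode"] == RCODE_NOERROR and resp["answers"] > 0


def amplification_ratio(query, resp):
    """Reply bytes per query byte: the size gap that makes an open resolver abusable."""
    return resp["size"] / len(query)


def check_resolver(ip, name="jpudasaini.com.np", timeout=3.0):
    """Send one query to ip:53 and return the parsed reply, or None if nothing came back."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    resp = parse_response(data)
    if resp["id"] != 0x1234:
        raise ValueError("reply transaction id does not match our query")
    return resp


# Constructed sample replies (not captured traffic) for offline checks.
_QUESTION = encode_name("jpudasaini.com.np") + struct.pack(">HH", QTYPE_A, QCLASS_IN)
# Open resolver: QR|RD|RA set, NOERROR, one A record (name is a pointer to the question).
SAMPLE_OPEN = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + _QUESTION
    + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
)
# Closed resolver that still replies: QR|RD set, RA clear, RCODE=5 REFUSED, no answers.
SAMPLE_REFUSED = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    reply = check_resolver(target)
    if reply is None:
        print(f"{target}: no reply on UDP/53 (closed or filtered)")
    elif is_open_resolver(reply):
        ratio = amplification_ratio(build_query("jpudasaini.com.np"), reply)
        print(f"{target}: OPEN resolver, {reply['answers']} answer(s), reply {ratio:.1f}x the query size")
    else:
        print(f"{target}: replied but did not recurse (rcode={reply['rcode']}, ra={reply['ra']})")
```

Run it as `python3 check_resolver.py <your public IP>` from a host outside your network; after the drop rules are in place the expected result is the "no reply" line, while a REFUSED reply shows the resolver is still reachable but declining to recurse.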