
I have a VPN with two routers (ZyXEL) connected in different places. It worked fine until yesterday; both routers have high outgoing traffic (the maximum from the provider).

In Port statistics I can see that LAN traffic is very low; only WAN is at about 10 Mbps (especially Tx). The VPN and internet connection are overburdened.

Port statistics - 1: WAN, 4: LAN

What can be the cause of this problem? What should I check?

Francis
  • For clarification, your issue is slow WAN (and hence the VPN) throughput? – Joe Feb 08 '16 at 21:06
  • It is not slow, but fully busy (especially upload). But the provider checked the connection and pointed out high upload traffic (105%). How is it possible that the WAN port has such high traffic when the LAN port is almost vacant? – Francis Feb 08 '16 at 21:27
  • And it sounds like it's only egress traffic from the ZyXEL. You'll have to capture the traffic to see the nature of the traffic. Check to see whether the firewall you have can capture and export to a pcap file, then deep-dive with Wireshark. Just curious, do you see the same traffic when connecting (say) a laptop directly to the ISP? – Joe Feb 08 '16 at 21:34
  • It could be an attack on the router coming from the Internet. Your router may be being used to attack someone else too. – David Schwartz Feb 08 '16 at 21:45
  • There seem to be [quite a few](http://www.cvedetails.com/vulnerability-list.php?vendor_id=859&product_id=0&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=58&sha=97388bc7f8623aca7de8f33de8a9fb4c4752c13e) Zyxel vulnerabilities out there. Are you up-to-date on your firmware? – EEAA Feb 08 '16 at 21:50
  • I tried Traffic Statistics, and I see more data on LAN, but higher traffic is still on the WAN port [link](https://ctrlv.cz/02Or). I see higher traffic in Port statistics, but normal traffic in Traffic Statistics. – Francis Feb 08 '16 at 21:53
  • Finally, the problem was a DDoS attack; I had a lot of requests to DNS (port 53). I blocked it in the firewall (WAN to ZyWALL) and now it's working fine. Is this the right procedure? Or should I do something else? Thank you for your previous comments! – Francis Feb 09 '16 at 16:46
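
An added example, not part of the original thread: once the router or a mirror port has exported a classic pcap, as suggested in the comments, a per-port and per-direction byte tally makes traffic like the port-53 requests reported above stand out. The function names, the documentation-range addresses and the constructed capture are assumptions for illustration; the sample models small port-53 requests answered with larger replies, which is one possible reason for high WAN Tx and not something the thread confirms.

```python
import struct
from collections import Counter

def summarize_pcap(data, wan_ip):
    """Sum on-wire bytes per (direction, protocol, service port) seen at wan_ip."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # skip non-IPv4 frames (VLAN tags not parsed)
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        direction = "tx" if src == wan_ip else "rx" if dst == wan_ip else "other"
        port = None
        first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
        if proto in (6, 17) and first_fragment and len(ip) >= ihl + 4:
            port = min(struct.unpack("!HH", ip[ihl:ihl + 4]))  # lower port = service (heuristic)
        totals[(direction, {6: "tcp", 17: "udp"}.get(proto, str(proto)), port)] += orig
    return totals

def udp_frame(src, dst, sport, dport, payload_len):
    """Constructed Ethernet+IPv4+UDP frame with zeroed MACs, checksums and payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + udp

def build_sample(wan="192.0.2.10"):
    """Constructed capture: three small port-53 requests in, three large replies out, one IKE packet."""
    frames = []
    for host in ("198.51.100.7", "198.51.100.8", "203.0.113.9"):
        frames.append(udp_frame(host, wan, 40000, 53, 40))
        frames.append(udp_frame(wan, host, 53, 40000, 1200))
    frames.append(udp_frame(wan, "203.0.113.5", 500, 500, 100))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for key, size in summarize_pcap(build_sample(), "192.0.2.10").most_common():
        print(key, size)
```

On a real capture, pass the file's bytes and the router's WAN address; a large `("tx", "udp", 53)` total next to a small `("rx", "udp", 53)` total means the device itself is answering port-53 requests arriving from the WAN side.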
