Hi all,
I manage a small network for a non-profit and this evening they lost connectivity.
Upon further inspection both the primary DNS (their ISP) and the secondary DNS (8.8.8. are showing up on the DDOS blocked list based on my firewall rules in the Mikrotik router. I've never seen the DNS IPs show up there before and it's been years.
Looking at 'connections' in the firewall I see that a rogue IP 192.168.100.10 is doing a lot of talking (or something) with both DNS servers. I say it's rogue because my network is all 10.0.0.x.
Not sure how to find the rogue device so I figured it would be easy to block it from the network entirely, especially since it's not actually a part of our IP range or subnet. But, upon trying various things based on Googling (mostly firewall rules to drop the traffic) I'm not able to stop this from happening so they are still completely down.
What can I do? Any help would be much appreciated as they are obviously not very happy.
Btw, the network is super simple.. just router to central switch and then out to users, nothing fancy at all and nothing has been changed for a long time.
Help!!!
Thanks in advance,
Dan
Statistics: Posted by danriis — Tue Mar 05, 2024 1:03 pm