Hello,
At the moment I have a sort of TCP SYN flood coming to my router.
It is fairly easy to make rules to detect and tarpit a flood coming from a single IP (just according to the manual: http://wiki.mikrotik.com/wiki/DoS_attack_protection).
But what should I do when the attack comes from different IPs (probably just proxied), but the MAC address of the attacker always remains the same? I.e., how do I construct something like this rule:
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
but for MAC addresses?
Thanks!
The mac address you see is probably the mac address of your gateway, so you really should not add it to the blacklist 
You can't work with MAC addresses over the internet, IPs are the way to go.
I’m pretty sure that this is a different MAC, not any of my own. At least I can’t find any device in my network with that MAC, and the gateway has a different MAC address.
Firewall hit looks like:
Dropped input: in:ether1-gateway out:(none), src-mac AA:BB:CC:DD:EE:FF, proto TCP (SYN), 94.79.33.21:5093->123.456.789.100:22, len 52
Where AA:BB:CC:DD:EE:FF is (probably) the attacker’s MAC (none of my devices has that MAC address) and 123.456.789.100 is my IP. Also, I can’t see that MAC anywhere in the logs except in relation to that flood. I know it looks a bit strange.
Well, it seems you won't believe what I say, so I think I can't help you.
The mac address I am talking about is not one of yours but the gateway, so probably it is one address of your ISP.
You will also see it at IP > ARP.
Regardless of whether you believe what I said before, there are no MAC address lists.
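An added example, not part of any post in this thread: a Python sketch that reads firewall log lines in the format quoted above and shows why a src-mac seen with many unrelated source IPs is the upstream next hop rather than an attacker identity, and which source IPs exceed a SYN count and are candidates for a per-IP address list. The sample lines, thresholds and function name are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the RouterOS firewall log format quoted in the thread.
LOG_RE = re.compile(
    r"in:(?P<iface>\S+) out:\S+, src-mac (?P<mac>[0-9A-Fa-f:]{17}), "
    r"proto TCP \(SYN\), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Dropped input: in:ether1-gateway out:(none), src-mac AA:BB:CC:DD:EE:FF, proto TCP (SYN), 192.0.2.10:5093->203.0.113.5:22, len 52
Dropped input: in:ether1-gateway out:(none), src-mac AA:BB:CC:DD:EE:FF, proto TCP (SYN), 192.0.2.10:5094->203.0.113.5:22, len 52
Dropped input: in:ether1-gateway out:(none), src-mac AA:BB:CC:DD:EE:FF, proto TCP (SYN), 192.0.2.10:5095->203.0.113.5:22, len 52
Dropped input: in:ether1-gateway out:(none), src-mac AA:BB:CC:DD:EE:FF, proto TCP (SYN), 198.51.100.7:40112->203.0.113.5:22, len 52
Dropped input: in:ether1-gateway out:(none), src-mac AA:BB:CC:DD:EE:FF, proto TCP (SYN), 198.51.100.8:40113->203.0.113.5:22, len 52
Dropped input: in:bridge-local out:(none), src-mac 02:00:00:00:00:01, proto TCP (SYN), 192.168.88.50:51000->192.168.88.1:22, len 52
system,info router rebooted
"""

def summarize(log_text, syn_threshold=3, mac_ip_threshold=2):
    """Return (MACs fronting many source IPs, source IPs with many SYNs)."""
    ips_per_mac = defaultdict(set)
    syns_per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a TCP SYN firewall hit in the expected format
        ips_per_mac[m["mac"].upper()].add(m["src"])
        syns_per_ip[m["src"]] += 1
    # A MAC only identifies the previous layer-2 hop. One MAC carrying several
    # unrelated source IPs is a router (here the ISP gateway), not one host.
    next_hop_macs = sorted(
        mac for mac, ips in ips_per_mac.items() if len(ips) >= mac_ip_threshold
    )
    # Source IPs are what a per-IP address list can act on.
    noisy_ips = sorted(ip for ip, n in syns_per_ip.items() if n >= syn_threshold)
    return next_hop_macs, noisy_ips

if __name__ == "__main__":
    macs, ips = summarize(SAMPLE_LOG)
    print("MACs that are upstream next hops (do not block):", macs)
    print("Source IPs over the SYN threshold:", ips)
```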
Okay, now I got it, thanks.
It’s just a misunderstanding (and lack of knowledge on my side): when you said “your gateway”, I understood it as “your mikrotik device”, not “your ISP gateway”. Yes, you are right, it really is my ISP gateway, thanks for the clarification and the way to check it.
Have a nice day!
I have the same problem. Could you please help me? I read the above and still cannot understand how to resolve it.