Blocked IP in Firewall Filter, Raw, NAT but still getting packets and connections from it

Hello,

I wanted to make DDoS protection for my router by detecting the IP of the DDoSer and blocking that IP from sending any type of connection and traffic to the router.
I tried to block all connections from it with these simple filter and raw rules:

IP>Firewall>Raw rule:

/ip firewall raw add chain=prerouting src-address-list=ddoser action=drop

IP>Firewall>Filter rule:

/ip firewall filter add chain=forward src-address-list=ddoser action=drop

IP>Firewall>NAT rule:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=22 to-addresses=192.168.88.20 to-ports=22

I have all service ports blocked so I wouldn’t say that is a problem.

I asked my friend to start a test DDoS attack. The router blocked the connection, and there was no connected IP in the connections list, but my ether1 and pppoe-out1 interfaces were completely loaded due to the DDoS attack. I tried torching my pppoe-out1 interface (I get internet access and a public IP from it) with all collect boxes checked. I saw that every connection it sends gets accepted. I don’t know how this is possible, but I will be grateful for any type of tip. Sorry for my bad English, I used Google Translate… Also I’m a beginner and don’t know much about MikroTik. Thanks in advance.

Three things to check or keep in mind:

  1. The address list ddoser has to be populated somehow. Your configuration pseudo-code doesn’t show how/if that’s done.
  2. The IPv6 firewall is completely separate from the IPv4 firewall … that includes address list(s).
  3. A DDoS attack can’t be fully remedied by your firewall. Even if your firewall does block/discard ingress packets without replying to them, you can’t block those ingress packets from using up your uplink. Only an upstream router/firewall (probably operated by your ISP) can do that.

In short,
a. Drop the idea that your router will save you; if the ISP cannot, you are SCREWED. :slight_smile:
b. Simplify - drop all at the end of the input and forward chains (on the input chain ensure you have an admin access rule in place from the LAN first).
c. Don’t run servers on your network to avoid attracting unwanted attention, and if you do:
   a. ensure they are password protected
   b. ensure they are encrypted connections
   c. ensure they are limited to specific external WAN IPs.
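The two replies above make the same point from two sides: the ddoser list is never populated in the original config, and the filter chains never end in a default drop. The following RouterOS configuration is an added example written for this thread, not anything posted by the original poster or shipped by MikroTik. It shows one way to populate the list (a connection-limit rule with add-src-to-address-list), the early drop in raw, an admin-access rule placed before the default drop, and a separate IPv6 list. The interface name pppoe-out1, the LAN subnet 192.168.88.0/24, the threshold of 100 concurrent connections, the 1d timeout and the list name allowed-admins are all assumed example values. As the third point of the first reply says, none of this stops the flood from filling the uplink; it only stops the router from tracking and answering it.

```routeros
# Added example configuration (not from the thread). Assumptions:
# WAN is pppoe-out1, LAN is 192.168.88.0/24, thresholds are illustrative.

/interface list add name=WAN
/interface list member add list=WAN interface=pppoe-out1

# 1. Drop already-flagged sources before connection tracking sees them.
/ip firewall raw add chain=prerouting src-address-list=ddoser action=drop comment="drop flagged sources early"

# 2. Admin access from the LAN goes FIRST, so the default drop below cannot lock you out.
/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept comment="admin access from LAN"
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop

# 3. Populate the list: a WAN source holding more than 100 concurrent TCP connections
#    to the router is added to "ddoser" for one day (100 and 1d are assumed values).
#    add-src-to-address-list does not terminate, so the next rule drops the packet.
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp connection-state=new connection-limit=100,32 action=add-src-to-address-list address-list=ddoser address-list-timeout=1d comment="flag flooders"
/ip firewall filter add chain=input src-address-list=ddoser action=drop

# 4. Default drop at the end of the input chain.
/ip firewall filter add chain=input action=drop comment="default drop input"

# 5. Forward chain: LAN out, replies back, dst-nat'd services only from an allow-list
#    (allowed-admins is an assumed list of the external IPs that may reach the forwarded port),
#    then default drop.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward src-address-list=ddoser action=drop
/ip firewall filter add chain=forward src-address=192.168.88.0/24 action=accept comment="LAN to anywhere"
/ip firewall filter add chain=forward in-interface-list=WAN connection-nat-state=dstnat src-address-list=allowed-admins action=accept comment="forwarded services, allow-listed sources only"
/ip firewall filter add chain=forward action=drop comment="default drop forward"

# 6. IPv6 has its own firewall and its own address lists; the IPv4 list above does not apply here.
/ipv6 firewall raw add chain=prerouting src-address-list=ddoser6 action=drop comment="separate IPv6 list"
```

Rule order is what makes this safe: in RouterOS each add appends to the chain, so the LAN admin rule must be entered before the default drop, and the connection-limit rule must sit before the drop that acts on the list it fills. To see the list being populated during a test, watch /ip firewall address-list and the counters on the "flag flooders" rule rather than the connections table, since raw drops never create a tracked connection.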