Blocking DNS amplification DDoS that is using your routerboard

Today my ping on my MikroTik routerboard grew to 350ms and the CPU load to 100%.

After adding these 2 firewall rules the problem was eliminated. It will be useful for blocking this attack against the MikroTik DNS server.

/ip firewall filter add action=add-src-to-address-list address-list="dns flood" address-list-timeout=1h chain=input dst-port=53 in-interface=ether1_WAN protocol=udp comment="list every source sending UDP 53 to the router on WAN"

/ip firewall filter add action=drop chain=input dst-port=53 in-interface=ether1_WAN protocol=udp src-address-list="dns flood" comment="drop UDP 53 from listed sources"

Unless I am mistaken, your first rule will add all addresses that make DNS requests on ether1_WAN. There doesn't seem to be any metering. Therefore, it would be simpler to just drop all requests on port 53. Either way, you have completely removed your ability to host DNS services behind your firewall.


To speed things up you do not need to create an address list, as the router first checks whether or not to add the src address to the list and then checks the list again in the second rule. Just drop the incoming traffic to port 53 on WAN.
I have read that some clients switch from UDP to TCP when 53 over UDP has no effect, so you can add a rule for dropping incoming TCP port 53 traffic as well.

Drop port 53 UDP from WAN and tarpit TCP.
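The advice in the replies above (skip the address list, drop UDP 53 from WAN, tarpit TCP 53) pulled together into one RouterOS snippet. This is an added example, not configuration from any poster; the interface name ether1_WAN comes from the first post, everything else is an assumption to adjust for your own router.

```routeros
# Added example, not part of the original thread. Assumes the WAN interface
# is named ether1_WAN, as in the first post.

# 1. Root cause: the router's own DNS cache answering anyone on the Internet.
#    If WAN clients do not need the router as a resolver, switch that off.
#    The firewall rules below then only have to absorb the packets.
/ip dns set allow-remote-requests=no

# 2. Drop UDP 53 arriving on WAN outright. No address list: the drop is one
#    match instead of a list insert plus a list lookup per packet. Queries
#    from LAN interfaces never match in-interface=ether1_WAN, so local
#    resolution keeps working.
/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface=ether1_WAN action=drop comment="DNS flood: drop UDP 53 from WAN"

# 3. Tarpit TCP 53 from WAN. The router answers the SYN with SYN/ACK and then
#    holds the connection without passing it anywhere, so a client that falls
#    back to TCP ties up its own socket rather than your CPU.
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface=ether1_WAN action=tarpit comment="DNS flood: tarpit TCP 53 from WAN"

# 4. Verify the rules are actually matching: packet and byte counters per rule.
/ip firewall filter print stats where comment~"DNS flood"
```

Add the two filter rules above any general "accept established/related" or "accept all from WAN" rule in the input chain, otherwise they never see the traffic; the counters from step 4 are the quick way to confirm the ordering is right.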

Easy to do, but first you need to take care of those dynamic IP addresses… You can use them dynamically, but you will have to go into both MikroTiks each time they change and update the info for the VPN tunnel. I went the free route to take care of this issue for me. Check out no-ip.com and get yourself a free DNS name associated with your dynamic IPs.
Tunnels really are simple. Look on YouTube through Greg Sowell's MikroTik videos; he has some easy tutorials.