Good idea (raw table), and I will do it. But as I wrote, when the problem occurs, within one second the console and WinBox become unavailable. And I think the number of connections is not the problem, please look at the attachments. Today something happened right before 2 pm. I see a disconnected client in the log, and holes in the graph. And right after that, information about blocked DDoS appears in the logfile - up to 5 pm. And only at the beginning was something wrong with the router - after the first shock it can handle all connections without any problems.

And at least - when I catch the problem “live”, conntrack was never too big. That’s why I’m looking at the order of rules in the antiddos chains.
Chupaka, right after my last post I moved the rule:
chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed log=no log-prefix=""
before the address list checking. And I did the same with the connlimits chain. Since then I have had 10 connlimit and 11 ddos actions - maybe it’s a coincidence, or the attacks weren’t so big, but I haven’t had any problems with the router. As I said before, I think there is some internal problem with address lists and lots of connections in a short time.
Some packet stats (only with the SYN flag) after my changes:
connlimit - drop actions - 232k
connlimit - add to block list - 11
antiddos - drop actions - 5k
antiddos - add to ddoser/ddosed - 6.
So I think it’s better to permanently block some hosts, and check them once in a while, than to check them with every packet. It shouldn’t be a huge problem, but as I said, I think there is some performance problem with address lists.
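As an added example (not the poster's own configuration), here is one way to express the ordering described in this post in RouterOS firewall syntax: the drop for already-listed ddoser/ddosed pairs sits first, so only new, unlisted flows reach the detection rules. The chain name detect-ddos, the dst-limit threshold and the 10-minute list timeouts are assumptions, not values from the post.

```routeros
/ip firewall filter
# 1. Drop new connections from hosts that are already on the lists first,
#    so listed attacker->victim pairs never reach the costlier checks below.
add chain=forward connection-state=new \
    src-address-list=ddoser dst-address-list=ddosed action=drop \
    comment="antiddos: drop already-listed pairs"

# 2. Only unlisted new connections are sent to the detection chain.
add chain=forward connection-state=new action=jump jump-target=detect-ddos

# 3. Detection chain (assumed threshold): a source/destination pair that stays
#    under 32 new connections per 10 seconds returns without any action.
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return

# 4. Pairs above the threshold are listed (assumed 10m timeout); their next
#    packet is dropped by rule 1 without the limit being evaluated again.
add chain=detect-ddos action=add-dst-to-address-list \
    address-list=ddosed address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list \
    address-list=ddoser address-list-timeout=10m
```

Rule counters on the first drop rule versus the detection chain show how much traffic is being handled by the cheap list match rather than the per-packet limit check.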