I have just extended my script this morning do something like with subnets.
http://forum.mikrotik.com/t/feature-request-blocking-a-special-kind-of-ddos/133917/15
Earlier in the thread I explain the other bits.
Update: using limit is much easier for you as long you use that β!β. 