Configuration to block users that try to access the router on non-open port(s)

Hi jotne, care to send me an email and perhaps we can chat, or at least type-chat via Skype or some other method…

Send me your mail on leroh22700@tingn.com


Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk

Here is a port scan over 6 months on a test router.
You can see that scanning of ports goes in waves. Last week 16739 and 50093 were new ports that many IPs tried to scan.
The graph shows port scans x100 with only unique IPs per day. So yesterday 12 000 IPs tried port 16739 on the router.
(attached image: port.png)

Sent but no answer, confirm received?

Hmm, the temp email does not work. Try one more time with this one: fifexoh151@fandua.com

@Jotne… the mail is on the user forum profile…

I have not seen any way to get in contact with others using forum email without posting it publicly. Private messages on the forum are turned off. phpBB does support it.

What I mean is @anav has written his mail on his user profile, just click on his name… :wink:

Now also the signatures are disabled…

Remember that if only one BOT finds one open door (or is hung with a tarpit) it can still be the cause of a DDoS attack.

Or a DDoS attack starts for no reason, no matter whether a previous scan attempt was done.

The problem of automatically adding an IP address to a list is that it may just cause the router to crash due to running out of memory,
because too many IPs get added to the list in the event of a DDoS attack.
And now with IPv6…
The tarpit can also be counterproductive, because it causes connection initialization packets to be retransmitted continuously for each connection under tarpit.
If there are thousands of remote DDoSers, the remote packet retransmission for the tarpit can duplicate the attack…

Probably the classic drop-all-at-the-end is more suitable for a DDoS attack, if the bandwidth is sufficient or the ISP does his own work…

As an ISP I have a mitigation center.
If for some reason my network is under attack, the traffic, instead of the usual 3ms latency, goes to 35/45ms because all of it is routed through the Cloudflare center, which has the power to filter any DDoS attack…
I can't reveal other details because of an N.D.A., but ask your ISP to use similar features…

So rextended, can you say in conclusion that
using RAW or using TARPIT is actually useless in a REAL SCENARIO for a DDoS attack?

So regardless of any particular router setup, one config is no better than another, is another way of saying it.

If we can agree on that, then let's ignore that scenario, as it doesn't matter if we DO or we DO NOT implement jotne's schema.
So let's focus on kiddie hackers or something less than a botnet attack.

Is there space, then, for jotne's setup? In summary, there is a subset of situations where the approach is viable (useful and effective without loading the router).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Let me put it in terms of understanding. :slight_smile:
So if drinking Italian wine won't stop colon cancer but it will prevent pimples, should we drink it?

RAW can be useful only for blocking fixed address lists (not real-time, but upgradeable)
or fixed services, if the device on the LAN has public IPs and it is wanted to limit those services to fixed external IP pools only.

Tarpit cannot be compared with RAW; it is like comparing apples with bottles.

We have that embedded in our backbone too (it stays "local" with us). When customers order "lines" with us they can easily purchase volumetric/protocol/application DDoS protection.
Pricing is based on the capacity of their line.
We have seen some pretty big attacks over the last years. Rapidly increasing in power too!
No way you can deal with that as a customer with your "on prem" router :wink:

Sometimes I think you are Sindy in disguise............. or his twin brother. SO OBTUSE and TECHNICAL........
Never giving me the answers I am looking for LOL

PS

It was never the intention to make this a DDoS prevention tool.
Small home routers do not have enough power to handle a big attack.

But if we can make this better, it may help more people.

So what are we preventing or improving upon, with enough difference in CPU, performance, customer experience, that the
add action=drop chain=input comment="Drop all Else" rule does not handle already adequately???

Simple answer.

If you try a port on my router, why the hell should you see any other stuff on my router?
Try any port that is not open and you will be blocked for a set amount of time.
This will prevent the user/script from trying any other attack for that period.

This may be how a port scanner script works.

  1. Scan a range of ports (or all) on a router.
  2. Make a list of the open ports.
  3. Use different tools for attacking the open ports.
    a. RDP
    b. HTTP(s)
    c. FTP
    d. SSH
    e. other
  4. Enter and misuse the router, or destroy it.

Why else do I see 1000-10000 different IPs a day trying ports that are not open on my router?
Port blocking is not the final solution to prevent attacks, but it may help just a bit.
Other security precautions are also needed…

Okay, so we are saying there are enough fly-by-night hackers, not associated with botnets, that ping off public IPs… that piques your interest.

Again the question I have is…
So what are we preventing or improving upon, with enough difference in CPU, performance, customer experience, that the
add action=drop chain=input comment="Drop all Else" rule does not handle already adequately???

Both of you mix concepts.

For example:

open port(s).

Where? On the RouterBOARD/RouterOS?
The simplified raw/prerouting → conn-track → mangle/prerouting → dst-nat → routing → mangle/INPUT → filter/INPUT chain is involved.

Where? On one device inside the LAN?
The simplified raw/prerouting → conn-track → mangle/prerouting → dst-nat → routing → mangle/FORWARD → filter/FORWARD chain is involved.

If drop-all-at-the-end is present on both chains, the rules that leave the ports open must be declared BEFORE it.

And a "scanner" can detect those open ports and call all its friends for the party attack.

Instead, if one is not so idiotic as to leave 80 open on RouterOS or on the internal LAN, when some scanner tries to open port 80 it goes directly on the blacklist,
but that blacklist acts directly on raw/prerouting, before both the input and forward chains,
and this deprives the port scanner of the ability to see any open ports in TCP and UDP, the ping, etc.
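Jotne's "probe a closed port and you are blocked for a set time" idea and rextended's point that the blacklist has to act in raw/prerouting, ahead of both the input and forward chains, written out as one RouterOS configuration. This is an added example, not a configuration posted in this thread by either of them. It assumes interface lists named WAN and LAN already exist, that SSH (from a trusted range only) and IPsec are the only services the router itself offers to the Internet, that published LAN services are dst-nat'ed, and that 203.0.113.0/24 (a documentation range) stands in for the admin addresses; the list names, timeouts and the IPv6 raw table (RouterOS v7) are likewise assumptions for the illustration.

```routeros
# Added example, not from the thread. Constructed assumptions: interface
# lists "WAN" and "LAN" exist; 203.0.113.0/24 is the trusted admin range.
/ip firewall address-list
add list=admin-allowed address=203.0.113.0/24 \
    comment="constructed: trusted admin range, never blacklisted"

# 1. Blacklist enforcement in raw/prerouting: before conntrack, before the
#    input chain (router services) and before the forward chain (dst-nat'ed
#    LAN hosts). A listed scanner gets no answer at all, not even ping.
/ip firewall raw
add chain=prerouting in-interface-list=WAN src-address-list=port-scanner \
    action=drop comment="blacklisted scanners: drop before everything"

# 2. Input chain. Order matters: every intentionally open port is accepted
#    BEFORE the listing rule, and "Drop all Else" stays at the end.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept
add chain=input in-interface-list=WAN protocol=tcp dst-port=22 \
    src-address-list=admin-allowed action=accept comment="SSH from admins only"
add chain=input in-interface-list=WAN protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / IPsec NAT-T (example open service)"
# Any other NEW connection from WAN is a probe of a closed port (ping
# included; accept protocol=icmp above this line if you want to answer it).
# The timeout bounds both the list size (memory) and the lockout; the admin
# range is exempt so a typo in an accept rule cannot lock you out.
add chain=input in-interface-list=WAN connection-state=new \
    src-address-list=!admin-allowed action=add-src-to-address-list \
    address-list=port-scanner address-list-timeout=1d \
    log=yes log-prefix="portscan" \
    comment="closed port probed: blacklist source for 1 day"
add chain=input action=drop comment="Drop all Else"

# 3. Forward chain, for LAN hosts reachable from WAN. Published (dst-nat'ed)
#    services are accepted first; anything else new from WAN (e.g. a probe at
#    a LAN host with a public IP) lists the source, then drop all else.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    connection-state=new action=accept comment="published services"
add chain=forward in-interface-list=WAN connection-state=new \
    src-address-list=!admin-allowed action=add-src-to-address-list \
    address-list=port-scanner address-list-timeout=1d \
    log=yes log-prefix="portscan" comment="probe at LAN host: blacklist"
add chain=forward in-interface-list=WAN action=drop \
    comment="drop all else from WAN"

# 4. IPv6: same split. Assumes a RouterOS v7 build with /ipv6 firewall raw.
#    ICMPv6 must stay accepted or neighbor discovery and PMTUD break.
/ipv6 firewall raw
add chain=prerouting in-interface-list=WAN src-address-list=port-scanner6 \
    action=drop comment="blacklisted IPv6 scanners"
/ipv6 firewall filter
add chain=input protocol=icmpv6 action=accept
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept
add chain=input in-interface-list=WAN connection-state=new \
    action=add-src-to-address-list address-list=port-scanner6 \
    address-list-timeout=1d comment="closed port probed (IPv6)"
add chain=input action=drop comment="Drop all Else (IPv6)"
```

Two things the thread's objections translate into here. The `address-list-timeout` is what keeps the list bounded; without it the list grows for as long as the scanning lasts, which is the memory problem rextended raises. For IPv6 that bound is weaker, because a scanner that rotates source addresses inside one /64 adds one /128 entry per address, so a shorter timeout for `port-scanner6` is reasonable. Tarpit is deliberately absent: the listing rule answers nothing, so there is nothing for the scanner to keep retransmitting into. The `log-prefix="portscan"` lines are what a Splunk (or any syslog) collector would key on to produce a unique-source-per-port-per-day view like the one jotne posted.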

Meow…

It is a language I don't speak, but
if I had to guess and read between the meows, I think rextended is saying that if you don't have any open ports, the additional rules are not required.

So if one does have ports open, LIKE MOST DO, and has a server going, are the additional rules at least helpful??

You know where I stand… MT produces a package for a zero-trust Cloudflare tunnel for all devices and the problem is solved.

Voila!