Configuration to block users that try to access the router on non-open port(s)

I thought that was obvious, so I have now added this to the first post:

“This is only needed if you have one or more ports open to the internet.”

:mrgreen: :mrgreen:



Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk

DDoS protection normally cannot be done at home, not because the router does not have enough CPU power, but because the line does not have enough capacity.
Typical home lines of 100-1000 Mbit/s are completely saturated by a typical DDoS attack, and no amount of filtering at the home side of the line will help.

But: be careful with the generic method of “put anyone who tries portscanning me on a blocklist”. I have quite some experience with that and I have regularly seen spoofed packets, e.g. a TELNET from 8.8.8.8 to your address; then you block 8.8.8.8, and when that happens to be your DNS service you DoS yourself.
(similar for other well-known services like 1.1.1.1)
This is especially bad when you filter in the “raw” chain, rather than in the forward/input chains after an “accept established/related” rule.

Too funny, that is a good one…
Well, we can all point fingers at who recommended that firewall list thing!!!

I have used it on several routers for many years, and never have had any problem. Yes, you can spoof an IP, and yes, you can do DDoS.
Best thing to do is to not have internet at all :wink:
PS: the original idea is not mine, I just added more stuff to it like the tarpit, logging etc.


On one test site I run Cowrie (a honeypot server). There it's easy to see that all that hit the SSH and Telnet ports are not humans, but scripts that do the same all over.

  1. Search for open ports
  2. Find a suitable open server with a weak password.
  3. Download a script/bin file that works for the current OS (x86/arm/arc/mips etc.)
  4. Try to run the script and install a botnet on your host

This happens 200+ times a day.
So if you have an open port 443/22/21, you need to protect yourself. If not, someone will enter and abuse your system in one way or another.
Good passwords, patching/updating your server, limiting who can access (if that is possible), and port blocking.
By logging all that one IP tries, you can see that a port scan of some, or in the worst case all, ports is part of the attack.
I also do see that many blocked IPs are from Russia and China, but they are small in number compared to the US.
Percent of country IPs blocked in the last 7 days:

  1. 10.3% Philippines
  2. 9.8% South Africa
  3. 8.2% USA
  4. 6.9% India
     ...
  x. 2.0% China
     ...

Here are just the latest SSH/Telnet attacks.
[Image: Telnet.png]


Well, I only mention it because I have a similar autoblock system, and at some point I suddenly noticed 8.8.8.8 was blocked, and I started logging the traffic that caused blocks to see why that happened. Then I saw it happen for 1.1.1.1 as well.
It is not a DDoS. It is just some practical jokers who found that they can make people DoS themselves.
My internet network is a /16, so probably I catch way more junk than you do. But I do not have ports like telnet or ssh open to the internet anyway.

You can add an access list above the block filter list and add IPs that never should be blocked, like 8.8.8.8 etc.
But as an ISP, you would never know what IP clients are using as DNS etc., so it may not work perfectly.

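Putting the two suggestions from this thread together (the blocker belongs in the filter chain after an “accept established/related” rule, not in raw, and a never-block list sits above it), the following RouterOS script is an added example and not a configuration anyone posted in the thread. The list names `never-block` and `blocked`, the one-day timeout, the log prefix and the choice of 22 and 443 as the open ports are assumptions for illustration.

```routeros
# Added example (not from the thread): rule order that avoids the self-DoS
# described above. List names, timeout and open ports are constructed values.
/ip firewall address-list
add list=never-block address=8.8.8.8 comment="resolver that must never be blocklisted"
add list=never-block address=1.1.1.1 comment="resolver that must never be blocklisted"

/ip firewall filter
# 1. Filter chain runs after connection tracking, so replies to our own DNS
#    queries are 'established' and are accepted before any blocklist rule.
add chain=input action=accept connection-state=established,related \
    comment="1. accept established/related first"
# 2. Allowlist above the blocker: a spoofed SYN 'from' 8.8.8.8 to a closed
#    port is accepted here and never reaches the add-to-blocklist rule.
add chain=input action=accept src-address-list=never-block \
    comment="2. never-block list checked before the blocklist"
# 3. Hosts already on the blocklist are dropped, including on the open ports.
add chain=input action=drop src-address-list=blocked \
    comment="3. drop hosts on the blocklist"
# 4. The ports that are really open (assumed: 22 and 443).
add chain=input action=accept protocol=tcp dst-port=22,443 connection-state=new \
    comment="4. accept new connections on the open ports"
# 5. Any other new TCP attempt is a probe of a closed port: blocklist the
#    source with a timeout (so a spoofed entry expires) and log what triggered it.
add chain=input action=add-src-to-address-list address-list=blocked \
    address-list-timeout=1d protocol=tcp connection-state=new \
    log=yes log-prefix="blocked:" \
    comment="5. probe of a non-open port: add source to blocklist"
# 6. Drop the probe itself.
add chain=input action=drop connection-state=new \
    comment="6. drop everything else that is new"
```

Two things this order buys you: if rule 5 were placed in `/ip firewall raw` instead, it would run before connection tracking, so once a resolver landed on the blocklist its DNS replies would be dropped as well, which is the case the post above warns about; and the `address-list-timeout` plus `log=yes` mean a spoofed entry expires on its own and leaves a log line showing what caused the block, the same way the poster above found 8.8.8.8 and 1.1.1.1 in the logs. The allowlist only covers resolvers you know about, so, as noted for the ISP case, it limits the damage rather than removing the problem.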