DDoS Attack blocking my Own users - How to fix Users

Hello All.

I implemented a DDoS rule quite a long time ago, using this thread: https://help.mikrotik.com/docs/pages/viewpage.action?pageId=28606504

But for the past few days I have noticed that some of my users' IPs, i.e. the 172.16.x.x range, are being listed in the “DDoS Attackers List” (see attached file for reference). So I have just disabled this rule in IP Firewall → RAW tab so that users can still use the internet.

Question: I need to know whether there is any way I can fix this issue originating from the user end, or whether I can make a rule or a script so that my users in the 172.16.x.x range never fall into the DDoS attacker list?

Please suggest a workaround, if there is one.

The more important question is why are your users getting caught by your rules.
Suggest the rules need adjusting!!!
If all a hacker needs to do is mimic a WAN IP address…

Change in-interface-list to WAN instead, to detect only inbound traffic.

If you use the default rules, copy these policies before the last “drop input” rule:

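/ip firewall filter
# Send every new inbound connection to the detection chain
add action=jump chain=input comment="Dos protect" connection-state=new \
    jump-target=detect-ddos
# Traffic within the rate limit leaves the chain untouched
add action=return chain=detect-ddos dst-limit=32,42,src-and-dst-addresses/10s
# Never list the router's own address
add action=return chain=detect-ddos src-address=192.168.88.1
# Anything still in the chain exceeded the limit: record target and source
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    1w10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w10m chain=detect-ddos
/ip firewall raw
# Drop listed source/target pairs before connection tracking
add action=drop chain=prerouting comment=DDos dst-address-list=ddosed src-address-list=ddoser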
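
The WAN-only change suggested in this thread, written out against the rules above as an added example (not code from any poster or from MikroTik's documentation). It assumes an interface list named WAN already exists and contains the uplink interfaces; the list names ddoser and ddosed are the ones used in the reply above.

```routeros
/ip firewall filter
# Before (as posted): the jump has no interface match, so new connections
# from LAN clients are rate-checked too and busy users can end up listed.
#   add action=jump chain=input connection-state=new jump-target=detect-ddos

# After: only new connections arriving on a WAN interface enter the chain.
# Place this before the last "drop input" rule, as in the reply above.
add action=jump chain=input comment="DoS protect (WAN only)" \
    connection-state=new in-interface-list=WAN jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,42,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed \
    address-list-timeout=1w10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser \
    address-list-timeout=1w10m chain=detect-ddos

/ip firewall raw
# Scope the drop to WAN as well, so an entry that is already in the list
# cannot cut off a LAN client while the 1w10m timeout runs out.
add action=drop chain=prerouting comment="DDoS (WAN only)" \
    in-interface-list=WAN src-address-list=ddoser dst-address-list=ddosed

# Optional: clear entries collected while the unscoped rule was active.
/ip firewall address-list
remove [find list=ddoser]
remove [find list=ddosed]
```

Matching on the ingress interface rather than exempting 172.16.x.x by source address keeps the exemption from applying to WAN packets that merely carry a forged private source address.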

Hmmm… Sounds good… Will do and then see what happens.