2 nights in a row we got hammered for about 30 minutes with enough traffic to shut us down. Unfortunately it happened when I was not available to monitor what was happening. Since then I've implemented some new firewall rules and have been watching, but no further attacks have come in. I'm wondering if I am protected enough. Based on information I found here I wrote the following rules. I'm seeing a ton of addresses being added to the DDOS Attackers and DDOS Victims address lists: in a 10-minute period I have about 2000 in the attackers list and about 1500 in my victims list. The odd thing is that the vast majority of the Victims are addresses that I own and are routed to me, but are not currently in use or even in my router at this point. There's about 500 kbps of constant traffic involving these IPs. A quick glance with Torch shows most of the traffic is destined to many different ports, but I see a lot of 445, 33331, 3389, 1433, 80, 161, 4444. So are the following rules enough? Any advice?
/ip firewall filter
add action=add-src-to-address-list address-list="DDOS Router" \
    address-list-timeout=1d chain=input comment=\
    "Add DDOS Router Attackers to Address List" connection-limit=10,32 \
    disabled=no protocol=tcp
add action=tarpit chain=input comment="Tarpit DDOS Attacks on Router" \
    connection-limit=3,32 disabled=no protocol=tcp src-address-list=\
    "DDOS Router"
add action=drop chain=input comment="Drop invalid connections to Router" \
    connection-state=invalid disabled=no
add action=jump chain=forward comment="Jump New Connections to DDOS Chain" \
    connection-state=new disabled=no jump-target=DDOS
add action=return chain=DDOS comment=\
    "Limit New IP to IP Connections to 50/sec" connection-state=new disabled=\
    no dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list="DDOS Victims" \
    address-list-timeout=10m chain=DDOS comment=\
    "Add DDOS Victims to Address List" disabled=no
add action=add-src-to-address-list address-list="DDOS Attackers" \
    address-list-timeout=10m chain=DDOS comment=\
    "Add Attackers to Address List" disabled=no
add action=tarpit chain=forward comment=\
    "Tarpit New TCP Connections from DDOS" connection-state=new disabled=no \
    dst-address-list="DDOS Victims" protocol=tcp src-address-list=\
    "DDOS Attackers"
add action=drop chain=forward comment="Drop all other DDOS Connections" \
    connection-state=new disabled=no dst-address-list="DDOS Victims" \
    src-address-list="DDOS Attackers"
Looks like you're being attacked by T50. It is impossible to find the attacker. Blocking a T50 DoS attack is very difficult, because it uses many protocols at the same time to send the attack. This attack is so powerful and effective that it denied service to Twitter and Facebook last year, using 1.7 Gbits.
I only managed to defend against this attack using IPCop (a Linux distribution); every attempt I tried with MikroTik was unsuccessful. Well, if you get something working with MikroTik, let me know.
Please give some details about IPCop's config. Maybe I can adapt it to iptables/Ubuntu, which I use as an upstream proxy for my MTs.
You might have something on your network causing you to get DDoS'd, like an IRC server or something that has been hacked. Look for things to clean up in your own yard to prevent being a target.
Hard to keep up with when you're an ISP. Lots of people doing who knows what...
Question: this may be one of those top-secret, don't-ask-publicly kinds of things, but if I wanted to simulate an attack on my system to see how it holds up, how would I go about that? Are there reputable companies that offer services like that?
The action "tarpit" is useful against DoS, but not so much against DDoS, since the attacker will keep opening connections from new machines (infected, unsuspecting PCs); it is like cutting the heads off a dragon, new ones will just pop up.
Better not to waste your router's resources: use action drop and enable tcp-syn-cookie. Also work with your upstream provider if the traffic is too much to handle.
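As an added example (not the original poster's rule set and not from any of the replies), here is the same idea reworked along the lines of the advice above: drop instead of tarpit, SYN cookies enabled, and a rule that drops traffic to the prefixes the poster describes as routed but unused before it ever reaches the rate-limit logic. The list names "unused-space", "ddos-attackers", "ddos-victims" and "ddos-router", and the address ranges in the "unused-space" list, are assumed placeholders to replace with your own.

```routeros
# Added example, not the poster's configuration. List names and the
# 203.0.113.0/24 and 198.51.100.0/25 ranges are placeholders.

# SYN cookies are a global setting, not a firewall rule
/ip settings
set tcp-syncookies=yes

/ip firewall address-list
# prefixes that are routed to you but carry no hosts yet (constructed ranges)
add list=unused-space address=203.0.113.0/24 comment="routed but not in use"
add list=unused-space address=198.51.100.0/25 comment="routed but not in use"

/ip firewall filter
# --- input chain: protect the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="Accept established/related to router"
add chain=input action=drop connection-state=invalid \
    comment="Drop invalid to router"
add chain=input action=add-src-to-address-list address-list=ddos-router \
    address-list-timeout=1d protocol=tcp connection-limit=10,32 \
    comment="List sources holding more than 10 TCP connections to router"
# drop, not tarpit: a tarpit keeps state per attacker and a botnet has
# more attackers than the router has memory
add chain=input action=drop protocol=tcp src-address-list=ddos-router \
    connection-limit=3,32 comment="Drop excess TCP from listed sources"

# --- forward chain: protect customers and the address space behind the router ---
add chain=forward action=accept connection-state=established,related \
    comment="Accept established/related"
add chain=forward action=drop connection-state=invalid \
    comment="Drop invalid"
# nothing legitimate is destined for unused space; log a sample (rate limited
# so logging does not become its own load) and drop the rest
add chain=forward action=log dst-address-list=unused-space \
    limit=5,10:packet log-prefix="unused-space: " \
    comment="Sample traffic aimed at prefixes with no hosts"
add chain=forward action=drop dst-address-list=unused-space \
    comment="Drop traffic to prefixes with no hosts"
# sources already listed get dropped without re-entering the DDOS chain
add chain=forward action=drop connection-state=new \
    src-address-list=ddos-attackers dst-address-list=ddos-victims \
    comment="Drop new connections from listed attackers"
add chain=forward action=jump connection-state=new jump-target=DDOS \
    comment="Classify new connections"

# --- DDOS chain: within limits return, over limits list and drop ---
add chain=DDOS action=return dst-limit=50,50,src-and-dst-addresses/10s \
    comment="Allow up to 50 new connections/s per src-dst pair"
add chain=DDOS action=add-dst-to-address-list address-list=ddos-victims \
    address-list-timeout=10m comment="Record victim"
add chain=DDOS action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m comment="Record attacker"
add chain=DDOS action=drop comment="Drop the connection that exceeded the limit"
```

Two points behind the ordering: the unused-space drop sits above the jump so flood packets aimed at dead addresses never create address-list entries or connection-tracking state, which is exactly the traffic that was filling the victims list in the original post; and the rate-limited log rule gives a few lines per second with source, destination and port, enough to hand to the upstream provider when asking them to filter it closer to the source.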