Hi,
I want to set up a DDoS firewall filter rule.
The rule should allow 30 connections per IP address but in a specific time range. Let's say 30 new connections for 10 seconds; if they exceed that, the offending IP addresses should be blocked (added to a src-address list).
I know how to use the connection limit in the firewall filter rules but I want to add a time option.
I'm seeing some rules on the forum but I don't fully understand the limit option.
Could someone help explain these options?
dst-limit=50,50,src-and-dst-addresses/10s
limit=400,5
In the wiki I found an SMTP spam protection which blocks users for one day:
http://wiki.mikrotik.com/wiki/How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output
So I guess you need to change "address-list-timeout".
Edit:
So here is how I guess you should do it:
First, add everyone who triggers your conditions to a list for 10 seconds:
add action=add-src-to-address-list address-list=connection-limiter address-list-timeout=10s chain=forward comment="connection-limiter" connection-limit=30,32
Then drop the ones that are on your list:
add action=drop chain=forward src-address-list=connection-limiter
Please post your results.
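One way to express the "30 new connections per source in 10 seconds" rule set discussed above, as an added example that is not from the original post or the MikroTik wiki; it assumes RouterOS firewall filter syntax where dst-limit is written as count/time,burst,classifier/expire, and that the rules are evaluated top to bottom in the forward chain:

```routeros
/ip firewall filter
# 1. Sources already flagged are dropped first, so a listed host never
#    reaches the limiter again until its address-list entry expires.
add chain=forward src-address-list=connection-limiter action=drop comment="connection-limiter: drop flagged sources"
# 2. Budget per source address: 30 new TCP connections per 10 s, burst 30.
#    dst-limit=<count>/<time>,<burst>,<classifier>/<expire>
#      30/10s       -> refill rate of the bucket (30 tokens every 10 seconds)
#      30           -> bucket size, i.e. how many new connections may arrive at once
#      src-address  -> one bucket per source IP (src-and-dst-addresses would be one per pair)
#      /10s         -> idle time after which the per-source bucket record is discarded
#    Packets inside the budget are accepted here and never reach rule 3.
add chain=forward protocol=tcp connection-state=new dst-limit=30/10s,30,src-address/10s action=accept comment="connection-limiter: within budget"
# 3. Only packets that exhausted the budget get here: flag the source for 10 s.
#    address-list-timeout is what controls how long the block lasts (10s here;
#    the wiki's SMTP example uses 1d). add-src-to-address-list is passthrough,
#    so rule 4 drops this packet; later packets are dropped by rule 1.
add chain=forward protocol=tcp connection-state=new action=add-src-to-address-list address-list=connection-limiter address-list-timeout=10s comment="connection-limiter: flag offender"
add chain=forward protocol=tcp connection-state=new src-address-list=connection-limiter action=drop comment="connection-limiter: drop triggering packet"
```

Compared with the connection-limit=30,32 approach in the edit above, this counts new connection attempts over time rather than concurrently open connections, which is what the "30 in 10 seconds" requirement asks for; the two can be combined if both limits are wanted.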