DDoS Protection Firewall

phprush · September 9, 2023, 9:25am

Added firewall rule which got public domain

/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

It blocking our network block ip how allow/ignore specific ip block

anav · September 9, 2023, 2:16pm

Waste of time, drop the silly crap, your MT router cannot stop DDOS attack, only upstream organizations can.

phprush · September 10, 2023, 3:52pm

How protect then our microtik’s ip from ddos

anav · September 10, 2023, 4:21pm

Not the responsibility of the homeower. Its either your ISP or their ISP that should handle DDOS.
Enterprise business and ISPs subsribe to own or third party large scale anti DDOS programs that attempt to stop the DDOS from spreading worldwide by containing as close to source as possible.

phprush · September 11, 2023, 9:49am

I have own ip address assigned to microtik not ISP
BGP over l2tp

Larsa · September 11, 2023, 10:17am

MikroTik and other manufacturers of regular routers typically don’t have built-in ability to stop DDoS attacks. To address this issue you need to utilize external services like Cloudflare, Google Cloud Armor and similar solutions.