Hi
I have a network with servers which are not correctly configured and from time to time are used for this kind of attack. Unfortunately, I do not have access to configure them correctly. I have only a MikroTik router which I am able to configure, in the middle, between the internet and these servers.
Idea:
Make a FW rule which compares incoming and outgoing traffic per session for UDP port 53 connections, and if the outgoing amount of data is 1.5 times bigger than incoming, place the source address in a drop list.
Question:
How to write this rule?
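
The check described in the post, as an added example that is not part of the original post and is not RouterOS configuration: Python that totals UDP port 53 bytes per source address over constructed flow records and lists the sources whose outgoing bytes exceed 1.5 times the incoming bytes. The record layout and the `MIN_OUT_BYTES` floor are assumptions; the floor is included because ordinary DNS answers are often larger than their queries, so the ratio alone also matches normal clients.

```python
from collections import defaultdict

RATIO = 1.5           # threshold from the post: outgoing > 1.5 x incoming
MIN_OUT_BYTES = 4096  # assumption (not in the post): ignore small exchanges

# Constructed sample flow records, not captured traffic:
# (source address, protocol, server port, bytes in, bytes out)
# bytes in  = source -> server (queries)
# bytes out = server -> source (responses)
SAMPLE_FLOWS = [
    ("198.51.100.7", "udp", 53, 64, 3100),   # small query, large answer
    ("198.51.100.7", "udp", 53, 64, 3050),
    ("198.51.100.7", "udp", 53, 64, 3120),
    ("203.0.113.20", "udp", 53, 70, 130),    # ordinary lookups
    ("203.0.113.20", "udp", 53, 72, 88),
    ("192.0.2.44", "udp", 53, 60, 60),
    ("192.0.2.44", "tcp", 443, 500, 90000),  # not DNS, ignored
]


def dns_totals(flows):
    """Sum bytes in/out per source address for UDP port 53 only."""
    totals = defaultdict(lambda: [0, 0])
    for src, proto, port, b_in, b_out in flows:
        if proto == "udp" and port == 53:
            totals[src][0] += b_in
            totals[src][1] += b_out
    return dict(totals)


def build_drop_list(flows, ratio=RATIO, min_out=MIN_OUT_BYTES):
    """Return sources whose DNS responses outweigh their queries by `ratio`."""
    drop = []
    for src, (b_in, b_out) in sorted(dns_totals(flows).items()):
        # Both conditions must hold: enough volume, and amplified responses.
        if b_out >= min_out and b_out > ratio * b_in:
            drop.append(src)
    return drop


if __name__ == "__main__":
    for src, (b_in, b_out) in sorted(dns_totals(SAMPLE_FLOWS).items()):
        print(f"{src:15} in={b_in:6} out={b_out:6} ratio={b_out / max(b_in, 1):.1f}")
    print("drop list:", build_drop_list(SAMPLE_FLOWS))
    print("ratio only:", build_drop_list(SAMPLE_FLOWS, min_out=0))
```

With the floor set to 0, the constructed ordinary client `203.0.113.20` is also listed, which shows how the 1.5 ratio behaves on normal lookups.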