
My MT has been attacked now.
It camouflages from 1.X.X.X, 200 IPs connected to my MT.
How can I stop it?
I did the following:
add chain=input protocol=tcp src-port=0-65535 dst-port=80 action=drop comment="" disabled=no
but it is still connecting and established to my MT.
Who can help and give me some advice?
I add a note:
When the attack starts,
the WAN link RX rate reaches 15000~18000 packets/s.
It makes the MT CPU hang at 100% and the whole network goes down.
Nobody can help me?
Or is there no other way to handle such a situation?
Put a firewall rule like
add chain=forward dst-port=80 action=drop
Then sequence those of your IPs under the rule and before the rule.
The rule blocks port 80 connectivity for those IPs which are under the firewall rule, and those before the firewall rule are open.
Rafiq…
http://forum.linux.org.bd
I made it as follows:
add chain=forward src-address=10.127.0.0/16 action=accept comment="" disabled=no
add chain=forward src-address=192.168.0.0/24 action=accept comment="" disabled=no
add chain=forward src-address=0.0.0.0 dst-address=0.0.0.0 protocol=tcp src-port=0-65535 dst-port=80 action=drop comment="" disabled=no
But there is no effect.
No packets are dropped by this rule.
If those attacks are coming into your MT, you are going to want to set chain=input.
Look at the bottom of this page on how to protect your MT…
http://wiki.mikrotik.com/wiki/Securing_your_router
I made it before (I saw it in the wiki 1 year ago):
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
Same issue as before
Your best bet is something like the rules below.
Before you implement this, make sure your IP address is replaced with the one below:
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid connection packets" disabled=no
add chain=input connection-state=established action=accept comment="Allow established connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow related connections" disabled=no
add chain=input src-address=10.2.2.1 action=accept disabled=no
add chain=input action=drop comment="" disabled=no
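An added example, not part of any post in this thread: a small Python model of first-match filtering that runs one packet through the forward-chain attempt and through the input-chain rule set quoted above. The packet (source 1.2.3.4, router address 203.0.113.1) is constructed, and the model assumes that a packet matching no rule is accepted and that an address written without a mask means a single host.

```python
import ipaddress

def parse(text):
    """Turn one 'key=value ...' rule per line into a list of dicts."""
    return [dict(t.split("=", 1) for t in ln.split()) for ln in text.strip().splitlines()]

def matches(rule, pkt):
    """A rule matches only when every matcher it carries matches the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key.endswith("-address"):
            # Model assumption: an address with no /mask is a single host (/32).
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif key.endswith("-port"):
            lo, _, hi = want.partition("-")
            if not int(lo) <= pkt[key] <= int(hi or lo):
                return False
        elif pkt[key] != want:
            return False
    return True

def verdict(rules, pkt):
    """First matching rule decides; model assumption: unmatched packets are accepted."""
    return next((r["action"] for r in rules if matches(r, pkt)), "accept")

# Rules as posted in the thread (comment= and disabled= left out).
FORWARD_ATTEMPT = parse("""
chain=forward src-address=10.127.0.0/16 action=accept
chain=forward src-address=192.168.0.0/24 action=accept
chain=forward src-address=0.0.0.0 dst-address=0.0.0.0 protocol=tcp src-port=0-65535 dst-port=80 action=drop
""")
INPUT_RULES = parse("""
chain=input connection-state=invalid action=drop
chain=input connection-state=established action=accept
chain=input connection-state=related action=accept
chain=input src-address=10.2.2.1 action=accept
chain=input action=drop
""")

# Constructed packet: a new TCP connection to port 80 on the router itself.
ATTACK = {"chain": "input", "src-address": "1.2.3.4", "dst-address": "203.0.113.1",
          "protocol": "tcp", "src-port": 40000, "dst-port": 80, "connection-state": "new"}

if __name__ == "__main__":
    print("forward rules, packet to router:", verdict(FORWARD_ATTEMPT, ATTACK))
    print("same packet if it were forwarded:", verdict(FORWARD_ATTEMPT, {**ATTACK, "chain": "forward"}))
    print("input rules, attacker:", verdict(INPUT_RULES, ATTACK))
    print("input rules, 10.2.2.1:", verdict(INPUT_RULES, {**ATTACK, "src-address": "10.2.2.1"}))
```

The forward-chain rules never see a packet addressed to the router, and the 0.0.0.0 matchers would not match this source even on a forwarded packet, which is consistent with the zero drop counter reported earlier in the thread.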
Thank you for your great support.
I am trying it in my network now!
The hacker stopped his action,
so I need time to review the rule~~!
But I must say thank you for your reply.