I am running a Routerboard 750UP router at my office, and I received an email from my ISP about a DDoS attack and that I may be an open resolver.
I have some novice MikroTik experience, but this one is messing with me. Mostly this is occurring on port 53. Now I have done some research and “THINK” I may have done some good, but I need someone to review my config to check my work.
We had the same attack on 31st December last year at two different locations using port 53. If this is also the case with you, then I suggest checking your DNS settings. Do you have allow remote requests checked? If so, you need a firewall rule that will drop all DNS requests coming from the internet, but allow requests from the internal network.
Something like:
/ip firewall filter
add action=drop chain=input comment="Drop DNS from Public" dst-port=53 in-interface=internet_interface protocol=tcp
add action=drop chain=input comment="Drop DNS from Public" dst-port=53 in-interface=internet_interface protocol=udp
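An added example, not part of either post above: a small Python audit that reads a RouterOS `/export` and reports on which protocols the router would still answer DNS from the WAN side. The sample export is constructed; `bridge-local` and the `8.8.8.8` server are assumptions, and only the matchers listed in `MODELLED` are evaluated (rules using anything else are skipped).

```python
import shlex

# Constructed sample of "/export" output (not from the thread): only the UDP drop rule is present.
SAMPLE_EXPORT = '''\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="Drop DNS from Public" dst-port=53 in-interface=internet_interface protocol=udp
add action=accept chain=input in-interface=bridge-local
'''

MODELLED = {"action", "chain", "comment", "disabled", "protocol", "dst-port", "in-interface", "connection-state"}

def parse_export(text):
    """Return (allow_remote_requests, filter rules in order, each as a dict)."""
    section, allow_remote, rules = "", False, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line:
            verb, *pairs = shlex.split(line)  # keeps quoted comments in one token
            props = dict(p.split("=", 1) for p in pairs if "=" in p)
            if section == "/ip dns" and verb == "set":
                allow_remote = props.get("allow-remote-requests") == "yes"
            elif section == "/ip firewall filter" and verb == "add":
                rules.append(props)
    return allow_remote, rules

def port_matches(spec, port):
    ranges = (part.partition("-") for part in spec.split(","))  # "53" or "53,100-200"
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def verdict(rules, proto, wan):
    """First-match action for a new packet to port 53 arriving on the WAN interface."""
    for r in rules:
        states = r.get("connection-state", "new").split(",")
        if (r.get("chain") == "input" and r.get("disabled") != "yes"
                and not set(r) - MODELLED  # skip rules with matchers not modelled here
                and "new" in states
                and r.get("protocol", proto) == proto
                and r.get("in-interface", wan) == wan
                and port_matches(r.get("dst-port", "53"), 53)):
            return r.get("action", "accept")
    return "accept"  # RouterOS accepts when no rule in the chain matches

def open_resolver_exposure(text, wan="internet_interface"):
    """Protocols on which the router would answer DNS queries from the WAN side."""
    allow_remote, rules = parse_export(text)
    return [p for p in ("udp", "tcp") if allow_remote and verdict(rules, p, wan) == "accept"]
```

On the constructed sample this returns `["tcp"]`, because only the UDP rule is present; with both rules from the reply in place it returns an empty list.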