At least all user must enable IP Spoofing block, near all DDoS attack use that vulnerability.
Today I discover that what I took for sure (set loose), for my disbelief for default are disabled…
/ip settings rp-filter default is no
Must be set at least to loose
http://forum.mikrotik.com/t/cant-reach-winbox-if-dual-wan-in-failover-mode/150556/1
the strict option must be necessary only on ISP border router
The default firewall, if not set for drop spoofing, permit crafted packet from LAN to WAN…