In the RouterOS Wiki:
http://wiki.mikrotik.com/wiki/DoS_attack_protection
SYN filtering
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no
I have found that whether the limit is 400, 4000, or 10000 makes no difference: there is always some traffic (a few packets) matching the last rule, "Drop".
But why? The pps is well below the limit.
I think the connection-state=new in the two SYN-Protect chain rules in the Wiki is redundant, maybe kept for security's sake? If a new-connection SYN packet ends up in that chain, it is because it already matched those conditions...
Try this code to see if there's any difference:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn \
action=drop comment="" disabled=no
- The first rule will "send" all connection-state=new TCP SYN packets to the SYN-Protect chain.
- The second rule (first in SYN-Protect) will match, letting new connections pass unless their rate surpasses 400 per 5 sec,
- in which case those new connections fall through to the second rule in SYN-Protect and are dropped.
However, maybe the "mismatch" comes from re-connections or something, as connection-state=new is ROS-firewall specific and has nothing to do with TCP state (it considers a connection new once the first packet traverses the router, be it TCP, UDP or any other stateless protocol).
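As an added example that is not part of this thread or of the MikroTik wiki page quoted above: a small Python model of the limit matcher, written as the token bucket that netfilter's limit match implements (RouterOS's firewall is netfilter-based). In RouterOS syntax the first number of limit=400,5 is the average rate in packets per second and the second is the burst, i.e. the bucket size. The SYN arrival pattern is constructed: one client opens 12 connections in the same instant, then traffic settles to 1 SYN per second, so the average rate is about 1.2 pps. The model assumes a bucket that starts full and refills linearly.

```python
"""Token-bucket model of the RouterOS/netfilter `limit` matcher.

Constructed example, not code from the forum thread or the MikroTik wiki.
`limit=400,5` is modelled as: refill at 400 tokens/s, bucket capacity 5.
"""


class LimitMatch:
    """Simplified token bucket: `burst` is the capacity, `rate_pps` the refill rate."""

    def __init__(self, rate_pps, burst):
        self.rate_pps = float(rate_pps)
        self.burst = float(burst)
        self.tokens = float(burst)  # assumption: bucket starts full
        self.last_t = 0.0

    def match(self, now):
        """True if a packet arriving at `now` (seconds) matches the limit rule."""
        elapsed = now - self.last_t
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_pps)
        self.last_t = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_protect(arrivals, rate_pps, burst):
    """Run SYN arrival timestamps through the two SYN-Protect rules.

    Rule 1: limit=<rate_pps>,<burst> -> accept
    Rule 2: everything else          -> drop
    Returns (accepted, dropped).
    """
    lim = LimitMatch(rate_pps, burst)
    accepted = dropped = 0
    for t in sorted(arrivals):
        if lim.match(t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


# Constructed traffic: 12 simultaneous SYNs at t=0 (a browser opening parallel
# connections), then one SYN per second for 60 s. Average rate ~1.2 pps.
ARRIVALS = [0.0] * 12 + [float(s) for s in range(1, 61)]


def compare_limits():
    """Raising the count changes nothing; raising the burst is what matters."""
    return {
        "400,5": syn_protect(ARRIVALS, 400, 5),
        "10000,5": syn_protect(ARRIVALS, 10000, 5),
        "400,50": syn_protect(ARRIVALS, 400, 50),
    }


if __name__ == "__main__":
    for rule, (ok, dropped) in compare_limits().items():
        print(f"limit={rule}: accepted={ok} dropped={dropped}")
```

With a burst of 5 the first five simultaneous SYNs drain the bucket and the remaining seven fall through to the drop rule, whether the count is 400 or 10000; with a burst of 50 nothing is dropped. Under this model the few packets hitting "Drop" at a low average pps are expected whenever a single host opens more connections at once than the burst allows.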