Syn flood protection

Hello, I have been trying to protect against SYN floods from spoofed addresses since I bought a RouterBoard CCR1036-12G-4S, without any luck.
When a SYN attack hits the MikroTik at over 50 Mbit (approx. 5000 pps), the CPU goes crazy and makes the device inaccessible. I found some articles which block all new requests when a SYN attack comes in. That won't help, because the whole network is already inaccessible with the rules below:
http://wiki.mikrotik.com/wiki/DoS_attack_protection

Any advice appreciated :(

Have you tried disabling connection tracking for a short period of time?
All connections are then new after you re-enable it.

Connection tracking is under IP > Firewall.

Try to analyze the TCP packets and look for a pattern. It seems that the packets have length 0 or 1; then you can easily drop those. On my 1100AH with 1.5 GB RAM I can block 100k pps in this case, but then the CPU is at 95%.

I’ve found that this does not work.

http://wiki.mikrotik.com/wiki/DoS_attack_protection
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no

The limit rule matches anything over 400,5, so low connections will be dropped!
The 2nd and 3rd rules need their actions swapped.
Anyone agree?
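To make the ordering question concrete, here is an added simulation (not code from the thread or from MikroTik) of the two-rule SYN-Protect chain quoted above. It assumes the RouterOS `limit=rate,burst` matcher behaves as a token bucket, as the RouterOS documentation describes it: the bucket holds at most `burst` tokens, refills at `rate` per second, and the matcher matches a packet only while a token is available. The timestamps are constructed, evenly spaced input; `accept_on_match` selects the quoted order (match accepts, remainder drops) or the swapped order proposed in the last post.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class LimitMatcher:
    """Token bucket modelling RouterOS `limit=rate,burst` (assumption: the
    matcher matches a packet only while a token is available, refilling
    `rate` tokens per second up to `burst`). Exact arithmetic keeps the
    results reproducible."""
    rate: int          # average packets per second allowed to match
    burst: int         # maximum tokens stored; the bucket starts full

    def __post_init__(self):
        self.tokens = Fraction(self.burst)
        self.last_t = Fraction(0)

    def matches(self, t: Fraction) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_syn_protect(syn_times, rate=400, burst=5, accept_on_match=True):
    """Walk ascending SYN timestamps (seconds) through the two-rule chain.

    accept_on_match=True is the order quoted from the wiki: rule 2 accepts
    packets the limit matcher matches, rule 3 drops the rest. False models
    the swap suggested in the last post: matched packets are dropped, the
    rest accepted. Returns (accepted, dropped).
    """
    lim = LimitMatcher(rate, burst)
    accepted = dropped = 0
    for t in syn_times:
        matched = lim.matches(t)
        if matched == accept_on_match:
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def even_spaced(pps: int, seconds: int):
    """Constructed input: `pps` SYNs per second, evenly spaced, for `seconds`."""
    return [Fraction(i, pps) for i in range(pps * seconds)]


if __name__ == "__main__":
    normal = even_spaced(50, 2)     # 50 new connections/s, well under the limit
    flood = even_spaced(5000, 1)    # ~5000 pps, the rate named in the first post
    print("quoted order,  50 pps:", run_syn_protect(normal))
    print("quoted order, 5000 pps:", run_syn_protect(flood))
    print("swapped order, 50 pps:", run_syn_protect(normal, accept_on_match=False))
```

Under this model the quoted order passes all 100 packets of the 50 pps stream and lets roughly burst + rate per second (404 of 5000) through during the flood, while the swapped order drops the 50 pps stream entirely. Two caveats the simulation makes visible: the limit is global, not per source, so legitimate SYNs compete with spoofed ones for the same 400/s during a flood; and the rule only runs after connection tracking has classified the packet as `new`, so it does nothing about the conntrack CPU cost the first post describes.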