Team,

I know this should be easy but I have a cold today and things just are not working as they should. I am getting some random DoS attacks and I think just turning on ICMP and blocking outside ping should be the easiest fix. The Source IP is jumping all over the place so I really cant make an array. I have been looking over the twiki for a hour and not finding what I need. I am running version 6.4 on my MT. Appreciate any help you can give me. Also is what I am pulling from the logs about the DoS

Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=183.224.14.237 DST=173.10.26.96 LEN=40 TOS=00 PREC=0x20 TTL=33 ID=31758 PROTO=ICMP TYPE=13 CODE=0 2018/10/25 13:24:31 Notice
Firewall[242]: DoS Attack - ICMP Flooding IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=183.224.14.237 DST=173.10.26.96 LEN=96 TOS=00 PREC=0x20 TTL=48 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=49220 SEQ=22543 2018/10/25 13:24:25 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=158.255.215.145 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=25 ID=3123 PROTO=ICMP TYPE=13 CODE=0 2018/10/24 12:36:22 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=213.183.56.106 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=15 ID=29788 PROTO=ICMP TYPE=13 CODE=0 2018/10/24 12:06:12 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=139.59.19.188 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=34 ID=44589 CE PROTO=ICMP TYPE=13 CODE=0 2018/10/24 09:54:35 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=159.65.198.141 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=33 ID=15535 PROTO=ICMP TYPE=13 CODE=0 2018/10/24 09:05:06 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=128.199.146.150 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=39 ID=48997 CE PROTO=ICMP TYPE=13 CODE=0 2018/10/24 08:41:52 Notice

If you are just wanting to block ICMP packets, simply do just that. Something like this: Obviously you would have to edit this to have the in-interface = whatever your internet interface is (as opposed to my e1_internet).

incoming pings are common and do not necessarily mean it is DoS or DDoS. I have regularly
How do you recognize DoS attack? what are limits etc?

Also - what resource gets utilized most during the attack? Is it CPU? then dropping some packets might help but if it happens AFTER connection tracking (/ip firewall filter), it will still consume a lot of cpu. Only way to drop packets without consuming much cpu is using /ip firewall raw with chain=prerouting - that is the only ruleset which happens BEFORE connection tracking.
If the network is the most utilized resource, then dropping packets will not really help much because packets will still flow to you and utilize your network (possibly causing higher latency and packet loss)

Keep in mind, that if you block whole ICMP protocol, it might cause other issues (depends what kind of services you use)

In addition I would recommend to analyze it with /tool torch interface=YOUR_WAN_INTERFACE ip-protocol=icmp src-address=0.0.0.0/0 because that will show you how many kbps/pps belongs to each IP instead of neverending list of log entries

Thanks vecernik87 for the longer answer. My short answer was courtesy of needing to get to bed

icmp is needed and its not right to block all of them.

U can use some firewall filters in order to stop the attacks.

https://wiki.mikrotik.com/wiki/DDoS_Det ... d_Blocking