Community discussions

MikroTik App
just joined
Topic Author
Posts: 1
Joined: Fri May 29, 2020 11:33 pm

DDos protection

Fri May 29, 2020 11:46 pm


we have ESXi and deployed almost 100 VM for clients, we are using a Mikrotik as a gateway to control suspicious traffic from clients.
so we had a lot of spammers and botnet abuses which made some troubles, we want to stop those guys.
I have used this guide to run DDoS protection, at the middle of this guide says " One may want also add some exceptions (like DNS servers - it won't be good if they will be blocked)", but how can I make an exception for DNS servers? I would like to add and to exception, should I do like this?
add chain=detect-ddos src-address= action=return
add chain=detect-ddos src-address= action=return
instead of:
add chain=detect-ddos src-address= action=return

Also, do you have any suggestion that how can we stop SMTP spammers? I don't want to block SMTP ports, but something smarter to detect who is using this port abnormally!
User avatar
Forum Veteran
Forum Veteran
Posts: 716
Joined: Wed Mar 25, 2020 4:04 am

Re: DDos protection

Sat May 30, 2020 12:05 pm

Add also the dst-address of the said DNS servers, ie. accept those packets.
In the firewall the order of the rules (ie. the rank, position) is important, ie. what comes at what position in what order.
Another important point is whether you drop in the last rule of the input/output/forward chains all the unwanted rest of packets.

Regarding SMTP: use a tool like fail2ban on the email server(s). See
But it is unclear what you mean by "spammers". Do you mean their login attempts? Or do you mean they already use your server for sending out spam, or do you mean the spam received? For the latter case you can use spamassassin (spamd, spamc) for spam filtering -->
User avatar
Member Candidate
Member Candidate
Posts: 295
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: DDos protection

Sat May 30, 2020 1:15 pm

You should also drop traffic on your LAN-side (so "forward" chain, interface depending on your model & topology) that is not originated from the effective IP address of the VM/Client itself!
So at least you try to stop facilitating "spoofed" traffic towards the internet!
Normally if you run a PPPoE server there is something like "Unicast Reverse Path Forwarding" but I think the RouterOS implementation is not fully OK (there are some posts in the forum on this)
In your case your clients are "LAN-side" and I'm not sure if this would be applicable.

What services do you offer to your customers ? SMTP-relay ? Or can they go out to Internet, do spamming and get your (public) ranges blocked due to bad reputation etc?

You could set some "limits" on certain types of traffic, eg DNS-traffic but you need to know your baseline a bit before you start turning knobs ;-)
User avatar
Forum Veteran
Forum Veteran
Posts: 716
Joined: Wed Mar 25, 2020 4:04 am

Re: DDos protection

Sat May 30, 2020 1:36 pm

@jay22, do you have a legal Terms of Service (ToS) agreement / contract with your clients?
Therein you make them liable for any damages, for the extra-work, and for all the unnecessary headaches they cause :-)

Some tips for such a ToS:
- Disclose the rules and restrictions that your clients (incl. their users using your services) must adhere to
- Maintain your right to terminate abusive clients
- Make your copyright, trademark and intellectual property rights known
- Limit your liability
- Disclaim warranties

For example, most hosters ask for a fee which the client has to pay for each Abuse Report (AR) they get and have to process, for example if one sends out spam, or is involved in hacking attempts like doing extensive portscanning, or trying to illegally login to servers, doing/participating in DoS/DDoS activities etc...
Forum Guru
Forum Guru
Posts: 4622
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DDos protection

Sat May 30, 2020 4:35 pm

Hi Jay22
I am not familiar with DDOS, but the reading I have done states that it is an attack on ones networks by groups of computers (botnets) that have been compromised.
Can you clarify if
a. you are suffering DDOS attacks (in which case your ISP will be the primary vehicle of protection - single routers cannot handle it)
b. your network has been infiltrated such that your are the SOURCE of DDOS attacks to other places on the internet (and possibly causing your WANIP to be blacklisted or your ISP to shut you down).

It seems the latter case is your description while the title of your thread suggest a. !
Did you mean Preventing PCs/VMs from Becoming Zombies ??? as jvangoodbelgiumham is pointing too?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)

Who is online

Users browsing this forum: eworm, saltynomad and 62 guests