I opened a support ticket a few weeks ago ([Ticket#2011090366000021] 'dst-limit' matcher):
From my observations, RouterOS up to v5.6 is still confused by the 'Expire' value of the 'dst-limit' matcher in the firewall.
When using the default value of "100.00" in WinBox, it's shown as "1m40s" in Terminal, and is actually ten seconds. It follows from the iptables manual that the expire value is in hundreds of milliseconds, so WinBox's "100.00" actually means "100.00 x 100ms", i.e. 10s. Please fix =)
Also, 'dst-limit' matches the first 'Burst' packets (as it should) plus one, and then skips packets for the first second. So if you have Rate=10 and Burst=50, and you start to flood packets, the rule will match 51 packets, and on the 52nd packet it won't match until 1 sec passes. Then it will match 10 more packets. Could you please change this behaviour so that it will be more obvious: in the first second the rule should match 'Burst + Rate' packets, and then stop matching until one second passes.
Trying to make RouterOS even better =)
I still have only an automatic reply...
so, try to change your "dst-limit=1000,0," to "dst-limit=1000,1000,"
actually, 1000 is way too much, look at my topic http://forum.mikrotik.com/viewtopic.php?f=2&t=54607