I'm experimenting with the wiki example at http://wiki.mikrotik.com/wiki/DoS_attack_protection
I've never been attacked but I'm trying to keep it that way. We are an ISP with about 1500 current customers, many of which have email servers and web servers that they run. So when I plugged in the default limit of 400 the logs went crazy! Even at 2000 some of my customers were exceeding that. So a couple of questions. Should that be normal traffic or do these customers have some issues?
Also if I set it at say 3000 so their traffic remains the same and the logs don't show any excessive connections, is that too high to protect from an attack? I'm using an RB1100ahx2 as my main router. I'm not trying to protect customers, I'm trying to protect infrastructure so if one customer gets attacked we don't all go down. Am I going about this the right way?