Apparently the firewall filter dst-limit is still not fixed:
http://forum.mikrotik.com/viewtopic.php?f=2&t=17831
Theoretically you should be able to use it to accept connections up to 3000pps, and then create a rule directly after that to add any src-addresses to an address list.
firewall filter rules
/ip firewall filter
add action=accept chain=forward disabled=no dst-limit=3000,0,src-address/1m
add action=add-src-to-address-list address-list=over-3000-pps address-list-timeout=60s chain=forward disabled=no
Create a script that checks the address list for that particular name. If found, send email with all IP addresses:
# address list name
:local alist "over-3000-pps";
# create an array of all address list items with the name above
:local alistArray [ :toarray [ /ip firewall address-list find list=$alist ] ] ;
# get length of the array
:local alistArrayLen [ :len $alistArray ];
# if any items were found, continue
if ( $alistArrayLen > 0 ) do={
:local ipList "";
# loop through array of items
:for i from=0 to=( $alistArrayLen - 1 ) do={
# add the IP address of each item to the ipList variable, followed by new line (\n\r not tested)
:set ipList ( $ipList . [ /ip firewall address-list get [ :pick $alistArray $i ] address ] . "\n\r" );
}
# clear the address-list of all the over-3000-pps items
/ip firewall address-list remove numbers=[ find list=$alist ];
# send email with the list of IPs
/tool e-mail send to=email@domain.com subject="over 3000pps" body="$ipList"
}
Finally, schedule the script to run every X minutes. In the firewall rules above, the timeouts are at 1 minute, so you would want to change them to whatever you want.
But until dst-limit fixed... this won't work