... my question is: does that mean that the default firewall rules in MikroTik are not enough, and we have to add other rules..? Or do we have to replace them..?
The default firewall (where it exists; high-end devices come without one) is pretty secure. It defaults to a (weirdly implemented) "drop everything else" concept, which is the secure way to do it. However, since the default firewall setup relies on connection tracking doing its job, it is also quite resource demanding. In a normal situation one cannot really live without connection tracking (NAT requires it), so for normal operation this is not a problem.
But: DDoS hits connection tracking pretty hard, because the router is flooded with packets all claiming a new connection. And thus the router "dies". So DDoS mitigation is needed. On a SOHO router one can add RAW firewall rules that drop the incoming packets that are part of the DDoS attack before they hit the connection tracking machinery. The remaining issue is consumption of uplink bandwidth ... and that can only be solved upstream (i.e. on the ISP's routers/firewalls).
And yes, your friend is right: if one starts to mess with the default firewall setup and is not up to the task (the ROS learning curve is pretty steep from the beginning), then the chances of f***g up something are pretty high.
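As an added illustration of the "RAW rules before connection tracking" idea from the answer above (this is example configuration written for this page, not the poster's own config and not MikroTik's default firewall), the following RouterOS script keeps the default filter rules in place and adds a detection chain plus RAW drops in front of them. It assumes the WAN interface is named `ether1`, a RouterOS 6.x/7.x box with the `/ip firewall raw` table, and the address-list names and thresholds shown are constructed placeholders to be tuned for the real link; the `/ip firewall raw` chain `prerouting` is consulted before the connection tracker, which is what makes the drop cheap.

```routeros
# --- Added example, not part of the original post. Assumes WAN = ether1. ---

# 1. Detection (runs in the normal filter table, so conntrack is still involved here).
#    New connections coming in from the WAN are jumped to a detection chain.
/ip firewall filter
add chain=forward in-interface=ether1 connection-state=new \
    action=jump jump-target=detect-ddos \
    comment="example: send new WAN connections to detection chain"

# dst-limit=32,32,src-and-dst-addresses/10s: up to 32 new connections per 10 s per
# src/dst pair are normal and simply return. Thresholds are placeholders; tune them.
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return \
    comment="example: below threshold, nothing to do"

# Anything above the threshold records both ends in timed address lists.
add chain=detect-ddos action=add-dst-to-address-list \
    address-list=ddos-targets address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list \
    address-list=ddos-attackers address-list-timeout=10m

# 2. Mitigation in the RAW table: these packets are dropped in prerouting, before
#    connection tracking ever sees them, so they no longer consume conntrack entries.
/ip firewall raw
add chain=prerouting in-interface=ether1 \
    src-address-list=ddos-attackers dst-address-list=ddos-targets \
    action=drop comment="example: drop flagged flood before conntrack"

# 3. Checks an operator would run while the flood is on.
/ip firewall raw print stats          ; packet/byte counters on the drop rule
/ip firewall address-list print where list=ddos-attackers
/ip firewall connection print count-only   ; should stop growing once drops kick in
```

Two caveats that follow from the answer's own point: the detection chain still costs conntrack work (it has to, since `connection-state=new` is a conntrack match), so the RAW drop only relieves the router after a source has been flagged; and none of this reduces the bytes arriving on the uplink, which, as the post says, only the ISP side can filter. The default filter chains are left untouched, which is the "add, don't replace" answer to the original question.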