====== So Your Mikrotik Firewall is Under Attack ======

FIXME Unfinished and untested.

:!: These rules can be modified for many botnet situations.

:!: Logging can be added if needed.

:!: The order of rules in your firewall is important.  Move these rules to an appropriate place in your firewall order.

:!: Consider disabling or deleting these rules after the attacks have subsided to keep from polluting your firewall rule set.

===== Port-Based Solution (may not be ideal) =====

==== Botnet - UDP Port 30837 ====

Here we see a botnet using UDP port 30837, so we create a permanent blacklist and drop all packets.

  * We can disable the rules later
  * We can modify these rules for the next attack 
  * Or we can keep or delete the blacklist and rules later 

<file>
/ip firewall filter

add chain=input comment="Drop Blacklisted Botnet Attackers for 10 Days" src-address-list=botnet_blacklist \
action=drop disabled=no

add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage3 \
action=add-src-to-address-list address-list=botnet_blacklist address-list-timeout=10d  disabled=no

add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage2 \
action=add-src-to-address-list address-list=botnet_stage3 address-list-timeout=1m disabled=no

add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage1 \
action=add-src-to-address-list address-list=botnet_stage2 address-list-timeout=1m disabled=no

add chain=input protocol=udp dst-port=30837 connection-state=new action=add-src-to-address-list \
address-list=botnet_stage1 address-list-timeout=1m  disabled=no
</file>

  * Since botnet traffic generally comes slowly from many different hosts, you might have to adjust the ''address-list-timeout'' to a longer period in the "stage" rules to catch more attackers
  * You might omit the ''address-list-timeout'' from the "stage3" rule to make the blacklist entry permanent.

If you feel the need, you can then allow connections not previously blocked.  If all you are doing is building a blacklist, omit this rule:

<file>
add chain=input comment="Accept botnet traffic not previously blocked" protocol=udp dst-port=30837 \
connection-state=new action=accept
</file>

===== Detection Based Solution =====

http://forum.mikrotik.com/viewtopic.php?f=2&t=54607&p=278189

http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking

:!: This sample rule set is on the ''forward'' chain.  For traffic destined for router, you would have to use the ''input'' chain.

:!: This rule set uses ''ether1'' as WAN (Internet) connection.

:!: You can also easily exclude (whitelist) certain hosts.  See [[http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking|DDoS_Detection_and_Blocking]].

This example dynamically creates two address lists: attackers (''ddos-source'') and attacked hosts (''ddos-target''), and blocks packets from the former to the latter.

<file>
/ip firewall filter

  add chain=forward action=jump connection-state=new in-interface=ether1 jump-target=detect-ddos \
  comment="Detect DDoS Attack"
    
  add chain=detect-ddos action=return dst-limit=50,100,src-and-dst-addresses/10s \
  comment="Detect DDoS Attack - 1"
      
  add chain=detect-ddos action=add-dst-to-address-list address-list=ddos-target address-list-timeout=1w \
  comment="Detect DDoS Attack - 2"
    
  add chain=detect-ddos action=add-src-to-address-list address-list=ddos-source address-list-timeout=1w \
  comment="Detect DDoS Attack - 3"
    
  add chain=forward action=drop connection-state=new dst-address-list=ddos-target \
  src-address-list=ddos-source comment="Drop DDoS Attackers"
</file>

**Q:** Is there way to make the rule less sensitive? When I browse to my web server, Firefox hangs and retries too many times and I'm flagged as a ''ddos-source''.

**A:** ''dst-limit=32,32'' is what you're looking for. try to change it to ''dst-limit=32,256'' for higher burst.