So Your Mikrotik Firewall is Under Attack

FIXME Unfinished and untested.

:!: These rules can be modified for many botnet situations.

:!: Logging can be added if needed.

:!: The order of rules in your firewall is important. Move these rules to an appropriate place in your firewall order.

Botnet - UDP Port 30837

Here we see a botnet using UDP port 30837, so we build a blacklist of the attacking hosts (held for 10 days in the rules below) and drop all packets from them.

  • We can disable the rules later
  • We can modify these rules for the next attack
  • Or we can keep or delete the blacklist and rules later

/ip firewall filter
add chain=input comment="Drop Blacklisted Botnet Attackers for 10 Days" src-address-list=botnet_blacklist \
    action=drop disabled=no
add chain=input comment="Botnet stage 3 -> blacklist" protocol=udp dst-port=30837 connection-state=new \
    src-address-list=botnet_stage3 action=add-src-to-address-list address-list=botnet_blacklist \
    address-list-timeout=10d disabled=no
add chain=input comment="Botnet stage 2 -> stage 3" protocol=udp dst-port=30837 connection-state=new \
    src-address-list=botnet_stage2 action=add-src-to-address-list address-list=botnet_stage3 \
    address-list-timeout=1m disabled=no
add chain=input comment="Botnet stage 1 -> stage 2" protocol=udp dst-port=30837 connection-state=new \
    src-address-list=botnet_stage1 action=add-src-to-address-list address-list=botnet_stage2 \
    address-list-timeout=1m disabled=no
add chain=input comment="Botnet first contact -> stage 1" protocol=udp dst-port=30837 connection-state=new \
    action=add-src-to-address-list address-list=botnet_stage1 address-list-timeout=1m disabled=no

  • Since botnet traffic generally arrives slowly from many different hosts, you may have to raise the address-list-timeout in the "stage" rules so that a host is still listed when its next packet arrives; otherwise it never climbs past stage 1.
  • You might omit the address-list-timeout from the "stage3" rule to make the blacklist entry permanent.

If you feel the need, you can then allow connections not previously blocked. If all you are doing is building a blacklist, omit this rule:

add chain=input comment="Accept botnet traffic not previously blocked" protocol=udp dst-port=30837 \
    connection-state=new action=accept

networking/router/mikrotik_under_attack.1400597669.txt.gz · Last modified: 2014/05/20 08:54 by gcooper