Unfinished and untested.
These rules can be modified for many botnet situations.
Logging can be added if needed.
The order of rules in your firewall is important. Move these rules to an appropriate place in your firewall order.
Consider disabling or deleting these rules after the attacks have subsided to keep from polluting your firewall rule set.
Here we see a botnet using UDP port 30837, so we create a permanent blacklist and drop all packets.
/ip firewall filter
add chain=input comment="Drop Blacklisted Botnet Attackers for 10 Days" src-address-list=botnet_blacklist \
    action=drop disabled=no
add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage3 \
    action=add-src-to-address-list address-list=botnet_blacklist address-list-timeout=10d disabled=no
add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage2 \
    action=add-src-to-address-list address-list=botnet_stage3 address-list-timeout=1m disabled=no
add chain=input protocol=udp dst-port=30837 connection-state=new src-address-list=botnet_stage1 \
    action=add-src-to-address-list address-list=botnet_stage2 address-list-timeout=1m disabled=no
add chain=input protocol=udp dst-port=30837 connection-state=new action=add-src-to-address-list \
    address-list=botnet_stage1 address-list-timeout=1m disabled=no
To tune the rules, set address-list-timeout to a longer period in the “stage” rules to catch more attackers, or remove address-list-timeout from the “stage3” rule to make the blacklist entry permanent.

If you feel the need, you can then allow connections not previously blocked. If all you are doing is building a blacklist, omit this rule:
add chain=input comment="Accept botnet traffic not previously blocked" protocol=udp dst-port=30837 \
    connection-state=new action=accept
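To see how the staged lists above walk a source from stage1 to the 10-day blacklist, and why the stage rules are listed highest stage first, here is a small Python model of the rule set (an added example, not RouterOS code or part of the original page). It assumes that add-src-to-address-list is a pass-through action, that list changes are visible to later rules in the same traversal, and that re-adding an entry resets its timeout; the source address is constructed.

```python
"""Model of the staged botnet address lists (added example, not RouterOS code).
Assumptions: add-src-to-address-list is pass-through (later rules still run),
list changes are visible to later rules, re-adding resets the timeout."""
from typing import Optional

MIN, DAY = 60, 86400

# (required src-address-list or None, action, target list, timeout), page order
RULES = [
    ("botnet_blacklist", "drop", None, 0),
    ("botnet_stage3", "add", "botnet_blacklist", 10 * DAY),
    ("botnet_stage2", "add", "botnet_stage3", MIN),
    ("botnet_stage1", "add", "botnet_stage2", MIN),
    (None, "add", "botnet_stage1", MIN),
]
# Stage rules in ascending order: one pass-through traversal climbs several stages
MISORDERED = [RULES[0], RULES[3], RULES[2], RULES[1], RULES[4]]


class StagedFilter:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.lists = {}  # address-list name -> {src: expiry time in seconds}

    def in_list(self, name: str, src: str, now: float) -> bool:
        return self.lists.get(name, {}).get(src, -1.0) > now

    def new_udp_30837(self, now: float, src: str) -> str:
        """One connection-state=new UDP/30837 packet through the input chain."""
        for src_list, action, target, timeout in self.rules:
            if src_list is not None and not self.in_list(src_list, src, now):
                continue
            if action == "drop":
                return "drop"
            self.lists.setdefault(target, {})[src] = now + timeout  # pass-through
        return "accept"

    def blacklisted_until(self, src: str) -> Optional[float]:
        return self.lists.get("botnet_blacklist", {}).get(src)


def verdicts(times, rules=RULES, src="198.51.100.7"):
    """Verdict per packet for a constructed source sending at the given times."""
    f = StagedFilter(rules)
    return [f.new_udp_30837(t, src) for t in times], f


if __name__ == "__main__":
    print(verdicts([0, 10, 20, 30, 40])[0])  # fast sender: blacklisted on 4th, dropped on 5th
    print(verdicts([0, 120, 240])[0])  # slow sender: stage1 expires each time, never escalates
    print(verdicts([0, 10, 20], MISORDERED)[0])  # misordered rules: dropped on 3rd packet
```

Lengthening the 1m stage timeouts, as the text suggests, widens the window in which a slow sender still escalates.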
http://forum.mikrotik.com/viewtopic.php?f=2&t=54607&p=278189
http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
This rule set uses ether1 as the WAN (Internet) connection.
This example dynamically creates two address lists: attackers (ddos-source) and attacked hosts (ddos-target), and blocks packets from the former to the latter.
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
/ip firewall filter
add action=jump chain=forward connection-state=new in-interface=ether1 jump-target=detect-ddos \
    comment="Detect DDoS Attack"
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
    comment="Detect DDoS Attack"
add action=add-dst-to-address-list chain=detect-ddos address-list=ddos-target address-list-timeout=1w \
    comment="Detect DDoS Attack"
add action=add-src-to-address-list chain=detect-ddos address-list=ddos-source address-list-timeout=1w \
    comment="Detect DDoS Attack"
add action=drop chain=forward connection-state=new dst-address-list=ddos-target \
    src-address-list=ddos-source comment="Detect DDoS Attack"
Q: Is there a way to make the rule less sensitive? When I browse to my web server, Firefox hangs and retries too many times and I'm flagged as a ddos-source.

A: dst-limit=32,32 is what you're looking for. Try changing it to dst-limit=32,256 for a higher burst.