DDoS Mitigation

Published by Gizmo_RA2 on

This is how we keep (D)DoS attacks from interfering with our network.

First, we catch all new connections arriving in the input chain and jump them to a dedicated firewall chain.

The jump is placed in the input chain, after all other rules, so that established/related traffic and explicitly accepted services never reach it; we find this produces fewer false positives than doing the same in the forward chain:

/ip firewall filter
add chain=input connection-state=new action=jump jump-target=detect-ddos

In RouterOS, connection tracking treats any single UDP packet as a new connection in every firewall section (except NAT) until a packet in the opposite direction is seen, so a UDP flood shows up here as a stream of new connections.

We then allow each SrcIP:DstIP pair 32 new connections per second with a burst of 32 (dst-limit takes count[/time],burst,mode[/expire], so the trailing /10s is how long an idle per-pair counter is kept, not the measurement window). Pairs still within their limit return to the input chain:

/ip firewall filter
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return

We don’t find we need any exceptions; however, if DNS servers or other legitimate peers get blocked when they shouldn’t, add a return rule for each of them between the dst-limit rule and the add-src-to-address-list rule (the source address is left blank here; fill in the host to exempt):

/ip firewall filter
add chain=detect-ddos src-address= action=return

Because we only protect a single IP, and because the drop happens in the raw table before connection tracking (below), we only record the attacker’s address, not the victim’s:

/ip firewall filter
add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

To limit the impact on the router during an intense flood, we drop listed sources in the raw table’s prerouting chain, which runs before connection tracking and so costs far less per packet than a filter rule. The rule needs an explicit action=drop; without it the default action (accept) applies and nothing is blocked:

/ip firewall raw
add chain=prerouting src-address-list=ddoser action=drop
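To make the behaviour of the whole pipeline concrete, here is an added worked model in Python. It is not RouterOS code and not the author's tooling: it approximates dst-limit=32,32,src-and-dst-addresses/10s as a per-(src,dst) token bucket (32 tokens per second, capacity 32, idle entries forgotten after 10 s), the ddoser list with address-list-timeout=10m, and the raw/prerouting drop. Every packet fed in is treated as a new connection, as RouterOS does for lone UDP packets. The addresses (192.0.2.10 as the protected host, 198.51.100.53 as an exempted DNS server, 203.0.113.x as clients) and the traffic are constructed for the example.

```python
"""Model of the RouterOS (D)DoS detection chain: added example, not RouterOS
code. Approximates dst-limit as a token bucket per (src, dst) pair, the
ddoser address list with a 10 m timeout, and the raw/prerouting drop.
All addresses and packets below are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "t src dst")  # t = seconds since start

RATE = 32.0            # dst-limit count: tokens refilled per second
BURST = 32             # dst-limit burst: bucket capacity
EXPIRE = 10.0          # dst-limit expire: idle pair entries are forgotten
LIST_TIMEOUT = 600.0   # address-list-timeout=10m


class Firewall:
    def __init__(self, exceptions=()):
        self.exceptions = set(exceptions)  # sources the extra return rule exempts
        self.buckets = {}   # (src, dst) -> (tokens, last_seen)
        self.ddoser = {}    # src -> time its list entry expires

    def _dst_limit(self, pkt):
        """True while the pair is under its rate (the dst-limit rule matches)."""
        key = (pkt.src, pkt.dst)
        tokens, last = self.buckets.get(key, (BURST, pkt.t))
        if pkt.t - last > EXPIRE:
            tokens = BURST  # entry expired: start with a full bucket
        tokens = min(BURST, tokens + (pkt.t - last) * RATE)
        matched = tokens >= 1
        self.buckets[key] = (tokens - 1 if matched else tokens, pkt.t)
        return matched

    def handle(self, pkt):
        """Verdict for one new-connection packet: dropped, accepted or listed."""
        # raw/prerouting: listed sources are dropped before conntrack sees them
        expires = self.ddoser.get(pkt.src)
        if expires is not None:
            if pkt.t < expires:
                return "dropped"
            del self.ddoser[pkt.src]  # address-list-timeout elapsed
        # filter/input, connection-state=new -> jump detect-ddos
        if self._dst_limit(pkt):          # dst-limit=... action=return
            return "accepted"
        if pkt.src in self.exceptions:    # src-address=<host> action=return
            return "accepted"
        self.ddoser[pkt.src] = pkt.t + LIST_TIMEOUT  # add-src-to-address-list
        return "listed"


def run(fw, packets):
    """Feed packets in time order and return the list of verdicts."""
    return [fw.handle(p) for p in sorted(packets, key=lambda p: p.t)]


def flood(src, dst, n, pps, start=0.0):
    """Constructed run of n new-connection packets at pps packets per second."""
    return [Packet(start + i / pps, src, dst) for i in range(n)]


PROTECTED = "192.0.2.10"  # assumed protected address (documentation range)


def demo():
    fw = Firewall(exceptions={"198.51.100.53"})  # assumed upstream DNS server
    verdicts = {}
    # 1. attacker: 100 lone UDP packets at 10 000 pps -> listed after the burst
    verdicts["attacker"] = run(fw, flood("203.0.113.7", PROTECTED, 100, 10_000))
    # 2. exempted DNS server at the same rate: never listed
    verdicts["dns"] = run(fw, flood("198.51.100.53", PROTECTED, 100, 10_000))
    # 3. ordinary client: 20 connections spread over 2 s, all under the rate
    verdicts["client"] = run(fw, flood("203.0.113.99", PROTECTED, 20, 10))
    # 4. attacker returns after the 10 m list timeout: evaluated afresh
    verdicts["attacker_later"] = run(
        fw, flood("203.0.113.7", PROTECTED, 1, 1, start=700.0))
    return fw, verdicts


if __name__ == "__main__":
    _, results = demo()
    for name, res in results.items():
        print(name, {k: res.count(k) for k in ("accepted", "listed", "dropped")})
```

Running the script shows the shape of the rule set: the first 32 attacker packets pass on the burst, the 33rd is the one that lands the source on the ddoser list, and everything after it is dropped in prerouting; the exempted DNS server exceeds the same limit but only ever hits the return rule; and once the 10 m timeout passes the source is judged on its current behaviour again rather than staying blocked.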