How to protect your mikrotik router from DDoS Attacks – Basics

Distributed Denial of Service (DDoS) attacks are quite common these days, and it’s not hard to guess the name of the originating country: China/Hong Kong tops the list of attackers. Huh!

I have been working with MikroTik devices for a long time, so this is nothing new to me. Guess what: I faced a DDoS for the first time on my home network. Trust me, it took my whole network down in minutes. So just imagine what would happen to an enterprise network! Anyway, if you need to know more about it, just google it and you will find a whole lot of articles on it.

So, whenever you configure your MikroTik router for the first time, it’s better to set up the filter rules to prevent these attacks: “Prevention is better than cure!”

General Symptoms:

  • Full WAN uplink bandwidth utilisation even if no clients are connected to your router.
  • Extremely high latency.
  • Several unknown IPs connected to your router’s public IP. [See this from the Torch option and sort by Rx/Tx]
  • If you are curious enough and do some IP lookups, you can see that those IPs mainly belong to the CHINANET network. Beware!!

Some important tips:

  • Disable DNS if not required.
  • If DNS – Allow remote requests is enabled, make sure an appropriate filter rule is set to prevent incoming DNS attacks:
    add action=drop chain=input dst-port=53 protocol=udp
    add action=drop chain=input dst-port=53 protocol=tcp
  • Disable SSH and Telnet access if not required.
  • Change the HTTP port to something other than port 80.

Solution (CLI Based):

/ip firewall filter
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos 
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser

So, what am I doing here? It’s not rocket science, just simple filter logic! But before this you need to understand the concept of DDoS: what, why, how! Thanks to MikroTik’s Wiki and the RouterOS manual, which helped me figure it out.

  • First we capture all new connections and pass them to a dedicated firewall chain (detect-ddos).
  • Then, for each source and destination IP address pair, we set a limit on the number of packets per second (pps) with a burst and a reset timer; packets within the limit pass control back to the chain from which the jump took place.
  • Once packets exceed our predefined pps, we add their source to the ‘ddoser’ address list and their destination to the ‘ddosed’ address list.
  • Then we drop all packets flowing through the router whose source and destination IPs match those address lists.
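To see how those four steps interact, here is a small Python model of the five rules, added to this post as an illustration (it is not RouterOS code and not the author’s). It treats dst-limit=32,32,src-and-dst-addresses/10s as a token bucket keyed on the (src, dst) pair, an approximation of RouterOS’s internal behaviour, and runs constructed traffic through it: all IP addresses, the client/flooder names and the timings are made up for the example.

```python
# Added example (not from the post): a Python model of the five RouterOS rules
# above, so the per-pair limit and the address-list hand-off can be watched on
# constructed traffic. dst-limit is approximated as a token bucket keyed on
# (src, dst); RouterOS's internal implementation may differ in detail.
from collections import defaultdict

RATE_PPS = 32           # dst-limit count: 32 packets per second per src/dst pair
BURST = 32              # dst-limit burst: tokens available before the rate applies
EXPIRE_S = 10.0         # dst-limit expire (/10s): forget idle pairs after 10 seconds
LIST_TIMEOUT_S = 600.0  # address-list-timeout=10m


class DdosDetector:
    def __init__(self):
        self.buckets = {}   # (src, dst) -> [tokens, last_seen]
        self.ddoser = {}    # src -> time its address-list entry expires
        self.ddosed = {}    # dst -> time its address-list entry expires

    def _take_token(self, src, dst, now):
        """dst-limit=32,32,src-and-dst-addresses/10s: True while the pair is under the limit."""
        b = self.buckets.get((src, dst))
        if b is None or now - b[1] > EXPIRE_S:
            b = [float(BURST), now]            # new or expired pair starts with a full burst
            self.buckets[(src, dst)] = b
        else:
            b[0] = min(BURST, b[0] + (now - b[1]) * RATE_PPS)  # refill at the configured rate
            b[1] = now
        if b[0] >= 1.0:
            b[0] -= 1.0
            return True
        return False

    def listed_pair(self, src, dst, now):
        """The drop rule matches only when src is in 'ddoser' AND dst is in 'ddosed'."""
        return self.ddoser.get(src, -1.0) > now and self.ddosed.get(dst, -1.0) > now

    def new_connection(self, src, dst, now):
        """Run one new-connection packet through the forward chain; return 'accept' or 'drop'."""
        # Rule 1: jump to detect-ddos.  Rule 2: under the limit -> return to forward.
        if not self._take_token(src, dst, now):
            # Rules 3 and 4: over the limit -> list both ends. These actions do not
            # terminate the chain, so the packet still reaches the drop rule below.
            self.ddosed[dst] = now + LIST_TIMEOUT_S
            self.ddoser[src] = now + LIST_TIMEOUT_S
        # Rule 5: drop new connections between a listed src and a listed dst.
        return "drop" if self.listed_pair(src, dst, now) else "accept"


def run_scenario():
    """Constructed traffic (not captured data): a normal client, then a flood."""
    det = DdosDetector()
    legit, flooder = "10.0.0.5", "198.51.100.77"      # made-up addresses
    victim, other = "203.0.113.10", "203.0.113.20"    # made-up addresses
    out = defaultdict(int)
    # Normal browsing: 10 new connections spread over one second, all under the limit.
    for i in range(10):
        if det.new_connection(legit, victim, i * 0.1) == "accept":
            out["legit_before"] += 1
    # Flood: 100 new connections to the same host in the same instant.
    for _ in range(100):
        out["flood_" + det.new_connection(flooder, victim, 5.0)] += 1
    out["listed_after_flood"] = det.listed_pair(flooder, victim, 6.0)
    # Collateral check: the legit client and the flooder's other destinations are unaffected.
    out["legit_after"] = det.new_connection(legit, victim, 6.0)
    out["flooder_other_dst"] = det.new_connection(flooder, other, 6.0)
    # After address-list-timeout (10m) the pair is allowed through again.
    out["flooder_after_timeout"] = det.new_connection(flooder, victim, 5.0 + LIST_TIMEOUT_S + 1.0)
    return dict(out)


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two things the model makes visible: the first 32 connections of the burst are accepted before the pair is listed, because the limit has to be exceeded before rules 3 and 4 fire, and the drop rule matches only when both the source is in ‘ddoser’ and the destination is in ‘ddosed’, so a listed source can still reach other hosts and other clients can still reach the listed destination. Note also that all five rules live in chain=forward, so traffic addressed to the router itself (chain=input) is not covered by them; that side is handled by input rules such as the DNS drops in the tips above.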

That’s it! We are good to go. But I would suggest talking to your upstream provider if you face these attacks very often, as it is always a good idea to block DDoS at the source. Also, it increases our CPU usage if we don’t have a powerful router at our disposal…


  • Hi Srijit,
    I don’t know you, but you surely helped me out of this mess.
    I searched a lot on the net for the same and did R&D for the last 3 days.
    Your post resolved it.
    Thanks a lot for sharing.


    • You are most welcome. Glad it helped you. 🙂

      • Hi, I would like to have help with the following:
        I want to allow more speed for Google products like YouTube and G+ than the regular speed defined on the DMA RADIUS server. I tried a lot but didn’t find a working solution. Kindly help with the same.

  • Ummar Hussain

    Very informative, bro!!!

  • Dave

    Will this detect DDoS attacks from an infected machine inside my protected network?

    We appear to have a user on our network who is infected with a RAT. I am not sure yet who the user is, but I want to make sure the RAT cannot do damage to other servers on the Internet.

  • Wow, this is just what I was looking for. Now if only I could find more useful rules like this that work with both incoming and outgoing traffic.

  • Ka Siang

    Hi Srijit,

    The solution you provided is working, but I am having a problem here.
    When I enable this rule, none of the PCs have an Internet connection, but the router does.
    If I disable this rule, my download bandwidth is normal, but the upload bandwidth is being utilised even though nobody in my network is using it.
    I assume this is a DNS attack or a DDoS attack.
    Any solution?

    add action=drop chain=input dst-port=53 protocol=tcp