DoS attack protection
From MikroTik Wiki
A DoS (Denial of Service) attack can overload the router, which means that CPU usage goes to 100% and the router can become unreachable, with timeouts.
Types
TCP SYN flood
More info: SYN flood.
Diagnose
A huge number of received syn-sent TCP packets can be observed in the firewall connection list.
/ip firewall connection print
/tool torch
Protection
- Limit incoming connections
An address with too many connections can be added to an address list for further blocking.
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \
    action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
where LIMIT is the maximum number of connections per IP.
- Action tarpit
Instead of simply dropping the attacker's packets (action=drop), the router can capture and hold the connections, and with a powerful enough router it can kill the attacker.
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit
- SYN filtering
- SYN cookies
More info: SYN cookies
/ip firewall connection tracking set tcp-syncookie=yes
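To choose a value for LIMIT from the Diagnose step, the connection list can be tallied offline per source network, which is what the second parameter of connection-limit=LIMIT,32 selects (a /32 counts each address separately). The following is an added example, not part of the original wiki page or MikroTik's own tooling; the column layout of the sample output is an assumption, the rows are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample. The column layout of "/ip firewall connection print" is
# assumed here and differs between RouterOS versions; addresses are doc ranges.
SAMPLE = """\
 #    PROTOCOL SRC-ADDRESS          DST-ADDRESS       TCP-STATE   TIMEOUT
 0    tcp      198.51.100.7:40001   192.0.2.1:80      syn-sent    4s
 1    tcp      198.51.100.7:40002   192.0.2.1:80      syn-sent    4s
 2    tcp      198.51.100.7:40003   192.0.2.1:80      syn-sent    3s
 3    tcp      198.51.100.9:40100   192.0.2.1:80      syn-sent    4s
 4 SA tcp      203.0.113.20:51515   192.0.2.1:8291    established 23h
 5    udp      203.0.113.20:5353    192.0.2.1:53                  9s
"""

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")

def count_sources(text, state="syn-sent", prefix_len=32):
    """Count TCP entries in `state` per source network of size /prefix_len."""
    counts = Counter()
    for line in text.splitlines():
        tokens = line.split()
        if "tcp" not in tokens or state not in tokens:
            continue  # header, other protocols, other TCP states
        # The first ip:port token on the line is taken as the source endpoint.
        src = next((m.group(1) for m in map(ENDPOINT.match, tokens) if m), None)
        if src is None:
            continue
        try:
            net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        except ValueError:
            continue  # malformed address in the export, skip the row
        counts[str(net)] += 1
    return counts

def over_limit(text, limit, prefix_len=32, state="syn-sent"):
    """Networks with more than `limit` matching entries, busiest first.
    Using '>' as the threshold is an assumption of this sketch."""
    counts = count_sources(text, state, prefix_len)
    return [(net, n) for net, n in counts.most_common() if n > limit]

if __name__ == "__main__":
    for net, n in over_limit(SAMPLE, limit=2):
        print(f"{net}: {n} syn-sent entries")
```

Running it with prefix_len=24 shows how a wider netmask groups several addresses of one network under a single count, which changes which sources cross the same LIMIT.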