How to Prevent DDoS Attacks Using MikroTik
DDoS attacks attempt to disrupt normal traffic by overwhelming the target with a flood of Internet traffic. MikroTik routers offer powerful protection features that can stop most DDoS attacks when configured correctly, as long as the flood does not saturate the router's upstream link; traffic that exceeds your bandwidth has to be filtered upstream by your provider. This guide provides practical protection strategies for network engineers managing MikroTik infrastructure. You will learn to implement both basic and advanced protection measures using RouterOS firewall features.
Common DDoS Attack Types
Understanding attack types helps you choose the right protection strategy. DDoS attacks fall into three main categories:
Volume-Based Attacks
- UDP Floods: Overwhelm target with UDP packets
- ICMP Floods: Send excessive ping requests
- Spoofed Packet Floods: Use fake source addresses
Protocol Attacks
- SYN Floods: Exploit TCP handshake process
- Fragmented Packet Attacks: Send malformed packets
- ACK Floods: Send TCP ACK packets without connections
Application Layer Attacks
- HTTP Floods: Overwhelm web servers with requests
- DNS Amplification: Abuse DNS servers for traffic amplification
- NTP Amplification: Exploit NTP monlist command
MikroTik DDoS Protection Fundamentals
RouterOS provides several features for DDoS protection. Understanding these tools helps you build effective defenses.
Key Protection Features
- Connection Tracking: Monitors connection states and limits
- Address Lists: Dynamic IP blocking and allow-listing
- Rate Limiting: Controls packet flow rates
- Firewall Chains: Organized rule processing
Firewall Chain Structure
| Chain | Purpose | Traffic Direction |
|---|---|---|
| input | Protects router itself | To router |
| forward | Protects network clients | Through router |
| output | Controls router outgoing traffic | From router |
Basic Protection Configuration
Start with these essential protection rules. They provide immediate defense against common attack types.
Step 1: Basic Firewall Protection
```
# Drop packets that do not belong to any tracked connection
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=forward connection-state=invalid action=drop
# Allow established and related connections
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=established,related action=accept
```
Step 2: SYN Flood Protection
```
# Accept up to 25 new TCP connections per second (burst 5) from untrusted sources.
# limit is one bucket shared by all sources, so during a flood legitimate clients
# compete with the attacker for it (dst-limit, used below, keeps a bucket per flow)
/ip firewall filter add chain=input protocol=tcp connection-state=new \
    src-address-list=!trusted-networks limit=25,5:packet action=accept
# Block excessive SYN requests
/ip firewall filter add chain=input protocol=tcp connection-state=new \
    src-address-list=!trusted-networks action=drop
```
Step 3: ICMP Flood Protection
```
# Accept up to 10 ICMP packets per second (burst 5)
/ip firewall filter add chain=input protocol=icmp limit=10,5:packet action=accept
# Block excessive ICMP
/ip firewall filter add chain=input protocol=icmp action=drop
```
Step 4: UDP Flood Protection
```
# Accept up to 50 UDP packets per second (burst 5) from untrusted sources
/ip firewall filter add chain=input protocol=udp \
    src-address-list=!trusted-networks limit=50,5:packet action=accept
# Block excessive UDP traffic
/ip firewall filter add chain=input protocol=udp \
    src-address-list=!trusted-networks action=drop
```
Advanced Protection Techniques
Advanced techniques provide dynamic protection that adapts to attack patterns. These methods detect and block attackers automatically.
Dynamic DDoS Detection
The official MikroTik documentation recommends using dst-limit with specific thresholds for DDoS detection, because unlike limit it keeps a separate counter per flow. In this configuration, dst-limit=32,32,src-and-dst-addresses/10s allows up to 32 new connections per second (burst 32) for each source/destination address pair and expires idle pair entries after 10 seconds; a jump chain feeds every new forwarded connection through that check, and sources that exceed it are added to a blocklist.
```
# Send every new forwarded connection through the detection chain
/ip firewall filter add chain=forward connection-state=new \
    action=jump jump-target=detect-ddos
# Return while a source/destination pair stays under 32 new connections
# per second (burst 32); idle pair entries expire after 10s
/ip firewall filter add chain=detect-ddos \
    dst-limit=32,32,src-and-dst-addresses/10s action=return
# Add the source of anything above the limit to the blocklist for 1 hour
/ip firewall filter add chain=detect-ddos \
    action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=1h
# Drop forwarded traffic from listed sources
/ip firewall filter add chain=forward \
    src-address-list=ddos-attackers action=drop
```
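To show why the per-flow dst-limit matters, here is an added Python simulation (not RouterOS code and not from this guide) that replays constructed traffic through an integer token bucket twice: once as a single shared bucket, the way `limit=25,5:packet` from Step 2 behaves, and once as one bucket per source address, the way a dst-limit rule in src-address mode behaves. The addresses, packet timings and the 25/5 rate are assumptions chosen to match the guide's Step 2 values.

```python
from collections import defaultdict

class TokenBucket:
    """Integer token bucket modelling the limit/dst-limit matcher: `rate`
    tokens per second refill up to `burst`; a packet matches while a whole
    token is available. Time is in ms and tokens in thousandths, so the
    simulation is exact (no float drift)."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst * 1000
        self.tokens, self.last = self.burst, 0

    def allow(self, now_ms):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def global_limit(packets, rate, burst):
    """limit=rate,burst:packet followed by drop: ONE bucket shared by all sources."""
    bucket, accepted = TokenBucket(rate, burst), defaultdict(int)
    for ts, src in packets:
        if bucket.allow(ts):
            accepted[src] += 1
    return dict(accepted)

def per_source_limit(packets, rate, burst):
    """dst-limit in src-address mode plus add-src-to-address-list: one bucket per
    source; a source whose bucket runs dry is listed (the drop rule for listed
    sources is not simulated, so accepted counts show the matcher alone)."""
    buckets, accepted, listed = {}, defaultdict(int), set()
    for ts, src in packets:
        if buckets.setdefault(src, TokenBucket(rate, burst)).allow(ts):
            accepted[src] += 1
        else:
            listed.add(src)
    return dict(accepted), listed

# Constructed traffic (timestamps in ms): a legitimate client at 2 packets/s and
# a flooder at 100 packets/s, both for 10 s, using documentation address ranges.
LEGIT, FLOOD = "192.0.2.10", "203.0.113.66"
PACKETS = sorted([(255 + 500 * k, LEGIT) for k in range(20)] +
                 [(10 * k, FLOOD) for k in range(1000)])

if __name__ == "__main__":
    print("shared bucket (limit=25,5):", global_limit(PACKETS, 25, 5))
    accepted, listed = per_source_limit(PACKETS, 25, 5)
    print("per-source buckets:", accepted, "listed:", sorted(listed))
```

With the shared bucket the legitimate client never gets a token while the flood runs, whereas with per-source buckets all of its packets pass and only the flooder is listed.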
Connection Limit Protection
```
# Accept up to 100 new forwarded connections per second (burst 5) from untrusted
# sources. limit counts matching packets, and each connection-state=new packet is
# one connection attempt, so the mode is :packet (limit has no :connection mode)
/ip firewall filter add chain=forward connection-state=new \
    src-address-list=!trusted-networks \
    limit=100,5:packet action=accept
# Block excessive connections
/ip firewall filter add chain=forward connection-state=new \
    src-address-list=!trusted-networks action=drop
```
Port-Specific Protection
```
# Limit new HTTP/HTTPS connections forwarded to web servers; the drop that follows enforces it
/ip firewall filter add chain=forward protocol=tcp \
    dst-port=80,443 connection-state=new \
    limit=20,5:packet action=accept
/ip firewall filter add chain=forward protocol=tcp \
    dst-port=80,443 connection-state=new action=drop
# Protect SSH access to the router itself
/ip firewall filter add chain=input protocol=tcp \
    dst-port=22 connection-state=new \
    limit=3,5:packet action=accept
/ip firewall filter add chain=input protocol=tcp \
    dst-port=22 connection-state=new action=drop
```
Protecting Specific Services
Different services require specific protection strategies. Here are configurations for common services.
DNS Server Protection
DNS servers are common targets for DDoS attacks and can be abused for amplification attacks. Protect your DNS service with these rules:
```
# Drop DNS queries from outside local networks so the resolver cannot be used
# for amplification; the local-networks address list must exist
/ip firewall filter add chain=input protocol=udp dst-port=53 \
    src-address-list=!local-networks action=drop
# Rate-limit DNS queries from local networks (limit is one shared bucket, not a
# per-source limit; use dst-limit in src-address mode for per-source limits)
/ip firewall filter add chain=input protocol=udp dst-port=53 \
    src-address-list=local-networks limit=20,5:packet action=accept
```
Web Server Protection
```
# Send new HTTP/HTTPS connections through a dedicated chain
/ip firewall filter add chain=forward protocol=tcp \
    dst-port=80,443 connection-state=new \
    action=jump jump-target=web-protection
# Return to the forward chain while under 50 new connections per second (burst 10)
/ip firewall filter add chain=web-protection \
    limit=50,10:packet action=return
# List the source of anything above the limit for 30 minutes. limit is one shared
# bucket: while it is empty every new source gets listed, so prefer dst-limit here
/ip firewall filter add chain=web-protection \
    action=add-src-to-address-list address-list=web-attackers \
    address-list-timeout=30m
# Drop forwarded traffic from listed sources
/ip firewall filter add chain=forward \
    src-address-list=web-attackers action=drop
```
Email Server Protection
```
# Limit new SMTP connections to the router's mail service; the drop that follows enforces it
/ip firewall filter add chain=input protocol=tcp \
    dst-port=25,587 connection-state=new \
    limit=10,5:packet action=accept
/ip firewall filter add chain=input protocol=tcp \
    dst-port=25,587 connection-state=new action=drop
# Protect IMAP/POP3 services
/ip firewall filter add chain=input protocol=tcp \
    dst-port=110,143,993,995 connection-state=new \
    limit=15,5:packet action=accept
/ip firewall filter add chain=input protocol=tcp \
    dst-port=110,143,993,995 connection-state=new action=drop
```
Monitoring and Detection
Effective monitoring helps you detect attacks early and measure protection effectiveness.
Traffic Monitoring
```
# Count tracked TCP connections
/ip firewall connection print count-only where protocol=tcp
# Check address list contents
/ip firewall address-list print where list=ddos-attackers
# Monitor interface traffic
/interface monitor-traffic ether1 once
```
Logging Configuration
```
# Log packets from listed attackers. action=log does not stop rule processing,
# but new rules are appended to the end of the chain, so use place-before= to
# put these above any drop rule for the same list; otherwise they never match
/ip firewall filter add chain=input action=log log-prefix="INPUT-DROP: " \
    src-address-list=ddos-attackers
/ip firewall filter add chain=forward action=log log-prefix="FORWARD-DROP: " \
    src-address-list=ddos-attackers
```
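As an added example (not part of this guide), a small Python script that parses the lines such log rules produce, counts drops per source and per destination service, and lists sources that hit the rule repeatedly. The sample log lines and addresses are constructed; the line layout follows RouterOS's default firewall log format (prefix, in/out interface, src-mac, proto, src->dst, len).

```python
import re
from collections import Counter

# Fields of a RouterOS firewall log line written by action=log with a log-prefix;
# the timestamp and "firewall,info" topic in front of the prefix are ignored.
LOG_RE = re.compile(
    r"(?P<prefix>[A-Za-z-]+): in:(?P<iface>\S+) out:\S+, (?:src-mac \S+, )?"
    r"proto (?P<proto>[A-Z]+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?, len (?P<len>\d+)")

def parse_line(line):
    """Return the fields of one firewall log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):  # ICMP lines carry no ports
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize(log_text, min_hits=3):
    """Count logged packets per source and per (proto, dst-port), and list the
    sources that hit the log rule at least min_hits times (review candidates)."""
    by_src, by_service = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_src[rec["src"]] += 1
        by_service[(rec["proto"], rec["dport"])] += 1
    flagged = sorted(src for src, n in by_src.items() if n >= min_hits)
    return by_src, by_service, flagged

# Constructed sample log (documentation address ranges), as /log print shows it.
SAMPLE_LOG = """\
10:15:01 firewall,info INPUT-DROP: in:ether1 out:(unknown), src-mac 00:0c:29:11:22:33, proto TCP (SYN), 203.0.113.5:40001->198.51.100.1:22, len 60
10:15:01 firewall,info INPUT-DROP: in:ether1 out:(unknown), src-mac 00:0c:29:11:22:33, proto TCP (SYN), 203.0.113.5:40002->198.51.100.1:22, len 60
10:15:02 firewall,info INPUT-DROP: in:ether1 out:(unknown), src-mac 00:0c:29:11:22:33, proto TCP (SYN), 203.0.113.5:40003->198.51.100.1:22, len 60
10:15:02 firewall,info FORWARD-DROP: in:ether1 out:ether2, src-mac 00:0c:29:11:22:33, proto UDP, 203.0.113.77:53->192.0.2.20:3345, len 1460
10:15:03 firewall,info INPUT-DROP: in:ether1 out:(unknown), src-mac 00:0c:29:11:22:33, proto ICMP (type 8, code 0), 203.0.113.9->198.51.100.1, len 84
10:15:03 system,info user admin logged in from 192.0.2.2 via winbox
"""

if __name__ == "__main__":
    by_src, by_service, flagged = summarize(SAMPLE_LOG)
    print(by_src.most_common(3), by_service, flagged)
```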
Performance Monitoring
- CPU Usage: Monitor router CPU load during attacks
- Memory Usage: Track connection table size
- Interface Statistics: Monitor bandwidth utilization
- Connection Counts: Track active connections
Best Practices
Follow these practices to maintain effective DDoS protection.
Configuration Management
1. Regular Backups: Export configuration after changes
2. Testing: Test rules in a lab environment first
3. Documentation: Document all protection rules
4. Version Control: Track configuration changes
Maintenance Tasks
- Weekly: Review blocked IP lists
- Monthly: Update RouterOS firmware
- Quarterly: Review and optimize rules
- Annually: Complete security audit
Performance Optimization
```
# FastTrack established/related connections; they then bypass the rest of the
# firewall (and mangle/queues). fasttrack-connection does not terminate, so accept follows
/ip firewall filter add chain=forward connection-state=established,related \
    action=fasttrack-connection
/ip firewall filter add chain=forward connection-state=established,related action=accept
# Optimize connection tracking timeouts
/ip firewall connection tracking set enabled=yes \
    tcp-established-timeout=1h tcp-syn-sent-timeout=5s
```
Troubleshooting Common Issues
Common problems and solutions when implementing DDoS protection.
False Positives
Problem: Legitimate users getting blocked
Solution: Create trusted networks list
```
# Networks exempt from the rate limits (matched as !trusted-networks in the rules above)
/ip firewall address-list add list=trusted-networks address=192.168.1.0/24
/ip firewall address-list add list=trusted-networks address=10.0.0.0/8
```
High CPU Usage
Problem: Router CPU overloaded during attacks
Solutions:
- Move blocking rules to top of firewall list
- Use FastTrack for legitimate traffic
- Implement rate limiting before connection tracking (the raw table's prerouting chain is processed before connection tracking)
Connection Table Overflow
Problem: Too many connections filling table
Solution: Adjust connection limits
```
# Expire idle established TCP connections sooner
/ip firewall connection tracking set tcp-established-timeout=600s
# Limit the rate of new forwarded connections (limit counts packets;
# each connection-state=new packet is one connection attempt)
/ip firewall filter add chain=forward connection-state=new \
    limit=1000,50:packet action=accept
```
Conclusion
DDoS protection requires a layered approach combining multiple techniques. Start with basic firewall rules and gradually add advanced features as needed. Regular network monitoring and maintenance ensure your protection remains effective.
Key Takeaways
- Layer Your Defense: Use multiple protection methods together
- Monitor Continuously: Track attack patterns and adjust rules
- Test Thoroughly: Verify rules work without blocking legitimate traffic
- Keep Updated: Maintain current RouterOS firmware
- Document Everything: Maintain clear configuration documentation
Remember that DDoS protection is an ongoing process. Attackers constantly develop new methods, so your defenses must evolve accordingly. Stay informed about new threats and RouterOS features to maintain strong network security.