Informace a skripty nejsou 100% má tvorba, proto níže uvádím zdroje, které jsou lépe okomentované. Já jsem provedl několik úprav, které sedí na širší aplikaci (např. místo namíření pravidla na konkrétní rozhraní, jsou pravidla aplikována na seznam rozhraní (interfeace list) WAN – pro MultiWAN nasazení.
/ip firewall filter
add action=jump chain=forward comment="[DDoS shield]" connection-state=new in-interface-list=WAN jump-target=detect-ddos
add action=return chain=detect-ddos comment="[DDoS shield]" dst-limit=30,10,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-dst address-list-timeout=1w3d chain=detect-ddos comment="[DDoS shield]"
add action=add-src-to-address-list address-list=ddos-src address-list-timeout=1w3d chain=detect-ddos comment="[DDoS shield]"
add action=drop chain=forward comment="[DDoS shield]" connection-state=new dst-address-list=ddos-dst src-address-list=ddos-src
Doporučuji tato pravidla dát na začátek pravidel ve Firewallu a před ně umisťovat maximálně zakazovaní pravidla.
Zdroje:
Oficiální Mikrotik Wiki:
DoS (Denial of Service) attack can cause overloading of a router. Which means that the CPU usage goes to 100% and router can become unreachable with timeouts. All operations on packets which can take significant CPU power like firewalling (filter, NAT, mangle), logging, queues can cause overloading if too many packets per second arrives at the router.
Generally there is no perfect solution to protect against DoS attacks. Every service can become overloaded by too many requests. But there are some methods for minimising the impact of an attack.