MikroTik DDoS Attack Mitigation
The MikroTik Security Guide by Tyler Hart is now available in paperback and on Kindle! Click here to check it out on Amazon.
Being attacked sucks and we hate it. Done. Here's a solution for mitigating an attack. This will not block large-scale DDoS attacks which requires coordination with upstream providers and possibly additional hardware capabilities.
Threat Address List
A DDoS attack comes from many sources and it's a heck of a lot easier to block connections using an Address List. The alternative is making a ton of standalone rules and we hate that too. Identify the malicious traffic sources (e.g. 220.127.116.11 and 18.104.22.168) and create an Address list:
/ip firewall address-list add address=22.214.171.124 list=Blackhole add address=126.96.36.199 list=Blackhole
Prerouting Filter Rule
Check out the MikroTik RouterOS packet flow diagram first before going any further if you aren't familiar with the packet flow. To endure an attack we want to filter / drop traffic as close to the source as possible. The further a router has to process bad traffic the more strain it puts on the device. The Prerouting process is a great place to block traffic on the device itself if you don't have blackholing configured with your upstream providers.
Create a Prerouting filter rule using the Blackhole address list we just created and the Drop action:
/ip firewall raw add chain=prerouting src-address-list=Blackhole action=drop place-before=0
As new malicious IP addresses are detected just add them to the Address List.