Skip to content
MikroTik RouterOS Docs

DDoS Protection

DDoS Protection

Section titled “DDoS Protection”

Distributed Denial of Service (DDoS) attacks represent one of the most significant threats to network availability. These malicious attempts to disrupt normal traffic overwhelm target systems with excessive requests, rendering services inaccessible to legitimate users. MikroTik RouterOS provides robust firewall capabilities to detect, mitigate, and block various types of DDoS attacks, ensuring network resilience and continued service availability.

Overview

Section titled “Overview”

A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by using multiple compromised computer systems as sources of attack traffic, making mitigation more challenging than simple DoS attacks.

Common DDoS Attack Types

Section titled “Common DDoS Attack Types”

Understanding the various attack vectors is essential for implementing appropriate protections:

Attack TypeDescriptionTarget Layer
SYN FloodExploits TCP handshake by sending SYN packets without completing connectionTransport (Layer 4)
SYN-ACK FloodSends spoofed SYN-ACK packets at high rate, overwhelming target resourcesTransport (Layer 4)
HTTP FloodOverwhelms web servers with seemingly legitimate HTTP requestsApplication (Layer 7)
DNS AmplificationExploits DNS servers to amplify attack traffic toward victimApplication (Layer 7)
UDP FloodSends UDP packets to random ports, consuming bandwidth and resourcesTransport (Layer 4)
ICMP FloodOverwhelms target with ICMP Echo Request packetsNetwork (Layer 3)

Protection Strategy

Section titled “Protection Strategy”

Effective DDoS protection in RouterOS employs multiple complementary techniques:

  • Traffic Rate Limiting: Using dst-limit to restrict connection rates per source-destination pair
  • Address List Management: Automatically tracking and blocking identified attackers
  • Connection Tracking Integration: Leveraging connection state for intelligent filtering
  • RAW Prerouting: Dropping malicious traffic before it consumes connection tracking resources

DDoS Detection and Mitigation

Section titled “DDoS Detection and Mitigation”

The primary DDoS protection strategy in RouterOS involves detecting anomalous traffic patterns and automatically blocking the sources. This approach uses a dedicated firewall chain with rate limiting to identify attackers, then creates address lists for automatic blocking.

Address List Configuration

Section titled “Address List Configuration”

Before implementing detection rules, define address list names to track attackers and targets. The lists are created automatically when the first entry is added (by add-src-to-address-list and add-dst-to-address-list actions in the detection rules below):

  • DDoS-attackers — identified attack sources
  • DDoS-targets — servers being targeted

These address lists serve as dynamic databases of identified malicious sources and their targets, enabling targeted traffic dropping at the RAW prerouting chain.

Detection Chain Setup

Section titled “Detection Chain Setup”

Create a dedicated firewall chain to detect and handle DDoS traffic:

/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=detect-DDoS

This rule redirects all new forward connections to the detection chain for analysis.

Rate Limiting Detection Rule

Section titled “Rate Limiting Detection Rule”

The dst-limit parameter is the cornerstone of DDoS detection. It matches packets based on rate thresholds:

/ip firewall filter
add chain=detect-DDoS action=return dst-limit=32,32,src-and-dst-addresses/10s

Understanding dst-limit Syntax

Section titled “Understanding dst-limit Syntax”

The dst-limit parameter follows this format: count/time,burst,mode[/expire]

ParameterDescriptionExample Value
countMaximum packets to allow per time window32
timeTime window duration10s
burstAllowable burst beyond rate limit32
modeMatching mode: src-address, dst-address, src-and-dst-addresses, etc.src-and-dst-addresses
expireTime to track rate per flow(optional)

The example rule matches 32 packets with 32 packet burst based on source and destination address flow, renewing every 10 seconds. When legitimate traffic stays within these limits, the action=return allows it to proceed normally.

Attacker and Target Tracking

Section titled “Attacker and Target Tracking”

When the dst-limit buffer fills during an attack, subsequent rules identify and track attackers:

/ip firewall filter
add chain=detect-DDoS action=add-dst-to-address-list address-list=DDoS-targets address-list-timeout=10m
add chain=detect-DDoS action=add-src-to-address-list address-list=DDoS-attackers address-list-timeout=10m

These rules add detected attack targets and sources to their respective address lists with a 10-minute timeout, enabling automatic cleanup of entries after the attack subsides.

Blocking Malicious Traffic

Section titled “Blocking Malicious Traffic”

Drop traffic between identified attackers and targets at the RAW prerouting chain:

/ip firewall raw
add chain=prerouting action=drop dst-address-list=DDoS-targets src-address-list=DDoS-attackers

Using RAW prerouting for dropping provides optimal performance since these connections bypass connection tracking, reducing router CPU load during active attacks.

Complete DDoS Protection Configuration

Section titled “Complete DDoS Protection Configuration”
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=detect-DDoS
add chain=detect-DDoS action=return dst-limit=32,32,src-and-dst-addresses/10s
add chain=detect-DDoS action=add-dst-to-address-list address-list=DDoS-targets address-list-timeout=10m
add chain=detect-DDoS action=add-src-to-address-list address-list=DDoS-attackers address-list-timeout=10m


/ip firewall raw
add chain=prerouting action=drop dst-address-list=DDoS-targets src-address-list=DDoS-attackers

SYN Flood Protection

Section titled “SYN Flood Protection”

SYN floods exploit the TCP three-way handshake mechanism by sending SYN packets without completing the connection request. This consumes server resources as half-open connections accumulate, eventually preventing legitimate connections.

TCP SYN Cookies

Section titled “TCP SYN Cookies”

RouterOS includes a built-in mechanism to mitigate SYN floods at the TCP level:

/ip settings set tcp-syncookies=yes

How SYN Cookies Work

Section titled “How SYN Cookies Work”

When SYN cookies are enabled, the router responds to SYN requests with a special ACK packet containing a cryptographic hash. Legitimate clients echo this hash back in their subsequent response, proving the connection was originally initiated correctly. Invalid or spoofed responses are discarded without creating half-open connections.

Section titled “SYN Cookie Benefits”
BenefitDescription
Resource ConservationPrevents creation of half-open connections during SYN flood
Transparent OperationClients require no special configuration
Cryptographic ValidationEnsures responses correspond to actual connection requests
Section titled “SYN Cookie Considerations”
/ip settings print

Verify SYN cookie status after enabling. The feature works at the IP settings level and affects all TCP connections passing through the router.

Advanced SYN Flood Detection

Section titled “Advanced SYN Flood Detection”

For SYN-specific attacks that bypass SYN cookies, combine with the general DDoS detection rules:

/ip firewall filter
add chain=detect-DDoS action=return dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn

This rule specifically rate-limits SYN packets within the detection chain, providing an additional layer of protection against high-volume SYN floods.

SYN-ACK Flood Protection

Section titled “SYN-ACK Flood Protection”

SYN-ACK floods exploit the TCP handshake in reverse by sending spoofed SYN-ACK packets. The target must process these out-of-order packets, consuming CPU resources as it attempts to match them to non-existent connection requests.

SYN-ACK Detection Configuration

Section titled “SYN-ACK Detection Configuration”

Add SYN-ACK specific rate limiting to your detection chain:

/ip firewall filter
add chain=detect-DDoS action=return dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack

This rule specifically targets SYN-ACK packets, rate limiting them independently from other traffic types.

Combined Attack Protection

Section titled “Combined Attack Protection”

For comprehensive protection against multiple attack vectors:

/ip firewall filter
add chain=detect-DDoS action=return dst-limit=32,32,src-and-dst-addresses/10s
add chain=detect-DDoS action=return dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn
add chain=detect-DDoS action=return dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack

Tuning DDoS Protection

Section titled “Tuning DDoS Protection”

Adjusting Detection Thresholds

Section titled “Adjusting Detection Thresholds”

Default thresholds may require adjustment based on your network characteristics:

/ip firewall filter
add chain=detect-DDoS action=return dst-limit=64,64,src-and-dst-addresses/10s

Threshold Guidelines

Section titled “Threshold Guidelines”
Network TypeRecommended CountRecommended Burst
Small Office ( < 50 users)16-3216-32
Medium Business (50-200 users)32-6432-64
Large Enterprise (200+ users)64-12864-128
Public Services (web, DNS)128-256128-256

Higher thresholds reduce false positives during legitimate traffic spikes but may allow more attack traffic through before triggering protection.

Address List Timeout Adjustment

Section titled “Address List Timeout Adjustment”

Adjust timeout values based on attack patterns:

/ip firewall filter
add chain=detect-DDoS action=add-src-to-address-list address-list=DDoS-attackers address-list-timeout=30m

Longer timeouts prevent quick re-entry by attackers but may block legitimate users whose IP addresses were dynamically reassigned to new users.

Multiple Detection Chains

Section titled “Multiple Detection Chains”

For complex networks, consider segmenting detection:

/ip firewall filter
add chain=forward connection-state=new src-address=192.168.0.0/16 action=jump jump-target=detect-DDoS-internal
add chain=forward connection-state=new action=jump jump-target=detect-DDoS-external

Apply different thresholds and actions based on traffic source.

Monitoring and Alerting

Section titled “Monitoring and Alerting”

Viewing Address Lists

Section titled “Viewing Address Lists”

Monitor identified attackers and targets:

/ip firewall address-list print where list=DDoS-attackers
/ip firewall address-list print where list=DDoS-targets

Logging Detection Events

Section titled “Logging Detection Events”

Enable logging for attack detection:

/ip firewall filter
add chain=detect-DDoS action=log log-prefix="DDoS-detected"

Script Integration

Section titled “Script Integration”

Execute scripts when attacks are detected:

/system script add name=block-ddos source={
    :log info "DDoS attack detected - checking attack intensity"
}
/ip firewall filter
add chain=detect-DDoS action=run-script script-name=block-ddos

Netwatch Integration

Section titled “Netwatch Integration”

Monitor router resource usage during potential attacks:

/tool/netwatch add host=127.0.0.1 type=icmp interval=30s down-script=alert-high-cpu

Troubleshooting DDoS Protection

Section titled “Troubleshooting DDoS Protection”

Legitimate Traffic Being Blocked

Section titled “Legitimate Traffic Being Blocked”
  1. Increase dst-limit thresholds for peak traffic periods
  2. Add whitelist address lists for known good sources
  3. Reduce address list timeout values
  4. Review attack detection timing and patterns
/ip firewall raw
add chain=prerouting action=accept src-address-list=trusted dst-address-list=DDoS-targets

No Attack Detection

Section titled “No Attack Detection”
  1. Verify jump rule redirects traffic to detect-DDoS chain
  2. Check dst-limit syntax for correct formatting
  3. Confirm address lists exist and are properly named
  4. Review RAW prerouting rule for correct address list references
/ip firewall filter print chain=detect-DDoS
/ip firewall address-list print
/ip firewall raw print

High CPU During Attack

Section titled “High CPU During Attack”
  1. Ensure RAW prerouting drop rules are in place before connection tracking
  2. Increase dst-limit thresholds to trigger blocking sooner
  3. Consider hardware-level filtering for sustained attacks
  4. Implement upstream null routing as last resort
/ip firewall raw print

Attack Continues After Detection

Section titled “Attack Continues After Detection”
  1. Verify address list entries are being created
  2. Check RAW rules are processing before filter rules
  3. Confirm attacker IP ranges aren’t being NAT’d
  4. Consider external mitigation services for volumetric attacks

Best Practices

Section titled “Best Practices”

Defense in Depth

Section titled “Defense in Depth”

Implement multiple protection layers:

  1. Network Perimeter: ISP-level filtering and null routes
  2. Router Firewall: RouterOS RAW and filter rules
  3. Connection Tracking: SYN cookies and connection limits
  4. Application Layer: Web application firewalls for HTTP attacks

Regular Review

Section titled “Regular Review”
  • Audit address lists daily during attack-prone periods
  • Analyze blocked traffic patterns weekly
  • Adjust thresholds based on traffic baselines
  • Test configurations in lab environment first

Documentation

Section titled “Documentation”
  • Document normal traffic patterns and baselines
  • Record threshold values and rationale
  • Maintain runbooks for attack response
  • Track attack trends over time
Section titled “Related Commands”
  • /ip firewall address-list - Manage address lists
  • /ip firewall filter - Configure firewall filter rules
  • /ip firewall raw - Configure RAW prerouting rules
  • /ip settings - Configure TCP/IP settings including SYN cookies
  • /tool/netwatch - Monitor router resources
  • /system/logging - Configure logging for attack detection
Section titled “Related Resources”