Protection against DDoS
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers
/ip firewall filter add chain=forward connection-state=new action=jump jump-target=detect-ddos
/ip firewall filter add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
/ip firewall raw add chain=prerouting action=drop src-address-list=ddos-attackers dst-address-list=ddos-target
/ip firewall filter
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
TCP SYN flood
/ip firewall filter add chain=forward protocol=tcp connection-limit=100,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
/ip firewall filter add chain=forward protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no
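A rule that matches on an address list which nothing populates never fires, so a one-character mismatch in a list name disables the drop rule. The Python check below is an added example, not part of the original post: it parses export-style lines like the ones above and reports list names that are matched on but never defined or populated. The sample config is constructed, and the function names `parse` and `undefined_lists` are assumptions of this example.

```python
import shlex

# Constructed sample in RouterOS export style; the last raw rule has a
# deliberately misspelled list name.
SAMPLE = """\
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers
/ip firewall raw add chain=prerouting action=drop src-address-list=ddos-attackers dst-address-list=ddos-targetz
"""

def parse(text):
    """Yield (menu, params) per 'add' command, tracking the current menu path."""
    menu = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # Either a bare menu line or "/menu path add key=value ..."
            head, sep, rest = line.partition(" add ")
            menu = head.strip()
            if not sep:
                continue
            line = "add " + rest
        if not line.startswith("add "):
            continue
        params = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
        yield menu, params

def undefined_lists(text):
    """Return sorted list names that a rule matches on but nothing defines or populates."""
    defined, used = set(), set()
    for menu, p in parse(text):
        if menu.endswith("address-list") and "list" in p:
            defined.add(p["list"])
        if p.get("action", "").endswith("-to-address-list"):
            defined.add(p.get("address-list"))
        for key in ("src-address-list", "dst-address-list"):
            if key in p:
                used.add(p[key].lstrip("!"))
    return sorted(used - defined)

if __name__ == "__main__":
    print(undefined_lists(SAMPLE))
```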