Contents
1 In general
2 Types
2.1 TCP SYN flood
2.1.1 Diagnose
2.1.2 Protection
3 External links
In general
DoS (Denial of Service) attack can cause overloading of a router. Which means that the CPU usage goes to 100% and
router can become unreachable with timeouts. All operations on packets which can take significant CPU power like
firewalling (filter, NAT, mangle), logging, queues can cause overloading if too many packets per second arrives at the
router.
Generally there is no perfect solution to protect against DoS attacks. Every service can become overloaded by too many
requests. But there are some methods for minimising the impact of an attack.
Types
TCP SYN flood
Diagnose
Are there too many packets per second going through any interface?
https://wiki.mikrotik.com/wiki/DoS_attack_protection 1/3
8/23/2017 DoS attack protection - MikroTik Wiki
/tool torch
Protection
An IP address with too many connections can be added to a 'black-list' type address list for further blocking.
where LIMIT is the max. number of connection per IP. LIMIT should be a value of 100 or even higher as many services
use multiple connection (HTTP, Torrent, other P2P programs).
Action tarpit
Instead of simply dropping attacker's packets (with 'action=drop') router can capture and hold connections and with a
powerful enough router it can slow the attacker down.
SYN filtering
'syn limit=400' is a threshold, just enable rule in forward chain for syn packets to get dropped (for excessive amount of new
connections)
SYN cookies
For v6.x:
https://wiki.mikrotik.com/wiki/DoS_attack_protection 2/3
8/23/2017 DoS attack protection - MikroTik Wiki
External links
Denial-of-service attack (http://en.wikipedia.org/wiki/DoS)
Category: Firewall
https://wiki.mikrotik.com/wiki/DoS_attack_protection 3/3