Hi

I have a customers who love your products, are subject to DDoS attacks (SYN flood), and it hurts that Mikrotik doesn't have "notrack" target, just SYN flood over his CCR will knock down CPU to 100%.
And if it had -j NOTRACK (or newer kernels: -j CT --notrack), it can be solved, he needed conntrack only for special case, and cannot turn it off completely.
Please consider adding this option, it should be very trivial to do, and will help a lot of people to solve their issues with conntrack overflow.
If possible take this matter seriously, because the only choice i have to show them how perfect are Mikrotik support, or to explain it is not, and to move them to alternative solution.

Thank you.

We can confirm this issue. Impossible to solve issue on any version ov RouterOS. Anybody can cause 100% CPU load on CCR oe any other Mikrotik router. Ih hurts...

u_p

+1, would be a great addition.

But, it is currently possible to solve the problem using two MT devices.

One closest to the connection where the SYN floods are received, with conntrack disabled, and stateless firewall rules to drop the problematic packets.

Then another MT device behind that, with conntrack enabled, performing whatever conntrack-utilizing operations you need.

--Eric

up_

+1.
Easily %100 under dDOS

Is it fixed in ROS 6.9 ?

+1
This addition could save some resources on the routers.

FYI information it is implemented:

cool.but aside raw table that remove most overhead(because skipping before any processing happens)mentioned in changelog would admit that some networkers - didn't implement flood detection(including syn flood) in their interfaces(sometimes its make sense not only on WAN interfaces, btw. espacially in big companies/networks), which is in my opinion A MUST for atleast edge/border gear. same about port scan detection and other usual things. personally i also would love fwsnort-alike features in ROS or something relevant around. and ZORP package(even as paid option)