Block Ping request

nishadul · Wed Aug 10, 2016 6:33 pm

Hello,

I need any body do not get ping of my router, how to possible it.

Regards,
Nishadul

Wed Aug 10, 2016 6:47 pm

Drop it in firewall.

nishadul · Wed Aug 10, 2016 6:52 pm

Drop it in firewall.

How to write firewall rules, I have write it but not work from outside to my router ip
rule is : add chain=forward, protocol=icmp, action = drop

Wed Aug 10, 2016 8:47 pm

use chain=input, not chain=forward.

forward chain = THROUGH the router
input chain = TO the router

..

And blocking pings does not help security anymore... or at least being "invisible" is no help.

R1CH · Wed Aug 10, 2016 10:37 pm

Drop it in firewall.

How to write firewall rules, I have write it but not work from outside to my router ip
rule is : add chain=forward, protocol=icmp, action = drop

You should never drop all ICMP or you will silently break things like PMTU discovery. Be more specific with which ICMP types you drop.

emikrotik · Fri Aug 19, 2016 10:16 am

Block ICMP packets and allow router to show as a hop on traceroutes;

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp

cyon · Fri Aug 02, 2019 11:26 am

Block ICMP packets and allow router to show as a hop on traceroutes;

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp

Doesn't Work!

nostromog · Fri Aug 02, 2019 11:34 am

Block ICMP packets and allow router to show as a hop on traceroutes;

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
Doesn't Work!

Of course,

disabled=yes

is a very effective way to make non-working firewall rules

cyon · Fri Aug 02, 2019 11:45 am

Block ICMP packets and allow router to show as a hop on traceroutes;

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
Doesn't Work!
Of course,
Code: Select all
disabled=yes
is a very effective way to make non-working firewall rules

I did see that LoL. but still not working!

sindy · Fri Aug 02, 2019 12:05 pm

The order of rules matters, so a perfect rule on a wrong position in the chain cannot work because a matching packet never reaches it as it is always dropped or accepted by one of the earlier rules in that chain. Also a perfect rule in a wrong chain doesn't do what you expect.

pravyroxor · Wed Aug 05, 2020 11:37 am

It works with:
/ip firewall filter add action=drop chain=input icmp-options=8:0-255 in-interface-list=WAN protocol=icmp

Block ICMP packets and allow router to show as a hop on traceroutes;

/ip firewall filter add action=drop chain=forward disabled=yes icmp-options=8:0 protocol=icmp
Doesn't Work!
Of course,
Code: Select all
disabled=yes
is a very effective way to make non-working firewall rules
I did see that LoL. but still not working!

geebee63 · Sun Nov 15, 2020 2:56 pm

Make sure that it is at the top of the list

/ip firewall filter add action=drop chain=input dst-address=x.x.x.x protocol=icmp src-address=x.x.x.x/x

replaces the x with your network ip and range

anav · Sun Nov 15, 2020 5:00 pm

How does that rule block icmp but allow icmp for certain purposes??
A. What ICMP traffic is necessary
B. What ICMP traffic needs to be blocked because presumably its insecure (assumption to be dispelled or supported).

lobo2mil9 · Mon Jul 26, 2021 10:12 pm

I performed it this way. In the example the incoming pings are blocked to the WAN interface of the mikrotik, with the advantage that from the terminal of the mikrotik if pings can be performed outside and inside the network.

/ip firewall filter add chain=input protocol=icmp in-interface=YOUR-INTERFACE icmp-options=8:0-255 action=drop

Jotne · Thu Jul 29, 2021 8:41 am

I do use this, never had any problem with it.

/ip firewall filter add action=drop chain=input comment="Drop ICMP on outside IF" in-interface=ether1 log=yes log-prefix=FI_D_ICMP-outside protocol=icmp

Does not need to be on top of rules as long as its not blocked by any other rule above.

Block rule has to be in input chain, since you like to block ping to the router. But if you have a nat rule that allow ping to an internal host and you would like to block some IP from ping internal host, you need to use forward chain, but I do not see why you should allow ping to an in internal host.

Blocked ping on my router last 12 hour.

_time	type	dir	act	rule	chain	in_if	out_if	src_mac	protocol	src_ip	src_port	dest_ip	dest_port	City	Country
2021-07-29 07:38:30	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	31.192.111.233	na	92.220.x.y	na		Russia
2021-07-29 06:18:27	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	45.131.68.37	na	92.220.x.y	na	St Petersburg	Russia
2021-07-29 06:02:00	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	110.54.236.38	na	92.220.x.y	na	San Fernando	Philippines
2021-07-29 05:46:48	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	185.94.111.1	na	92.220.x.y	na		Russia
2021-07-29 03:37:21	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	218.84.127.47	na	92.220.x.y	na		China
2021-07-29 02:57:15	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	106.76.70.70	na	92.220.x.y	na	Kolhapur	India
2021-07-29 01:53:24	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	110.35.161.178	na	92.220.x.y	na	Seoul	South Korea
2021-07-29 01:34:26	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	140.250.44.225	na	92.220.x.y	na	Zaozhuang	China
2021-07-29 01:16:07	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	155.94.222.154	na	92.220.x.y	na	Miami	United States
2021-07-29 01:11:55	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	154.54.7.158	na	92.220.x.y	na		United States
2021-07-29 01:02:30	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	196.11.176.22	na	92.220.x.y	na	Johannesburg	South Africa
2021-07-29 01:02:21	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	196.11.176.22	na	92.220.x.y	na	Johannesburg	South Africa
2021-07-29 01:02:17	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	196.11.176.22	na	92.220.x.y	na	Johannesburg	South Africa
2021-07-29 01:02:15	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	196.11.176.22	na	92.220.x.y	na	Johannesburg	South Africa
2021-07-29 01:02:14	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	196.11.176.22	na	92.220.x.y	na	Johannesburg	South Africa
2021-07-29 01:00:44	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	62.115.11.143	na	92.220.x.y	na		Sweden
2021-07-29 00:23:55	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	176.126.83.129	na	92.220.x.y	na	Milan	Italy
2021-07-29 00:12:33	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.159.229	na	92.220.x.y	na		United States
2021-07-29 00:12:33	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.159.228	na	92.220.x.y	na		United States
2021-07-29 00:12:33	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.159.226	na	92.220.x.y	na		United States
2021-07-29 00:12:33	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.149.205	na	92.220.x.y	na		United States
2021-07-29 00:12:33	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.149.203	na	92.220.x.y	na		United States
2021-07-29 00:12:33	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	23.228.199.37	na	92.220.x.y	na		United States
2021-07-28 23:58:49	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	209.209.59.230	na	92.220.x.y	na	Los Angeles	United States
2021-07-28 23:09:08	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	49.144.224.55	na	92.220.x.y	na	Lucena City	Philippines
2021-07-28 23:09:08	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	49.144.224.55	na	92.220.x.y	na	Lucena City	Philippines
2021-07-28 22:46:08	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	18.183.208.71	na	92.220.x.y	na	Tokyo	Japan
2021-07-28 20:35:03	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	101.80.200.157	na	92.220.x.y	na	Xuhui	China
2021-07-28 20:35:03	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	101.231.198.226	na	92.220.x.y	na	Shanghai	China
2021-07-28 20:02:45	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.159.229	na	92.220.x.y	na		United States
2021-07-28 20:02:45	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.159.228	na	92.220.x.y	na		United States
2021-07-28 20:02:45	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.159.226	na	92.220.x.y	na		United States
2021-07-28 20:02:45	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.149.205	na	92.220.x.y	na		United States
2021-07-28 20:02:45	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	216.99.149.203	na	92.220.x.y	na		United States
2021-07-28 20:02:45	F	I	D	FI_D_ICMP-outside	input	ether1	(unknown 0)	00:05:00:01:00:01	ICMP	23.228.199.37	na	92.220.x.y	na		United States

Top Country pinging me last 7 days

Country	count	percent
United States	319	29.373849
Morocco	210	19.337017
India	74	6.813996
Pakistan	72	6.629834
Philippines	53	4.880295
Australia	53	4.880295
China	46	4.235727
United Kingdom	26	2.394107
Russia	20	1.841621
Belgium	19	1.749540

mkx · Thu Jul 29, 2021 8:55 am

Top Country pinging me last 7 days

Which proves that USA is cyber-crime infested country, possibly many of those criminals are state sponsored or outright state agencies employees.

Ummm ... wait, isn't western world saying that about Russia and China? Now I'm confused.

sindy · Thu Jul 29, 2021 9:12 am

You don't seriously relate the source IP address of an attack with the person behind that attack, do you? I'm afraid that there are simply most public IPv4 addresses per country in the U.S., so if we assume that the share of vulnerable systems is equal everywhere, the most zombies following someone else's command must be in the U.S. as well.

Leaving aside that many ISPs worldwide let you spoof any source IP address you want. Hence wherever the attacker is not interested in the response, or where the response itself is the attack bullet (DNS response DDoS), you cannot base any conclusions on the source address.

And I sincerely hope that the intelligence agencies worldwide know this and use other criteria when identifying the attacks. What politicians make out of their reports is another can of worms of course.

mkx · Thu Jul 29, 2021 11:40 am

@sindy, if your post is reply to mine ... I guess I should have put the whole post inside [sarcasm] [/sarcasm] block. I'm fully aware of the facts you're describing (but your post is till welcome to remind us all of those facts).

Jotne · Thu Jul 29, 2021 2:32 pm

Just for the fun of it. Here are the blocked ping for 1 year!!

Country			count	percent
United States		13456	16.513874
China			8960	10.996159
United Kingdom		8193	10.054858
India			7742	9.501368
Germany			4100	5.031724
Philippines		2754	3.379846
Brazil			2383	2.924536
Russia			2189	2.686450
Norway			2005	2.460636
Pakistan		1905	2.337911
OTHER			27796	34.112637

So I will blame US to be the worst country ;)

If you look at all who has tried any non open port (being blocked by this), US IP stays for nearly 20% of the blocked IP

mkx · Thu Jul 29, 2021 2:38 pm

Actually the worst country is OTHER. Just can't find it on the Globe. ;-)

Oh, I forgot to include the [sarcasm] [/sarcasm] block ... again.

Jotne · Thu Jul 29, 2021 2:40 pm

Haha, very funny :)

Same with this in french, I did not under stand what city this sign will take you to, did not find it on the map.
.

Toutes.jpg

mkx · Thu Jul 29, 2021 2:48 pm

If we started to nitpick over your numbers, it would be interesting to see the malicious_ping-per-capita table/ranking ... I guess that would completely change the ranking. Vatican might end up on top (not sure if there's actually any IP address space allocated to that country?).

Seems like French won another war (just like they did with roundabouts) ... I seem to notice more and more traffic signs around Europe, which read something like "other directions" (but in country's official language which makes it as undecipherable as the sign you posted).

mozerd · Thu Jul 29, 2021 3:10 pm

And I sincerely hope that the intelligence agencies worldwide know this and use other criteria when identifying the attacks. What politicians make out of their reports is another can of worms of course.

The intelligence agencies G7 + rogue know how to pattern match based on AI systems that constantly monitor/scan the terabytes^42 of data they collect on a constant and persistent basis. In the USA/Canada they have 20+ data centers in secret locations where each data center is humongous is size and scope. Once that pattern is identified they follow that stream with unbridled enthusiasm. Believe it or not 😎

anav · Thu Jul 29, 2021 6:18 pm

meanwhile I accept ICMP which allows me to do the troubleshooting I need for such things as wireguard connections and to no detrimental impact on my router performance..........

Jotne · Thu Jul 29, 2021 7:20 pm

Off course all IP I do white-list manually or trough port knock can ping my router. This way I can test stuff from remote location.

rextended · Thu Jul 29, 2021 7:50 pm

Not only on France:

rextended · Thu Jul 29, 2021 7:56 pm

I did not know that in Canada they are so sexist that the woman is pictured with shopping bags !!!!!!!!!

And they put, in order of preference, Women, Wi-Fi, Money and Food...

:)))))))

kiler129 · Thu Jul 29, 2021 8:21 pm

But with all the seriousness... why people block ICMP? It's harmful. Even blocking just ECHO and leaving rest of the ICMP alone is at best annoying. Rate limiting this to a reasonable value - sure, but blocking it flat-out is imho more harmful than helpful.

anav · Thu Jul 29, 2021 9:27 pm

Point taken rextended, but it could be a man wearing a dress.............

THis however is clearly "over the top"

rextended.JPG

rextended · Thu Jul 29, 2021 10:09 pm

It's not a photomanipulation...
Is TRUE....

rextended · Thu Jul 29, 2021 10:14 pm

But with all the seriousness... why people block ICMP?

It is the same person who tries to limit torrents nowadays or insists on restricting sites on the internet with layer7...

With the bandwidth available these days, compared to the past,
only blocking malformed ICMPs makes sense (ehm... read the page linked to my signature...).
The right way is to block the "malformed" and limit the number of pings, in order not to collaborate with the ICMP Storm Attack...
The counterfeit IP comes as a source and the ECHO response goes to join the DDoS attack ....

anav · Thu Jul 29, 2021 10:26 pm

Edit, NM read the whole thread it ended up in the sewer LOL.

Okay, but I am a minimalist.
If my home network should have it then I will add it.
If its strictly hobby fun and not necessary then I dont want to add it.

I did once monkey with ICMP settings and jump rules and it was a disaster.

kevinds · Fri Aug 20, 2021 3:07 am

But with all the seriousness... why people block ICMP? It's harmful. Even blocking just ECHO and leaving rest of the ICMP alone is at best annoying. Rate limiting this to a reasonable value - sure, but blocking it flat-out is imho more harmful than helpful.

Microsoft suggested it years ago as best practice.. I think it is still blocked in the default OS's firewall rules..

For example, none of the M$ servers are pingable, but all of Google's are.

johnson73 · Sat Dec 04, 2021 11:13 pm

Hello,
In order not to create a new topic I want to ask how to properly block ICMP ping? There are many examples that block all icmp. Experts say this is not right. How is it right?

as follows?

/ip firewall filter
add action=accept chain=input comment="Access Normal Ping" in-interface-list=WAN limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" in-interface-list=WAN protocol=icmp

or as follows?

/ip firewall filter
add chain=input protocol=icmp action=jump jump-target=icmp
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="ICMP echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="ICMP net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="ICMP host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="ICMP host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="ICMP allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="ICMP allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="ICMP allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="ICMP allow parameter bad"
add chain=icmp action=drop comment="ICMP deny all other types"

or..

/ip firewall filter 
add action=drop chain=input comment="drop echo request" icmp-options=8:0 \ in-interface-list=WAN protocol=icmp

is there a better method?
Thank you!

sindy · Sat Dec 04, 2021 11:56 pm

is there a better method?

Yes, there is, as suggested above. Allow ICMP to flow freely, except ICMP echo requests if you feel like throttling them to max N per unit of time.

Blocking ICMP completely causes many things to stop working (most notably, path MTU discovery); blocking ping requests completely doesn't prevent other methods of discovery that your device exists, so you may get too little benefit for too much work.

kevinds · Sun Dec 05, 2021 2:00 am

Hello,
In order not to create a new topic I want to ask how to properly block ICMP ping? There are many examples that block all icmp. Experts say this is not right. How is it right?

is there a better method?
Thank you!

Yes there is a better method.. Leave ICMP alone.

Do you have an actual issue you are trying to fix by blocking ICMP?

Jotne · Sun Dec 05, 2021 9:22 am

You can add this to block ping from user who tries more than just ping.

If anyone for some reason try to reach any port on my router(s) that are not open, they are blocked to access any thing on my router (ICMP/web ++) for 24 hours. If they are testing out my router, they have nothing here to do.
More info here: viewtopic.php?f=23&t=178496

johnson73 · Sun Dec 05, 2021 10:16 am

Kevinds,
Yes, there is a ping flood on my device at least twice a week, which puts a lot of strain on the channel. So I wanted to ask which example would be the best.
Is this?

/ip firewall filter
add chain=input protocol=icmp action=jump jump-target=icmp
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="ICMP echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="ICMP net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="ICMP host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="ICMP host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="ICMP allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 [b][u]action=DROP [/u][/b]comment="ICMP allow echo request"  << =====
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="ICMP allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="ICMP allow parameter bad"
add chain=icmp action=drop comment="ICMP deny all other types"

Sindy,
will this option be good?

sindy · Sun Dec 05, 2021 10:29 am

To which channel, the one between the router and the internet or the one between the router and the rest of your own network?

If the one towards internet, blocking the ping requests will only mean you won't respond them, but you cannot prevent them from coming.

So to reduce the load of the router and the upload direction of the uplink channel, the right thing would be to add the ping sources to an address list if they exceed some rate, and to drop anything matching that address list as source in /ip firewall raw, as @Jotne suggests. But this won't lower the load of the channel in download direction. To do that, you'd have to agree with your upstream ISP.

johnson73 · Sun Dec 05, 2021 10:39 am

between the router and the internet.
Flood packets are coming from the Internet (Wan). OK, I'll try the @Jotne version.

/ip firewall raw
add action=drop chain=prerouting comment="Drop user that has tried ports that are not open and has been added to block list" in-interface=ether1  src-address-list=FW_Block_unkown_port

But those icmp rules i showed but needed?

sindy · Sun Dec 05, 2021 10:44 am

This rule is the executive part only, and drops any traffic from the source of the annoying ping, which may or may not be what you actually want.

The rate checking part in /ip firewall filter, adding offenders to the list, is also necessary. And you have to change its matching criteria, @Jotne blocks everyone scanning ports, whereas you plan to block ping sources.

johnson73 · Sun Dec 05, 2021 3:18 pm

Sindy,
Okay, I will apply scan protection. But the question remains what should I do with ICMP rule?? Leave as = accept All? Delete? Block echo request only? What is more correct? Maybe this icmp can block the Raw chain?
I'm sorry I don't understand a bit.

sindy · Sun Dec 05, 2021 4:10 pm

I don't know how to explain better, but I'll try once more.

First step - choose which kind of traffic you want to cause blocklisting of the source address. If it should be only ping requests, the match condition is protocol=icmp icmp-options=8:0.

Second step - choose whether you want to block it completely (not a good idea, won't repeat reasons) or start blocking it as soon as it exceeds some threshold rate. See the description of dst-limit matcher (don't get confused by the name, it can work as src-limit too) in the firewall rule manual. As the dst-limit matches as long as the packet rate is below the limit, you need to use a chain consisting of two rules to add the sources exceeding the limit to the blocklist, so the /ip firewall filter rules would be augmented with the following:

chain=input protocol=icmp icmp-options=8:0 action=jump jump-target=ping-limiter
chain=ping-limiter action=return dat-limit=5/1,1,src-address/600
chain=ping-limiter action=add-src-to-address-list address-list=ping-blocklist address-list-timeout=1w

If your router is a gateway to a network with public IP addresses, you need to do a similar thing in filter chain forward, except that there, the mode in dst-limit has to be src-and-dst-address.

Third step - decide whether you want to drop any traffic from the source that has sent an annoying amount of ping requests, or just the ping requests themselves, and add a corresponding rule to raw/prerouting:

/ip firewall raw
add src-address-list=ping-blocklist protocol=icmp icmp-options=8:0 action=drop

So

all ping requests coming at tolerable rate:
- will not match the drop rule in raw, so they will get to filter
- will match the dst-limit rule in filter, so they won't reach the add-src-to-address-list one
the first ping exceeding the tolerable rate from that source to that destination:
- will not match the drop rule in raw, so it will get to filter
- will not match the dst-limit rule in filter, so it will proceed to the add-src-to-address-list one and match it, so its source address will be added to the blocklist
the subsequent ping requests from that source, no matter what the destination is, or even all traffic from that source, will be dropped already by the drop rule in raw, for a week, until the item on the blocklist expires

johnson73 · Sun Dec 05, 2021 4:50 pm

thank you very much for your reply. Got it!

LostUser · Wed Mar 23, 2022 5:47 pm

Just for the fun of it. Here are the blocked ping for 1 year!!
Code: Select all
Country			count	percent
United States		13456	16.513874
China			8960	10.996159
United Kingdom		8193	10.054858
India			7742	9.501368
Germany			4100	5.031724
Philippines		2754	3.379846
Brazil			2383	2.924536
Russia			2189	2.686450
Norway			2005	2.460636
Pakistan		1905	2.337911
OTHER			27796	34.112637
So I will blame US to be the worst country

If you look at all who has tried any non open port (being blocked by this), US IP stays for nearly 20% of the blocked IP

Regarding this. There are more than just pings going on but that would be an interesting one to track.
I have the Mikrotik admin port blocked and at one time had been logging IP addresses. I don't remember what country stood out as the leader but US was not one of them.
However, I did note that some IP addresses were belonging to security companies. My guess is that security companies do scans as well as bad actors and both are looking for vulnerabilities. One for statistics and the other for bad purposes.

For reference, I am in the US.

I am going to guess, as well, that if you are in China, you are not being scanned by Chinese as much as you are by other countries unless the government is actively involved in controlling internet companies of their own country and forcing certain traffic to be dropped --- which I am sure varies by country and by companies.

https://www.si.umich.edu/about-umsi/new ... ent-access