How to prevent DoS/DDoS attacks in mikrotik?

Posted: Tue Oct 26, 2004 2:02 pm
by rz8168
Has anyone tested firewall rules that can prevent DoS or DDoS attacks?

Posted: Tue Oct 26, 2004 7:08 pm
by changeip
Nothing you do can prevent them - you can just minimize their effect. We get hit with ddos attacks all the time - the Mikrotik is actually very good at handling the traffic. We've also put in place an iSecure unit from ddos.com because we are getting hit so much.

Here is a synflood chain that helps:
/ ip firewall rule synflood
add in-interface=level3.1 protocol=tcp tcp-options=syn-only limit-count=100 limit-burst=5 limit-time=1s action=return comment="" disabled=no
add in-interface=level3.1 protocol=tcp tcp-options=syn-only action=drop comment="" disabled=no
You can adjust per your requirements. Just make a jump from your forward and input chains to this one.

Also, you may want to do the same with ICMP if you don't block it already.

Thx,
Sam

Posted: Wed Oct 27, 2004 12:28 pm
by rz8168
Thx, but can you help me understand one thing about it... about action=return

My MK is a bridge to client with filtering support.....

Here's what my forward chain already looks like:

4 src-address=216.x.x.0/24 action=jump jump-target=admin-out
5 src-address=208.x.x.0/24 action=jump jump-target=tenants-out
6 src-address=208.x.x.0/24 action=jump jump-target=tenants-out
7 src-address=208.x.x.0/24 action=jump jump-target=tenants-out
8 src-address=208.x.x.0/24 action=jump jump-target=tenants-out
9 dst-address=216.x.x.0/24 action=jump jump-target=admin-in
10 dst-address=208.x.x.0/24 action=jump jump-target=tenants-in
11 dst-address=208.x.x.0/24 action=jump jump-target=tenants-in
12 dst-address=208.x.x.0/24 action=jump jump-target=tenants-in
13 dst-address=208.x.x.0/24 action=jump jump-target=tenants-in

Where should I add the synflood chain into this forward chain? And how will action=return interact with your filtering commands? Please help me understand this clearly. Thanks.
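
How the two-rule synflood chain from Sam's post behaves when a calling chain jumps to it, as an added Python simulation (not part of the original thread and not RouterOS code). It assumes the limit matcher works like a token bucket (limit-count per limit-time refill, limit-burst capacity) and that the jump sits ahead of the other forward rules; the packet fields and function names are hypothetical.

```python
class Limit:
    """Token bucket: refills limit-count tokens per limit-time, holds at most limit-burst."""
    def __init__(self, count, time_s, burst):
        self.rate, self.cap = count / time_s, float(burst)
        self.tokens, self.last = float(burst), 0.0

    def matches(self, now):
        self.tokens = min(self.cap, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def synflood(pkt, limit):
    """The two-rule chain from the post; returns 'return' or 'drop'."""
    syn_only = pkt["proto"] == "tcp" and pkt["flags"] == {"syn"}
    if pkt["in_if"] == "level3.1" and syn_only:
        if limit.matches(pkt["t"]):
            return "return"  # rule 1: SYN within the limit goes back to the caller
        return "drop"        # rule 2: SYN over the limit is discarded here
    return "return"          # no rule matched: end of chain, implicit return

def forward(pkt, limit):
    """Calling chain with the jump placed first (assumed placement)."""
    if synflood(pkt, limit) == "drop":
        return "drop"        # a drop is final, later rules never see the packet
    return "next-rule"       # after return, evaluation resumes below the jump

def simulate(packets):
    limit = Limit(count=100, time_s=1, burst=5)
    return [forward(p, limit) for p in packets]

def syn(t):
    return {"t": t, "in_if": "level3.1", "proto": "tcp", "flags": {"syn"}}

# Constructed traffic: 20 SYNs in one instant, an ACK during the flood, a SYN 1s later.
SAMPLE = [syn(0.0) for _ in range(20)]
SAMPLE.append({"t": 0.0, "in_if": "level3.1", "proto": "tcp", "flags": {"ack"}})
SAMPLE.append(syn(1.0))

if __name__ == "__main__":
    verdicts = simulate(SAMPLE)
    print("SYNs passed in burst:", verdicts[:20].count("next-rule"))
    print("SYNs dropped in burst:", verdicts[:20].count("drop"))
    print("ACK during flood:", verdicts[20], "| SYN after 1s:", verdicts[21])
```

In this model, return is not an accept: it only hands the packet back to the calling chain, where the rules below the jump still decide its fate.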