We're having an issue at one of our clients; it seems that they have suffered a DNS amplification attack. Port 53 UDP was open to the router (MikroTik RB4011) from everywhere and the DNS Allow Remote Requests option had been enabled.
I saw immediately that there were thousands of open connections filling the bandwidth.
I have since disabled traffic to the router on port 53 UDP and TCP, and the remote requests. The connections have returned to normal and the new rules are blocking approximately 1200 p/s. But the problem is that the internet connection is almost unusable. The ping to 8.8.8.8 takes 800ms+ and the overall network is very slow.
I have tried setting up a MikroTik RB4011 with a very basic configuration and it's having the same issues; the network is just almost unusable. We have tried setting the ISP's modem to router mode and the internet is working fine over their modem. But as soon as we connect the MikroTik as the router, everything grinds to a halt. Even the provider's modem starts working very slowly. I have tried using the hap2 router but same issue.
We have run out of ideas. Is there an issue with the configuration? Is the issue with RouterOS? I have updated RouterOS to version 7.13 but no change. Below is the basic configuration I have tried with no luck. Does anyone have any idea what can be done? Would changing the public IPs help in the long term?
The router with port 53 specifically disabled

The basic configuration:
/interface bridge
add name=bridge1.test
/interface ethernet
set [ find default-name=ether1 ] name=ether1.dovod
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1.dovod name=pppoe-out1 \
user=user
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=10.0.10.20-10.0.10.150
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1.test name=dhcp1
/interface bridge port
add bridge=bridge1.test interface=ether2
add bridge=bridge1.test interface=ether3
add bridge=bridge1.test interface=ether4
add bridge=bridge1.test interface=ether5
/ip address
add address=10.0.10.1/24 interface=bridge1.test network=10.0.10.0
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
/ip dns
set servers=193.189.160.13
/ip firewall filter
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8800 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=forward in-interface=pppoe-out1
add action=drop chain=input in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2244
set api disabled=yes
set winbox port=8800
set api-ssl disabled=yes
/system identity
set name=mtTest
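
An added example, not part of the original post: a small Python audit that reads a RouterOS `/export` and reports whether the router's resolver would answer new UDP/53 queries arriving on the WAN interface, which is the exposure described above. The sample export is constructed, and the rule matching is a simplified model that looks only at `chain`, `connection-state`, `in-interface`, `protocol` and single-port `dst-port` values.

```python
import shlex

# Constructed sample of the exposed state the post describes (remote requests
# enabled, UDP/53 accepted on input from anywhere); not the poster's real export.
EXPOSED = """\
/ip dns
set allow-remote-requests=yes servers=193.189.160.13
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=53 protocol=udp
add action=drop chain=input in-interface=pppoe-out1
"""

def parse_export(text):
    """Return [(section, {key: value})] from a RouterOS /export listing."""
    rows, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # export wraps long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line:
            pairs = (t.split("=", 1) for t in shlex.split(line) if "=" in t)
            rows.append((section, dict(pairs)))
    return rows

def dns_reachable_from_wan(text, wan):
    """True if a new UDP/53 query arriving on `wan` reaches the resolver."""
    rows = parse_export(text)
    if not any(s == "/ip dns" and r.get("allow-remote-requests") == "yes"
               for s, r in rows):
        return False                       # resolver only serves the router itself
    for s, r in rows:
        if s != "/ip firewall filter" or r.get("chain") != "input":
            continue
        if r.get("disabled") == "yes" or r.get("action", "accept") not in ("accept", "drop", "reject"):
            continue
        if "connection-state" in r and "new" not in r["connection-state"].split(","):
            continue                       # state rule that cannot match a new query
        if r.get("in-interface", wan) != wan or r.get("protocol", "udp") != "udp":
            continue
        if "dst-port" in r and "53" not in r["dst-port"].split(","):
            continue
        return r.get("action", "accept") == "accept"   # first matching rule decides
    return True                            # no rule matched: chain default is accept

if __name__ == "__main__":
    print("open resolver on WAN:", dns_reachable_from_wan(EXPOSED, "pppoe-out1"))
```

Run it against the output of `/export` with the WAN interface name as the second argument; rules that use matchers outside the modelled set (address lists, interface lists, port ranges) need a manual look.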