Thousands of Connections established with mikrotik

Posted: Thu Aug 05, 2010 6:12 pm
by inertia
I am using an RB1000 for my network. I have got only about 200 customers, but in the IP firewall connections I could see thousands of connections being established, which does not seem right. It looks to me like there is a script running on someone's PC which is establishing all the fake connections. Any advice?

Re: Thousands of Connections established with mikrotik

Posted: Fri Aug 06, 2010 9:48 pm
by fewi
When 200 users each have 5 connections (like loading one web page with 4 pictures embedded) that'll be 1,000 connections showing.
You can try lowering the timeouts in "/ip firewall connection tracking", but it's still perfectly normal to show more connections than you have users, because each user can have dozens of connections quite legitimately.

Re: Thousands of Connections established with mikrotik

Posted: Fri Aug 06, 2010 10:56 pm
by inertia
Yeah, you are right, but I think I cannot explain my problem properly. I think my system is under DoS attack. I could see bursts of data coming in from the ethernet port of the RB1000 which is connected to my backhaul. After around every 30 seconds or so I get a burst of data of around 60-70 Mb coming into the RB1000. My system usage also shoots up to 100%. I have tried adding a few firewall rules, which have suppressed the problem, but still I could not find a perfect solution for it.

Re: Thousands of Connections established with mikrotik

Posted: Fri Aug 06, 2010 11:09 pm
by fewi

Re: Thousands of Connections established with mikrotik

Posted: Mon Aug 09, 2010 3:18 am
by MCT
That's odd, 60-70 Mbps shouldn't even faze the RB1000. Do you have any captures of that traffic? The only way to really see what is happening is to get a good look at that traffic burst and work out why it's maxing the CPU on the routerboard.

Re: Thousands of Connections established with mikrotik

Posted: Mon Aug 09, 2010 3:34 pm
by leonset
What really stresses a router like the RB1000 is packets per second and not bandwidth, because every packet has to be analyzed and checked against firewall, mangle, routing, etc., etc. Having the right order in your firewall rules does help to withstand DoS attacks/traffic peaks.
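The thread never settles whether the thousands of entries are 200 users with dozens of flows each or one host flooding the connection table. The script below is an added example (not code from the thread or from MikroTik) that answers that question from a connection-table dump: it counts tracked connections per source address and flags sources with an unusual number of total or half-open (syn-sent) TCP flows. The dump is constructed, its column layout is an assumption modeled loosely on `/ip firewall connection print`, and the thresholds are deliberately tiny to suit the sample; for a real export you would raise them to fit your subscriber base.

```python
"""Per-source connection counts from a constructed connection-table dump.

The column layout below is an ASSUMPTION modeled on `/ip firewall connection
print`; adjust LINE_RE to match the actual export you feed it.
"""
import re
from collections import Counter

# Constructed sample: 10.10.1.5 and 10.10.1.7 look like ordinary subscribers,
# while 10.10.1.9 is opening many half-open (syn-sent) flows to many hosts.
SAMPLE_DUMP = """\
 #  PR  SRC-ADDRESS          DST-ADDRESS         TCP-STATE    TIMEOUT
 0  tcp 10.10.1.5:51234      203.0.113.10:80     established  23h59m
 1  tcp 10.10.1.5:51235      203.0.113.10:80     established  23h58m
 2  udp 10.10.1.7:53211      203.0.113.53:53                  9s
 3  tcp 10.10.1.9:40001      203.0.113.20:443    syn-sent     10s
 4  tcp 10.10.1.9:40002      203.0.113.20:443    syn-sent     10s
 5  tcp 10.10.1.9:40003      203.0.113.21:443    syn-sent     9s
 6  tcp 10.10.1.9:40004      203.0.113.22:443    syn-sent     9s
 7  tcp 10.10.1.9:40005      203.0.113.23:443    syn-sent     8s
"""

# Index, protocol, src:port, dst:port, then an optional alphabetic TCP state.
# The state group cannot match a timeout such as "9s" because it must start
# with a letter, so UDP rows (empty state column) parse with state=None.
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):\d+\s+(?P<dst>[\d.]+):\d+"
    r"(?:\s+(?P<state>[a-z-]+))?"
)


def parse_connections(dump):
    """Return (proto, src, dst, state) tuples; header and junk lines are skipped."""
    conns = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append((m["proto"], m["src"], m["dst"], m["state"] or ""))
    return conns


def per_source(conns):
    """Total tracked connections per source address."""
    return Counter(src for _, src, _, _ in conns)


def half_open_per_source(conns):
    """TCP connections per source that never completed the handshake."""
    return Counter(src for proto, src, _, state in conns
                   if proto == "tcp" and state == "syn-sent")


def suspicious_sources(conns, max_total=50, max_half_open=3):
    """Sources exceeding either threshold (thresholds are assumed, not tuned)."""
    total, half = per_source(conns), half_open_per_source(conns)
    flagged = {s for s, n in total.items() if n > max_total}
    flagged |= {s for s, n in half.items() if n > max_half_open}
    return sorted(flagged)


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_DUMP)
    print("per source:", dict(per_source(conns)))
    print("suspicious:", suspicious_sources(conns))
```

A source that exceeds the half-open threshold while legitimate users sit at a handful of established flows is the pattern to look for before blaming the router; lowering connection-tracking timeouts, as suggested above, shrinks the table but does not change which source dominates it.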