
DNS Amplification Attack

Posted: Mon May 27, 2013 12:28 pm
by matthysdt
I strongly expect that one of my clients was a victim of a DNS Amplification Attack for two days in May 2013.
More on this attack, which made the local news here: http://mybroadband.co.za/news/internet/ ... ttack.html

Symptoms:
* My client reported the internet to be mostly down, with sporadic periods of slow connectivity.
* Pings to the router's WAN IP resulted on average in about 85% loss.
* I also could not connect to the router remotely or establish a PPTP connection.
* The problem went away after the WAN IP was automatically changed by the ISP. (This does not happen often with this ISP, even when rebooting the router)
* When I was able to connect again, I noticed that the PPPoE's traffic for the last 2 days registered 15Gb TX and only about 300Mb RX.

I would like to know:
A. How can I confirm that this attack was the cause of the trouble?
B. How can I prevent this type of attack in the future?

Thank you in advance!

EDIT: The symptoms as described above are once again occurring, as I type this. I can no longer access the router from outside and ping responses report 75%+ loss.

Re: DNS Amplification Attack

Posted: Mon May 27, 2013 4:04 pm
by janisk
From the post you linked: "attackers find a foothold largely due to open resolvers".
Disallow requests from the Internet from reaching your local resolvers. Protect your router.

Re: DNS Amplification Attack

Posted: Mon May 27, 2013 4:07 pm
by matthysdt
From the post you linked: "attackers find a foothold largely due to open resolvers".
Disallow requests from the Internet from reaching your local resolvers. Protect your router.
Are you referring to the "Allow Remote Requests" tickbox under DNS Settings?

Re: DNS Amplification Attack

Posted: Tue May 28, 2013 11:46 am
by janisk
No, I am referring to a firewall that can be tailored specifically to disallow requests from outside while the internal network can still use the router as a DNS cache.

Re: DNS Amplification Attack

Posted: Tue May 28, 2013 1:08 pm
by CelticComms
If the router is configured such that it can be used in this type of attack, it probably has some other firewall config issues too. For example, it would be a good idea to fully check the filters in IP Firewall.

Re: DNS Amplification Attack

Posted: Tue May 28, 2013 3:34 pm
by matthysdt
After reading up quite a bit, I decided on the following solution.
I have added two sets of filter rules:
-> Drop all incoming packets (UDP and TCP) on port 53 not originating from the local area network. This prevents outside sources from using your DNS server.
-> Drop all forwarded packets that are outbound on the PPPoE interface and whose source IP is not from the local LAN. This prevents a compromised PC on your LAN from running bots that DDoS other servers with spoofed addresses.

In my case, it turned out that there was a compromised PC on the LAN running a botnet, which was doing a DDoS with spoofed addresses to some IP in Vietnam.

Re: DNS Amplification Attack

Posted: Thu May 30, 2013 12:12 pm
by janisk
The firewall filter rule you added for the DNS server can be applied to other services provided by the router to protect it (and your customers) even more.

The second part, limiting the address space from which anyone on your network can reach out, is also a very good idea and effectively prevents spoofed DDoS attacks. The Internet says: thank you.
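What the two filter rules from the solution post and janisk's "apply it to other services" advice look like as a RouterOS rule set. This is an added example, not configuration posted by anyone in the thread; it assumes the WAN interface is named pppoe-out1 and the LAN is 192.168.88.0/24 (the RouterOS default), so adjust both to your own setup.

```routeros
# Added example; not from the thread. Assumed names: WAN = pppoe-out1,
# LAN = 192.168.88.0/24. Firewall rules are evaluated top-down, so on an
# existing router these must sit ABOVE any general "accept" rule
# (use place-before=N, or move them in Winbox) or they never match.

# Name the address space the LAN may legitimately use as a source.
/ip firewall address-list
add list=LAN address=192.168.88.0/24 comment="local LAN"

/ip firewall filter
# Replies to the router's own outbound queries (DNS upstream, NTP, ...)
# arrive with src-port=53, not dst-port=53, so the rules below do not
# break them; accepting established/related first makes that explicit.
add chain=input connection-state=established,related action=accept

# Rule set 1 from the thread: no DNS queries to the router from the WAN.
# The LAN still uses the router as a cache because only in-interface=
# pppoe-out1 is dropped. Both UDP and TCP, as the poster did.
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop \
    comment="open resolver: drop DNS from Internet"
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop \
    comment="open resolver: drop DNS from Internet"

# Rule set 2 from the thread: egress anti-spoofing. Nothing leaves over
# PPPoE with a source address that is not ours, so a bot on the LAN
# cannot send spoofed packets to an amplifier or a victim.
add chain=forward out-interface=pppoe-out1 src-address-list=!LAN action=drop \
    comment="drop spoofed-source packets leaving the LAN"

# janisk's generalisation (goes beyond the thread): the same pattern for
# every other router service (Winbox, SSH, API, web). Keep ICMP so the
# ping-loss measurement used to spot the attack still works.
add chain=input in-interface=pppoe-out1 protocol=icmp action=accept \
    comment="ping from Internet for monitoring"
add chain=input in-interface=pppoe-out1 action=drop \
    comment="everything else from the Internet"

# "Allow Remote Requests" stays on: it is what lets the LAN query the
# router at all. The firewall, not this tick box, keeps the WAN out.
/ip dns set allow-remote-requests=yes

# Confirming afterwards (question A in the thread): the drop rules'
# packet counters, and live port-53 traffic on the PPPoE interface.
/ip firewall filter print stats
/tool torch interface=pppoe-out1 port=53
```

The egress rule matches on the source address, so it only stops traffic with a forged source; a bot on the LAN flooding a victim with its real address still gets out and has to be found from the TX counter and torch output, as the poster did. The ICMP accept is optional and was not in the thread; drop it if you would rather the router not answer pings from the Internet at all.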