Hello Mikrotikians! Just wondering what ideas and implementations people have tried to detect and block packet floods and other DOS attacks? I'm currently running 6.33 on X86 hardware and have a non-production box trying a simple PPS rate firewall filter to auto-build a list of target addresses and drop inbound traffic to the list (with a 2h expire time.) I want to go further and push the list to BGP as /32 blackhole routes to my iBGP and also upstream to the likes of VOCUS who support /32 black holing. This is also on top of a general purpose filter which is looking for invalid TCP flag combinations to just drop outright. Frustratingly, the last few DDOS attacks inbound to AS7477 have been TCP SYN/RST at high packet rates, but barely past 25Mbps of payload -- router/os has proven very susceptible to high PPS hitting a single queue (HTB and simple for 1 ip address and/or sub-interface) and turning into a turtle. -- http://about.me/terry.sweetser