[Mikrotik] Mikrotik Digest, Vol 60, Issue 3

David Hulsebus contact at portative.net
Tue Dec 4 14:57:50 CST 2012

Yes, efficiency was what I was asking.  I use address lists extensively 
but the lists are small, never more than a few hundred entries. I was 
wondering as the list grew to 150-200K entries if it would still be as 
efficient. We will be extending this drop list to 14 days from 3.

Thanks, Dave

On 12/4/2012 2:59 PM, mikrotik-request at mail.butchevans.com wrote:
> Send Mikrotik mailing list submissions to
> 	mikrotik at mail.butchevans.com
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://www.butchevans.com/mailman/listinfo/mikrotik
> or, via email, send a message with subject or body 'help' to
> 	mikrotik-request at mail.butchevans.com
> You can reach the person managing the list at
> 	mikrotik-owner at mail.butchevans.com
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Mikrotik digest..."
> Today's Topics:
>     1. Re: DOS attack question (Butch Evans)
>     2. Re: DOS attack question (Josh Luthman)
>     3. Managing traffic on management ports (Ty Featherling)
>     4. Re: DOS attack question (Butch Evans)
>     5. Re: DOS attack question (Josh Luthman)
>     6. Re: Managing traffic on management ports (Butch Evans)
>     7. Re: DOS attack question (Butch Evans)
>     8. Re: Managing traffic on management ports (Ty Featherling)
> ----------------------------------------------------------------------
> Message: 1
> Date: Tue, 04 Dec 2012 12:58:27 -0600
> From: Butch Evans <butche at butchevans.com>
> Subject: Re: [Mikrotik] DOS attack question
> To: Mikrotik discussions <mikrotik at mail.butchevans.com>
> Message-ID: <1354647507.2818.143.camel at butchlaptop.butchevans.com>
> Content-Type: text/plain; charset="UTF-8"
> On Tue, 2012-12-04 at 11:35 -0500, David Hulsebus wrote:
>> We've had someone sending network attacks on us over the last few days.
>> We are blocking 15K + IP addresses each 24 hours and and have an address
>> list that has grown to more than 45K since Sunday morning. I do see my
>> CPU usage hasn't really grown beyond 10% - it usually runs 6-8%. Which
>> brings me to the question. At that scale are address list look-ups more
>> efficient than multiple rules? Or is there a difference ? I am looking
>> at increasing the blocked time from 3 days to 14.
> Address lists are much more efficient than multiple rules.  For example:
> /ip firewall filter
> add chain=input protocol=tcp dst-port=22 src-address-list=nossh
> action=drop
> The above is MUCH more efficient with an address list of 100 IPs than it
> would be to have 100 rules of dropping dst-port tcp/22.   I am assuming
> this is the question you are asking.  NOTE that this is just an example
> and NOT the best way to handle input rules to manage traffic on port 22
> or any other management port.

David Hulsebus
Portative Technologies, LLC
1995 Allison Lane, Suite 100
Corydon, IN 47112

More information about the Mikrotik mailing list