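Why does it keep getting blocked? Ask Chunghwa Telecom's DNS; that is what it gets for being spoofed all the time. These rules showed me that setting a custom DNS server in the DHCP configuration tends to produce this behavior. You get used to it.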
/ip settings
set tcp-syncookies=yes
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
/ip firewall filter
# Send every new forwarded connection through the detect-ddos chain
add action=jump chain=forward comment="DDoS Detection and Blocking" \
    connection-state=new jump-target=detect-ddos
# Flows within the limit return to the forward chain untouched
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
# Must sit before the add-to-list rules, which do not stop rule processing
add action=return chain=detect-ddos comment="SYN Flood protect" \
    dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
# Anything still here exceeded the limit: list both ends for 10 minutes
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
/ip firewall raw
# Drop listed attacker -> listed target traffic before connection tracking
add action=drop chain=prerouting comment="Drop DDoS-attackers" \
    dst-address-list=ddos-targets src-address-list=ddos-attackers
--
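If you insist on setting a custom DNS server in DHCP, I suggest simply changing it to Google's or Cloudflare's DNS.

Then the router's own DNS setting does not need to change. That one is left for the MikroTik itself to go online for updates; the relay hub ignores it.

By the same reasoning, if you are a Chunghwa 300M subscriber, I suggest turning on the Internet Guard (上網守衛) service and then entering the Guard's DNS servers.
This shows that with a custom setting, the DDoS rules do not conflict and everything still works normally, because DNS hides some subtleties.
The configuration has to be like this. Set up this way, it is very hard for an attacker to hijack! If you have Internet Guard enabled, you get self-configured protection.

In summary: I recommend just using the officially defined DNS settings. Although this easily invites DNS recursive-query attacks, it should be possible to avoid them.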
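The DNS blocking described above can be reproduced with a small model of the rules; this is an added example, not part of the original post and not RouterOS code. It assumes dst-limit behaves as a plain token bucket per source/destination pair (32 new connections per second, burst 32) and that client DNS lookups are forwarded to the resolver; the addresses and the traffic trace are constructed.

```python
from collections import defaultdict

RATE, BURST = 32.0, 32.0   # dst-limit=32,32,...: 32 new connections/s, burst of 32
LIST_TIMEOUT = 600.0       # address-list-timeout=10m, in seconds
RESOLVER = "192.0.2.53"    # constructed: DNS server handed out by DHCP
BUSY, QUIET = "192.168.88.10", "192.168.88.11"   # constructed LAN clients


class DetectDdos:
    """Assumed simplification: dst-limit as one token bucket per (src, dst)."""

    def __init__(self):
        self.buckets = defaultdict(lambda: [BURST, 0.0])  # [tokens, last seen]
        self.attackers, self.targets = {}, {}             # address -> expiry

    def new_connection(self, now, src, dst):
        # raw/prerouting: drop while src and dst are both still listed
        if self.attackers.get(src, 0) > now and self.targets.get(dst, 0) > now:
            return "drop"
        bucket = self.buckets[(src, dst)]
        bucket[0] = min(BURST, bucket[0] + (now - bucket[1]) * RATE)
        bucket[1] = now
        if bucket[0] >= 1.0:          # action=return: flow is within the limit
            bucket[0] -= 1.0
            return "pass"
        # over the limit: list both ends; this packet itself is not dropped
        self.targets[dst] = self.attackers[src] = now + LIST_TIMEOUT
        return "listed"


def sample_trace():
    """Constructed trace: each DNS lookup is a new connection to RESOLVER."""
    burst = [(i * 0.005, BUSY, RESOLVER) for i in range(100)]    # 100 in 0.5 s
    quiet = [(1.0 + i * 0.2, QUIET, RESOLVER) for i in range(5)]
    later = [(60.0, BUSY, RESOLVER), (700.0, BUSY, RESOLVER)]
    return burst + quiet + later


def replay(events):
    fw = DetectDdos()
    return [fw.new_connection(t, src, dst) for t, src, dst in events]


if __name__ == "__main__":
    verdicts = replay(sample_trace())
    for verdict in ("pass", "listed", "drop"):
        print(verdict, verdicts.count(verdict))
    print("BUSY at t=60 s:", verdicts[-2], "| at t=700 s:", verdicts[-1])
```

In this trace a legitimate client that resolves many names at once is listed, and its later lookups to the same resolver are dropped until the 10-minute entry expires, while the quiet client is unaffected.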
--
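A finale gift for the 1450.
The six versions, A through F, were revised in one of the posts up to 817 of this year, and only after that do they count as officially finished.
--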


As for blocking ICMP floods, skip it. I did get a rule tested successfully, but there is no need to use it.