The “raw” firewall option in MikroTik RouterOS is a powerful tool to mitigate attacks, including those based on ICMP (Internet Control Message Protocol).

The raw firewall works at a very early stage of packet processing, allowing it to effectively deal with unwanted packets before they consume system resources beyond basic processing.

To mitigate ICMP attacks, such as ping flood (a type of DDoS attack where the attacker floods the victim with ICMP packets to exhaust its resources), you can use rules in the raw table to discard or limit this traffic.

This is because the rules in this table are processed before those in the filter and nat tables, allowing early intervention and minimizing the impact on router performance.

Configuring Rules in the Raw Firewall to Mitigate ICMP Attacks

Here is an example of how to configure a rule in the raw firewall to limit ICMP packets:

1. Access your MikroTik router via Winbox, WebFig, or SSH.
2. Go to the “raw” Firewall section:
   • In Winbox or WebFig: Go to IP > Firewall and then to the tab Raw.
   • On the command line: Use the command /ip firewall raw.
3. Add a rule to limit ICMP traffic:
   • For Winbox or WebFig: Click + to add a new rule. In the tab General, Select icmp in the field Protocol. On the tab Action, choose drop o limit as an action and configure the parameters according to your needs.
   • On the command line: Use a command similar to /ip firewall raw add action=drop chain=prerouting protocol=icmp icmp-options=8:0 limit=10,20:packet.

This example basically says: “Discard ICMP type 8 (echo request) packets that exceed a limit of 10 packets per second with a burst of 20 packets.” Adjust the limit and burst based on expected normal traffic and your network capacity.

Considerations

• Precision: Make sure you configure the rules precisely to avoid blocking legitimate ICMP traffic, which is useful for network diagnostics and flow control.
• Monitoring: It is advisable to monitor ICMP traffic regularly to adjust rules based on observed behavior and avoid false positives.
• complementarity: Although the raw firewall is effective in mitigating attacks, consider using it in conjunction with other security measures, such as firewall rules in the filter table, for complete protection.

The use of raw firewall can be an effective measure to mitigate ICMP attacks, but it must be part of a broader, strategic approach to network security.