Security · 13 min read · April 21, 2026

ISP Network Security: DDoS Protection, Firewall Rules & Best Practices

ISP networks are prime targets for DDoS attacks, port scanning, and brute force attempts. This guide covers layered security — from MikroTik firewall hardening and connection rate limiting to CGNAT security and proactive threat monitoring.

The ISP Threat Landscape

ISPs face a unique set of security challenges. You are not just protecting one network — you are responsible for thousands of subscribers, their traffic, and the infrastructure connecting them. A successful attack can take down service for your entire customer base.

The most common threats ISPs face include volumetric DDoS attacks, SSH/Winbox brute force attempts, DNS amplification abuse, and subscribers running compromised devices that become botnet nodes.

Layer 1: Edge Firewall Rules

Your edge router is the first line of defence. These MikroTik firewall rules should be on every ISP router. Firewall rules are evaluated top to bottom, so keep the order shown, and create the management address list first (/ip firewall address-list add list=management address=<your admin subnet>), otherwise the Winbox and SSH accept rules match nothing and the drop rule below them locks out management:

routeros
# Drop invalid connections
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Accept established"
add chain=input action=drop connection-state=invalid comment="Drop invalid"

# Protect management services
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=management comment="Winbox from management IPs only"
add chain=input action=accept protocol=tcp dst-port=22 src-address-list=management comment="SSH from management IPs only"
add chain=input action=drop protocol=tcp dst-port=8291,22,23,80,443 comment="Drop all other management access"

# Rate-limit ICMP to prevent ping flood (50 packets/s with a burst of 5)
add chain=input action=accept protocol=icmp limit=50,5:packet comment="Rate-limit ICMP"
add chain=input action=drop protocol=icmp comment="Drop excess ICMP"

# Drop port scanners (psd = weight threshold, delay threshold, low-port weight, high-port weight)
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port-scanners address-list-timeout=2w comment="Detect port scanners"
add chain=input action=drop src-address-list=port-scanners comment="Drop port scanners"

Layer 2: Brute Force Protection

Automated bots constantly probe for SSH, Winbox, and API access. The rules below rate-limit connection attempts by escalation: each new SSH connection moves the source one stage further (ssh-stage1, ssh-stage2, ssh-stage3, each held for one minute), and a source already in stage3 that opens yet another connection is placed on a 10-day blacklist. Insert them above the "Drop all other management access" rule from Layer 1, or they are never reached:

routeros
# SSH brute force protection
/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-blacklist action=drop comment="Drop SSH blacklisted"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-stage3 action=add-src-to-address-list address-list=ssh-blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-stage2 action=add-src-to-address-list address-list=ssh-stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh-stage1 action=add-src-to-address-list address-list=ssh-stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh-stage1 address-list-timeout=1m
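The staged escalation above is easy to misread, so here is a small model of it in Python. This is an added example, not code from the original post or from MikroTik: it abstracts RouterOS rule traversal into "promote the source one stage per new connection", uses the address-list timeouts from the rules, and feeds in a constructed sequence of connection attempts (the two IP addresses are made up).

```python
"""Model of the staged address-list escalation in the SSH rules above.
Added example, not code from the original post: it abstracts RouterOS
rule traversal into 'promote the source one stage per new connection'."""
from dataclasses import dataclass, field

# Stage order and address-list-timeout values taken from the rules (seconds)
STAGES = ["ssh-stage1", "ssh-stage2", "ssh-stage3", "ssh-blacklist"]
TIMEOUT = {"ssh-stage1": 60, "ssh-stage2": 60, "ssh-stage3": 60,
           "ssh-blacklist": 10 * 24 * 3600}


@dataclass
class SshGuard:
    # list name -> {source ip: expiry time in seconds}
    lists: dict = field(default_factory=lambda: {s: {} for s in STAGES})

    def highest_stage(self, ip, now):
        """Highest stage the source is still in (expired entries are ignored)."""
        for stage in reversed(STAGES):
            expiry = self.lists[stage].get(ip)
            if expiry is not None and expiry > now:
                return stage
        return None

    def new_connection(self, ip, now):
        """Apply the rule chain to one new SSH connection from ip at time now.

        Returns 'drop' when the source is blacklisted, otherwise 'pass' after
        promoting it one stage (a fresh source lands in ssh-stage1).
        """
        current = self.highest_stage(ip, now)
        if current == "ssh-blacklist":
            return "drop"
        nxt = STAGES[0] if current is None else STAGES[STAGES.index(current) + 1]
        self.lists[nxt][ip] = now + TIMEOUT[nxt]
        return "pass"


def simulate(events):
    """events: (ip, seconds) pairs for new SSH connections in time order.
    Returns the verdict for each event."""
    guard = SshGuard()
    return [guard.new_connection(ip, t) for ip, t in events]


# Constructed sample: 198.51.100.7 hammers SSH every 10 s; 203.0.113.5 is a
# legitimate admin who reconnects two minutes apart and never escalates.
SAMPLE_EVENTS = [
    ("198.51.100.7", 0), ("203.0.113.5", 2), ("198.51.100.7", 10),
    ("198.51.100.7", 20), ("198.51.100.7", 30), ("198.51.100.7", 40),
    ("203.0.113.5", 120), ("198.51.100.7", 3600),
    ("198.51.100.7", 11 * 24 * 3600),   # blacklist entry has expired by now
]

if __name__ == "__main__":
    for (ip, t), verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:>7}s {ip:<14} {verdict}")
```

Running it shows the fourth rapid connection still passes (it is the one that creates the blacklist entry) and the fifth is dropped, while the slow client keeps falling back to stage1 because each one-minute entry expires before the next attempt. That is why the window matters: a bot that spaces attempts more than a minute apart never reaches the blacklist, so the stage timeouts should be tuned to the attempt rates you actually see in the log.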

Layer 3: DDoS Mitigation

DDoS attacks are the biggest threat to ISP uptime. Volumetric attacks large enough to saturate your uplinks can only be stopped upstream, but many smaller attacks can be absorbed at the edge:

routeros
# SYN flood protection: new TCP SYNs are diverted to a chain that accepts
# them at a limited rate (200/s, burst 5) and drops the excess
/ip firewall filter
add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN flood protection"
add chain=SYN-Protect action=accept limit=200,5:packet
add chain=SYN-Protect action=drop

# Connection rate limiting per source IP. The matcher fires once a /32 holds
# more than 200 tracked TCP connections; add tcp-flags=syn if you only want
# to refuse new connections rather than drop packets of established ones.
add chain=forward action=drop connection-limit=200,32 protocol=tcp comment="Limit TCP connections per /32"

# DNS amplification protection (if running DNS on the router).
# trusted-dns-clients should contain your subscriber ranges.
add chain=input action=drop protocol=udp dst-port=53 src-address-list=!trusted-dns-clients comment="Block external DNS queries"
# If the router should not answer recursive queries at all, disable them instead:
# /ip dns set allow-remote-requests=no
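To see what a rate limit like limit=200,5:packet actually lets through, here is a token-bucket model of the accept-then-drop chain. This is an added example, not code from the original post and not MikroTik's implementation: it models the matcher the way the classic iptables limit module works (a bucket of "burst" tokens refilled at "rate" tokens per second), and RouterOS's internal accounting may differ in detail. The arrival patterns are constructed.

```python
"""Token-bucket model of the RouterOS limit matcher used above
(limit=200,5:packet in SYN-Protect, limit=50,5:packet for ICMP).
Added example, not code from the original post: it models the matcher
like the iptables limit module, a bucket of 'burst' tokens refilled at
'rate' tokens per second; RouterOS's internal accounting may differ."""
from fractions import Fraction


class PacketLimit:
    def __init__(self, rate_per_second, burst):
        self.rate = Fraction(rate_per_second)   # tokens added per second
        self.burst = Fraction(burst)            # bucket capacity
        self.tokens = self.burst                # bucket starts full
        self.last = Fraction(0)                 # time of last packet (seconds)

    def offer(self, t):
        """Offer a packet arriving at time t (seconds). Returns True while the
        limit rule still matches, i.e. the packet is accepted."""
        t = Fraction(t)
        # Exact arithmetic so a long run of packets gives a deterministic count
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_chain(arrivals, rate, burst):
    """Push arrival times through 'accept limit=rate,burst; drop'.
    Returns (accepted, dropped) counts."""
    rule = PacketLimit(rate, burst)
    accepted = sum(1 for t in arrivals if rule.offer(t))
    return accepted, len(arrivals) - accepted


def syn_stream(packets, interval_ms):
    """Constructed arrival pattern: one packet every interval_ms."""
    return [Fraction(i * interval_ms, 1000) for i in range(packets)]


if __name__ == "__main__":
    # 1000 SYNs in one second: the burst of 5 plus about 200/s get through
    print("flood  :", run_chain(syn_stream(1000, 1), 200, 5))
    # 100 SYNs spread evenly over one second all pass
    print("normal :", run_chain(syn_stream(100, 10), 200, 5))
```

The flood case is the useful one: of 1000 SYNs in a second the chain forwards 204 and drops 796, so the rule caps what reaches the subscriber rather than eliminating the attack, and legitimate new connections compete for the same 200 tokens while the flood lasts. A rate that is too low therefore becomes its own outage; measure normal SYN rates per forward path before choosing the number.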

Layer 4: CGNAT Security Considerations

If you run CGNAT (Carrier-Grade NAT) due to IPv4 exhaustion, additional security measures are needed:

  • Connection tracking limits — set max connections per subscriber to prevent a single user exhausting the NAT table
  • Port allocation — allocate fixed port ranges per subscriber for logging compliance
  • Logging — log NAT translations for law enforcement compliance (store IP + port + timestamp + subscriber)
  • ALG handling — disable unnecessary ALGs (SIP, FTP) to reduce attack surface

routeros
# CGNAT: translate the whole 100.64.0.0/10 subscriber range to a /28 public pool
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=203.0.113.0/28 src-address=100.64.0.0/10 out-interface=ether1-wan

# Limit connections per subscriber behind CGNAT. The forward chain runs
# before srcnat, so the /32 here is the subscriber's inside address, not the
# shared public one.
/ip firewall filter
add chain=forward action=drop connection-limit=500,32 src-address=100.64.0.0/10 protocol=tcp comment="CGNAT: max 500 TCP connections per subscriber"
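The "fixed port ranges per subscriber" and "log IP + port + timestamp + subscriber" bullets fit together: if each inside address owns a fixed block of ports on a fixed public address, an abuse report naming public IP, port and time can be answered from the subscriber session log alone. The following Python is an added example, not code from the original post or from ISPbills: it assumes the pools from the NAT rule above (inside 100.64.0.0/10, public 203.0.113.0/28), a constructed block size of 2048 ports, and made-up RADIUS session records. On RouterOS the equivalent deterministic mapping would be one src-nat rule per subscriber using to-addresses and to-ports.

```python
"""Deterministic CGNAT port-block allocation and reverse lookup.
Added example, not code from the original post. It assumes the pools from
the NAT rule above (inside 100.64.0.0/10, public 203.0.113.0/28), a
constructed block size of 2048 ports, and made-up session records."""
import ipaddress
from datetime import datetime, timezone

INSIDE_POOL = ipaddress.ip_network("100.64.0.0/10")
PUBLIC_POOL = ipaddress.ip_network("203.0.113.0/28")        # 16 public addresses
FIRST_PORT, LAST_PORT = 1024, 65535                       # ports usable for NAT
BLOCK_SIZE = 2048                                         # assumption: ports per subscriber
BLOCKS_PER_IP = (LAST_PORT - FIRST_PORT + 1) // BLOCK_SIZE  # 31 full blocks per public IP
CAPACITY = PUBLIC_POOL.num_addresses * BLOCKS_PER_IP        # 496 subscribers for this pool


def port_block(inside_ip):
    """(public_ip, first_port, last_port) for a subscriber's inside address.
    The block follows from the address's offset in the inside pool, so the
    mapping is fixed and needs no per-connection translation log."""
    idx = int(ipaddress.ip_address(inside_ip)) - int(INSIDE_POOL.network_address)
    if not 0 <= idx < CAPACITY:
        raise ValueError(f"{inside_ip} has no block: pool holds {CAPACITY} subscribers")
    public = PUBLIC_POOL[idx // BLOCKS_PER_IP]
    first = FIRST_PORT + (idx % BLOCKS_PER_IP) * BLOCK_SIZE
    return str(public), first, first + BLOCK_SIZE - 1


def inside_address(public_ip, port):
    """Invert port_block for an abuse report naming public_ip:port.
    Returns None for addresses outside the pool or ports in no block."""
    public = ipaddress.ip_address(public_ip)
    if public not in PUBLIC_POOL or not FIRST_PORT <= port <= LAST_PORT:
        return None
    block = (port - FIRST_PORT) // BLOCK_SIZE
    if block >= BLOCKS_PER_IP:          # leftover ports above the last full block
        return None
    idx = (int(public) - int(PUBLIC_POOL.network_address)) * BLOCKS_PER_IP + block
    return str(INSIDE_POOL[idx])


def parse_ts(text):
    """ISO-8601 timestamp (UTC) helper for the constructed session records."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed RADIUS accounting records: (username, inside_ip, start, stop).
# The same inside address is reused by two subscribers on different days,
# which is why the timestamp in the report is essential.
SESSIONS = [
    ("alice@example", "100.64.0.35", parse_ts("2026-04-20T08:00:00"), parse_ts("2026-04-20T20:00:00")),
    ("bob@example",   "100.64.0.35", parse_ts("2026-04-20T20:05:00"), parse_ts("2026-04-21T02:00:00")),
]


def subscriber_for(public_ip, port, when):
    """Resolve (public_ip, port, timestamp) from an abuse report to a subscriber,
    or None when the port maps to nobody or no session covered that time."""
    inside = inside_address(public_ip, port)
    if inside is None:
        return None
    for user, ip, start, stop in SESSIONS:
        if ip == inside and start <= when <= stop:
            return user
    return None


if __name__ == "__main__":
    print("capacity:", CAPACITY, "subscribers")
    print("100.64.0.35 ->", port_block("100.64.0.35"))
    print("report 203.0.113.1:10000 at 21:00 ->",
          subscriber_for("203.0.113.1", 10000, parse_ts("2026-04-20T21:00:00")))
```

The capacity figure is the design trade-off the bullet list glosses over: a /28 with 2048-port blocks serves 496 subscribers, and a subscriber that needs more simultaneous connections than its block allows simply fails rather than degrading a neighbour. Tune BLOCK_SIZE against the connection-limit rule above, and keep the session log retention at least as long as the abuse-report window you are required to answer.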

Subscriber Network Hygiene

Your subscribers can be both victims and sources of attacks. Implement these measures to keep your network clean:

  • BCP38 / uRPF — enable reverse path filtering to prevent IP spoofing from subscriber networks
  • Bogon filtering — drop traffic from/to bogon and RFC1918 addresses on your WAN interface
  • Bandwidth abuse detection — monitor for subscribers generating unusual traffic patterns (possible botnet)
  • Automatic isolation — quarantine subscribers exhibiting malicious behaviour until their device is cleaned
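The four hygiene measures above are really one analysis pass over the flow records you already export from the subscriber edge. The following Python is an added example, not code from the original post or from ISPbills: it checks sampled flow records for BCP38 violations (sources outside the subscriber prefixes), for bogon destinations that should be dropped at the WAN interface, and for a scan-like pattern (one subscriber hitting many destinations on the same port), and renders the result as RouterOS address-list entries for a quarantine list. The subscriber prefix, the thresholds and the flow lines are all constructed.

```python
"""Flow-record hygiene checks for the subscriber edge: BCP38 source
validation, bogon filtering, and a simple scan heuristic that emits
quarantine address-list entries. Added example, not code from the original
post; prefixes, thresholds and the flow lines are constructed."""
import ipaddress
from collections import defaultdict

# Address space handed to subscribers on this edge (constructed)
SUBSCRIBER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Addresses that must never cross the WAN interface in either direction
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
SCAN_TARGETS = 20   # distinct destinations on one port before we call it a scan


def in_any(ip, networks):
    return any(ip in net for net in networks)


def analyse(flow_lines):
    """flow_lines: 'src,dst,proto,dport,packets' records from a flow exporter.
    Returns a dict with 'spoofed' sources, 'bogon' (src, dst) pairs and
    'scanners' mapping a source to (dport, distinct_targets)."""
    spoofed, bogon = set(), set()
    targets = defaultdict(set)            # (src, dport) -> destinations seen
    for line in flow_lines:
        src_s, dst_s, _proto, dport, _packets = line.strip().split(",")
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        if not in_any(src, SUBSCRIBER_PREFIXES):
            spoofed.add(src_s)            # BCP38 violation: not a subscriber source
            continue
        if in_any(dst, BOGONS):
            bogon.add((src_s, dst_s))     # should have been dropped at the WAN edge
            continue
        targets[(src_s, int(dport))].add(dst_s)
    scanners = {}
    for (src_s, dport), dsts in targets.items():
        # keep the busiest port per source
        if len(dsts) >= SCAN_TARGETS and len(dsts) > scanners.get(src_s, (0, 0))[1]:
            scanners[src_s] = (dport, len(dsts))
    return {"spoofed": sorted(spoofed), "bogon": sorted(bogon), "scanners": scanners}


def quarantine_commands(findings, timeout="1d"):
    """RouterOS address-list entries for the scanning subscribers. A filter
    rule matching src-address-list=quarantine does the actual isolation, and
    the timeout releases the subscriber automatically once it expires."""
    return [
        f'/ip firewall address-list add list=quarantine address={src} timeout={timeout} '
        f'comment="port {dport} scan: {n} targets"'
        for src, (dport, n) in sorted(findings["scanners"].items())
    ]


# Constructed sample flows
SAMPLE_FLOWS = [
    "203.0.113.10,198.51.100.1,6,443,120",    # ordinary web traffic
    "192.168.1.5,198.51.100.2,17,53,400",     # private source leaking out of a subscriber LAN
    "203.0.113.11,10.0.0.1,6,445,3",          # subscriber reaching RFC 1918 space via the WAN
] + [f"203.0.113.12,198.51.100.{i},6,23,1" for i in range(1, 26)]  # telnet sweep, 25 targets

if __name__ == "__main__":
    findings = analyse(SAMPLE_FLOWS)
    print(findings)
    for cmd in quarantine_commands(findings):
        print(cmd)
```

Run against the sample, the leaked 192.168.1.5 source is what BCP38/uRPF on the subscriber interface would have dropped, the 10.0.0.1 destination is what the bogon rule on the WAN side catches, and the telnet sweep from 203.0.113.12 is the typical footprint of a compromised customer device. The generated address-list commands use a timeout so that quarantine is automatic in both directions: the subscriber is isolated quickly and released without manual work once the entry expires, which is the behaviour the "Automatic isolation" bullet asks for.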

How ISPbills Enhances Network Security

ISPbills integrates security-aware features into your ISP operations:

  • RADIUS-based access control — only authenticated subscribers can access the network
  • Automatic suspension — overdue accounts are disabled at the RADIUS level, preventing unauthorised access
  • Session logging — complete PPPoE/Hotspot session history with IP assignments for compliance
  • Real-time monitoring — detect bandwidth anomalies that may indicate DDoS or compromised devices
  • Role-based access — 17 granular permissions prevent staff from accessing sensitive network configurations

Ready to Automate Your ISP?

ISPbills handles billing, network provisioning, and customer management — free for up to 99 subscribers.


Tags

Security, DDoS, Firewall, MikroTik, CGNAT, Rate Limiting, ISP Operations
