...

/ip firewall address-list
add list=ddos-attackers
add list=ddos-targettargets
/ip firewall filter
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targettargets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targettargets src-address-list=ddos-attackers

Configuration

...

Explained

First, we will send every new connection to the specific firewall chain where we will detect DDoS:

...

ip/firewall/address-list/add list=ddos-attackers
ip/firewall/address-list/add list=ddos-targets
ip/firewall/raw/add chain=prerouting action=drop src-address-list=ddos-attackers dst-address-list=dddosddos-targets

With the firewall filter section, we will add attackers in the "DDoS-attackers" and victims in list "ddos-targets" list:

/ip/firewall/filter/
add action=add-dst-to-address-list address-list=ddos-targettargets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos

SYN Attack

SYN Flood

An SYN flood is An SYN flood is a form of DoS attack in of DoS attack in which an attacker sends a succession of SYN requests of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. Fortunately, in RouterOS we have a specific feature for such an attack:

/ip/settings/set tcp-syncookies=yes

The feature works with by sending back ACK back ACK packets that contain a little cryptographic hash, which the responding client will echo back with as part of its SYN-ACK packet. If the kernel doesn't see this "cookie" in the reply packet, it will assume the connection is bogus and drop it. 

...