www.glcnetworks.com
Detecting network viruses using Mikrotik
GLC webinar, 25 august 2016
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
Agenda
● Introduction
● Computer Virus
● Monitoring network with mikrotik
● Demo
● Q & A
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner
● Mikrotik Certified Consultant
● Mikrotik distributor
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since ’99
● Certified Trainer (MTCNA/RE/WE/UME/INE/TCE)
● Mikrotik Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer,
and Lecturer
● Personal website: http://achmad.glcnetworks.com
● More info:
http://au.linkedin.com/in/achmadmardiansyah
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
What is Mikrotik?
● Name of a company
● A brand
● A program (e.g. Mikrotik Academy)
● Headquarters: Riga, Latvia
What are Mikrotik products?
● RouterOS
○ The operating system, specialized for networking
○ Website: www.mikrotik.com/download
● RouterBoard
○ The hardware
○ RouterOS installed
○ Website: www.routerboard.com
What can RouterOS do?
● Go to www.mikrotik.com
○ Download: what_is_routeros.pdf
○ Download: product catalog
○ Download: newsletter
What are Mikrotik training & certifications?
Certificate validity is 3 years
Computer virus
What are viruses, worms, and trojan horses?
Virus
● A self-replicating program. Viruses often require a host, and their goal is to
infect other files so that the virus can survive longer.
● Nothing to do with biological viruses!!
Worms
● Worms are insidious because they rely less (or not at all) upon human
behavior in order to spread themselves from one computer to others.
Trojan Horses
● A Trojan Horse is a program that pretends to be useful but performs some
unwanted action.
Virus characteristic
● Very small size
● Versatile: available for many applications
● Propagation: able to infect other software and other computers
● Can cause catastrophic effects: data loss, slow processing, botnet
● Persistence: able to reoccur through replication
How a computer virus infects other software
Virus propagation
● Boot sector
● Non resident
● Macro virus
● Via hacked website (XSS - cross-site scripting)
Virus countermeasures on network
Virus identification
● Host based (needs antivirus software installed on the host)
○ Signature based
○ Heuristic
● Network based (analysing traffic that flows through network devices)
○ Using a protocol analyser
○ IDS (intrusion detection system)
■ Signature based
■ Heuristics
■ Anomaly analytics
○ Devices:
■ Hub
■ Switch -> port mirroring
■ Router -> activate the sniffer feature
Virus countermeasures
Local host
● Install antivirus
● Use checksum software
Network devices
● Apply IDS
● Set up firewall rules
On RouterOS...
● Limit the outgoing SYN rate for SMTP
● Drop/limit outgoing SMB/CIFS traffic on ports 135-139 and 445
● Identify source IP addresses that open a high number of connections -> add them to a source address list
● Apply limit / connection-limit
● Use tarpit / drop / reject
● Redirect the customer to a web page
● Set up a whitelist
● Run torch
● Run the sniffer and send the traffic to protocol analyser software
○ Snort
○ Sourcefire
○ Wireshark
○ etc
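The following RouterOS v6 configuration is an added example written for this page; it is not from the slides or from GLC, and it is one way of putting the countermeasures above into firewall rules. Interface names (ether2), thresholds (20 connections, 10 SYN/s), address-list names (infected, smtp-whitelist), the notice-page address 192.0.2.80, the mail relay 192.0.2.25 and the analyser host 192.0.2.10 are all assumed placeholders to replace with your own values.

```routeros
# Added example, not from the slides. All addresses, interface names and
# thresholds below are assumed placeholders.

/ip firewall address-list
# Whitelist: legitimate mail servers that may send SMTP without limits
add list=smtp-whitelist address=192.0.2.25 comment="assumed mail relay"

/ip firewall filter
# --- Handling hosts already marked as infected (rules must come first) ---
# Log them, tarpit their TCP (except HTTP, which is redirected by the NAT
# rule below so the user sees a notice page), and reject everything else.
add chain=forward src-address-list=infected action=log log-prefix="INFECTED" \
    comment="log traffic from infected hosts"
add chain=forward src-address-list=infected protocol=tcp dst-port=!80 \
    action=tarpit comment="tarpit TCP from infected hosts"
add chain=forward src-address-list=infected protocol=!tcp action=reject \
    reject-with=icmp-admin-prohibited comment="reject non-TCP from infected hosts"

# --- Detection: too many concurrent SMTP connections from one source /32 ---
# add-src-to-address-list does not terminate rule processing, so the
# packet continues to the SYN-rate rules below.
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    src-address-list=!smtp-whitelist connection-limit=20,32 \
    action=add-src-to-address-list address-list=infected \
    address-list-timeout=1d comment="mark SMTP-spamming hosts for 1 day"

# --- Limit: outgoing SMTP SYN rate for non-whitelisted hosts ---
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    src-address-list=!smtp-whitelist limit=10/1s,5:packet action=accept \
    comment="allow up to 10 new SMTP connections per second"
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    src-address-list=!smtp-whitelist action=drop \
    comment="drop SMTP SYNs above the limit"

# --- Block SMB/CIFS worm propagation between networks ---
add chain=forward protocol=tcp dst-port=135-139,445 action=drop \
    comment="drop SMB/CIFS TCP"
add chain=forward protocol=udp dst-port=135-139,445 action=drop \
    comment="drop SMB/CIFS UDP"

/ip firewall nat
# Redirect infected customers' web browsing to an internal notice page
add chain=dstnat src-address-list=infected protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.0.2.80 to-ports=80 \
    comment="show infected hosts the cleanup notice page"

/tool sniffer
# Stream captured SMTP packets (TZSP, UDP 37008) to a Wireshark/Snort host
set streaming-enabled=yes streaming-server=192.0.2.10 filter-stream=yes \
    filter-interface=ether2 filter-ip-protocol=tcp filter-port=25
start

# Live view of who is generating the most connections on the LAN interface
/tool torch interface=ether2 ip-protocol=any port=any
```

Check the result with `/ip firewall address-list print where list=infected` and `/log print where message~"INFECTED"`. The detection rule is placed after the tarpit/reject rules so that a host marked infected is acted on immediately on its next packet, and the whitelist is applied with `src-address-list=!smtp-whitelist` so legitimate mail relays never get marked. Stop the sniffer with `/tool sniffer stop` once the analyser has enough traffic.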
Demo
Firewall limit, conn-limit, address-list, tarpit
Sniffing on RouterOS
torch
Q & A
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our facebook page: “GLC networks”
● Stay tuned for our schedule