In this webinar, we were discussing about Distributed Denial Of Service (DDOS) attack, and how to deal with it. we discussed several features on mikrotik RouterOS that can be used as intrusion detection, firewall, and blackhole route. the recording is available on youtube (GLC NETWORKS CHANNEL): https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg

1. www.glcnetworks.com
Fighting DDOS attack
with
GLC webinar, 6 april 2017
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
1

2. www.glcnetworks.com
Agenda
● Introduction
● DDOS attack
● Mitigation
● Demo
● Q & A
2

3. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner
● Mikrotik Certified Consultant
● Mikrotik distributor
3

4. www.glcnetworks.com
About GLC webinar?
● First webinar: january 1, 2010 (title:
tahun baru bersama solaris - new
year with solaris OS)
● As a sharing event with various
topics: linux, networking, wireless,
database, programming, etc
● Regular schedule: every 2 weeks
● Irregular schedule: as needed
● Checking schedule:
http://www.glcnetworks.com/main/sc
hedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge,
experiences, information
4

5. www.glcnetworks.com
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: bandung, Indonesia
● Linux user since 1999
● Mikrotik user since 2007
● Certified Trainer (MTCNA/RE/WE/UME/INE/TCE)
● Mikrotik Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer,
and Lecturer
● Personal website: http://achmadjournal.com
● More info:
http://au.linkedin.com/in/achmadmardiansyah
5

6. www.glcnetworks.com
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
6

7. www.glcnetworks.com
What is Mikrotik?
● Name of a company
● A brand
● A program (e.g. mikrotik academy)
● Headquarter: Riga, Latvia
7

8. www.glcnetworks.com
What are mikrotik products?
● Router OS
○ The OS. Specialized for networking
○ Website: www.mikrotik.com/download
● RouterBoard
○ The hardware
○ RouterOS installed
○ Website: www.routerboard.com
8

9. www.glcnetworks.com
What Router OS can do?
● Go to www.mikrotik.com
○ Download: what_is_routeros.pdf
○ Download: product catalog
○ Download: newsletter
9

10. www.glcnetworks.com
What are Mikrotik training & certifications?
10
Certificate validity is 3 years

11. www.glcnetworks.com
DOS (Denial Of Service)
11

12. www.glcnetworks.com
What is DOS (Denial Of Service)?
● DOS is a condition where a server cannot provide its service
● Some reasons:
○ Too many incoming request (very common reason) -> server busy -> server reject incoming
request (denial)
○ Wrong configuration on server
● Common target server
○ Web server
○ FTP server
○ DNS server
○ Remote access (telnet, ssh)
● What if the request is real?
○ Popular website vs DOS?
12

13. www.glcnetworks.com
How do a DOS happen?
● An update is relased -> normal
● Sudden event (news site effect) -> normal
● Rush hour -> normal
● When its close to a deadline -> normal
● Attacker setup a computer that generates lots of request to a target and keep
doing it until server is very busy -> this is not normal
13

14. www.glcnetworks.com
Why do people do DOS?
● Business competition
● Show off
● For fun
● Attract attention
● Hiding other facts
● Diversion of public attention
● Etc… you name it
14

15. www.glcnetworks.com
What is DDOS (Distributed DOS)?
● DDOS means the DOS attack that is
distributed to many computers
● Many (compromised) computers doing
DOS, attacking same target
● The DDOS traffic can go more than
hundreds mbps
15

16. www.glcnetworks.com
How do i know its a DDOS?
● From your monitoring system (very
common)
● Server log
● Report from users
● etc..
16

17. www.glcnetworks.com
Mitigation
17

18. www.glcnetworks.com
DDOS mitigation
18
● Passive
○ Setup intrusion detection in front of servers to detect an attack
○ Setup firewall in front of the servers which can suppress incoming traffic
○ Applying blackhole on router
● Active
○ Do coordination with CERT (Cyber Emergency Response Team)
○ Inform the origin ISP that one of its IP address is doing attack

19. www.glcnetworks.com
What mikrotik can do?
Mikrotik can be used for:
● Intrusion detection. Using firewall features: connection limit
● Firewall: recommended to use RAW table. See Firewall RAW presentation on
MUM London 2016
● Blackhole: using blackhole feature on router
19

20. www.glcnetworks.com
Mikrotik for Intrusion
detection (mangle)
● Connection limit
● Limit (match when limit is not exceeded)
● Destination limit ( match when given rate
is exceeded)
● PSD (port scan detection)
● Use address list feature to list the IP
address of attacker
20

21. www.glcnetworks.com
Mikrotik for firewall
● Use RAW table with prerouting chain
● RAW table can save your CPU
●
21

22. www.glcnetworks.com
Mikrotik for blackhole
● Using blackhole feature in routing
table
22

23. www.glcnetworks.com
QA
23

24. www.glcnetworks.com
Interested?
Just come to our
training...
Special price for webinar
attendees…
http://www.glcnetworks.c
om/main/schedule
24

25. www.glcnetworks.com
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our facebook page: “GLC networks”
● Slide: http://www.slideshare.net/r41nbuw
● Recording: https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
● Stay tune with our schedule
25