DDoS Mitigation Strategies
Abdul Awal
APNIC
#bdNOG19
Are you the Victim (or the Attacker)?
DoS by Layers (TCP/IP Model Attacks)

Layer            Protocols / media                 Example DoS attacks
Application      HTTP, FTP, DHCP, NTP, TFTP, DNS   Reflection and Amplification (DNS, NTP, SSDP, etc.), Slowloris, SIP Flood, Complex DB Queries
Transport        TCP, UDP                          SYN Flood
Internet         IP, ICMP, RIP                     ICMP Flood
Network Access   WiFi, Ethernet, Fiber, Copper     Wi-Fi De-auth & Jamming, Electrical Interference, Construction Equipment
DDoS Attack Pattern in BD
Source: https://radar.cloudflare.com/security/network-layer/bd?dateRange=24w
Reflection & Amplification DDoS Attack

[Diagram: the bad actor's bots send small requests with a spoofed source IP (the victim's address) to open resolvers on the Internet; the resolvers send their replies to the victim, which sits behind its TR/BR/PR (transit, border and peering routers), as unwanted traffic in high volume.]

o Effective Reflection Attack
  o UDP / Connectionless
  o Spoofed Source IP
o Effective Amplification Attack
  o Small request, large reply
  o High BAF (next slide)
Bandwidth Amplification Factors

Protocol              BW Amp. Factor
Multicast DNS         2 - 10
BitTorrent            3.8
NetBIOS               3.8
Stream Protocol       5.5
SNMPv2                6.3
Portmap (RPCbind)     7 - 28
DNS                   28 - 54
SSDP                  30.8
LDAP                  46 - 55
TFTP                  60
Quake Net Protocol    63.9
RIPv1                 131.24
QOTD                  140.3
CHARGEN               358.8
NTP                   556.9
Memcached             Up to 51,000

Source: https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks
Same Vs Separate Router for Transit & Peering

[Diagram, left: one router (TR/BR) carries both the Internet transit link and the IX link. Facing DDoS it runs at high CPU, its bandwidth is exhausted and it becomes unresponsive; local traffic suffers even if the IX link’s BW is not exhausted.]

[Diagram, right: transit on TR, IX peering on a separate PR behind BR. Local traffic is NOT heavily affected while the Transit router deals with DDoS attacks.]
Remotely Triggered Black Hole Filtering

[Diagram: attack traffic towards the victim, and the RTBH signalling (trigger) announcement towards the edge routers.]
Static Routing – Unwanted Routing Loop

[Diagram: Transit – TR – BR – PR, with 100.64.0.0/28 an unused subnet behind BR. Static routes: on BR, S> 0.0.0.0/0 to TR; on the Transit side, S> 100.64.0.0/24 to TR.]

Traffic from the bad actor to an unused subnet (100.64.0.0/28), not yet covered by the IGP, matches no specific route: TR forwards it along the default towards Transit, Transit sends it back to TR via the static 100.64.0.0/24, and the packet loops between the two until its TTL expires.
Pull-up Route – Avoid Unwanted Loop

[Diagram: same topology, with an additional static route on TR: S> 100.64.0.0/24 to NULL, alongside S> 0.0.0.0/0 to TR on BR and S> 100.64.0.0/24 to TR on the Transit side.]

Traffic to an unused subnet (100.64.0.0/28), not yet covered by the IGP, now matches the pull-up route 100.64.0.0/24 to NULL on TR: TR drops the incoming packet if no more specific path exists (it won’t use 0.0.0.0/0), so the loop disappears. Subnets that are in use still have a more specific IGP route, which wins over the /24 discard route.
Mitigation for Connection Exhaustions

• Configure OS level TCP/IP stack settings
  • Enable tcp_tw_reuse (Linux)
  • Decrease TcpTimedWaitDelay (Windows)
  • Enable SYN cookies (default on newer OSs)
• Implement an IPS and/or DDoS filtering on your NGFW
  • Even if your firewall doesn’t provide DDoS protection, some IPS services will block some types of DDoS attacks
• Implement load balancing with additional servers
  • Better yet, configure auto-scaling on your servers/cloud/containers
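As an added example (not from the slides), the following Python script audits a `sysctl -a` style dump against the two Linux settings named above and emits the commands that correct the drift. The dump is constructed, and the helper names (`parse_sysctl`, `find_drift`, `remediation`) are this example's own, not a real tool's API.

```python
# Added example, not from the slides: audit a `sysctl -a` style dump against
# the two Linux settings named on the slide and emit the corrective commands.
# SAMPLE_DUMP is constructed; parse_sysctl/find_drift/remediation are this
# example's own helpers, not a real tool's API.

# Desired values. tcp_syncookies=1 lets the kernel keep accepting connections
# during a SYN flood without holding a half-open socket per SYN.
# tcp_tw_reuse: 0 = off, 1 = reuse TIME-WAIT sockets for new outbound
# connections globally, 2 = loopback only (the default since Linux 4.19).
BASELINE = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_tw_reuse": "1",
}

# Constructed dump, in the "key = value" format that `sysctl -a` prints.
SAMPLE_DUMP = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_tw_reuse = 2
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.ip_forward = 1
"""


def parse_sysctl(dump: str) -> dict:
    """Turn 'key = value' lines into a dict; blank lines and comments are skipped."""
    settings = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def find_drift(settings: dict, baseline: dict = BASELINE) -> dict:
    """Return {key: (current_or_None, wanted)} for every baseline key that is absent or differs."""
    return {
        key: (settings.get(key), wanted)
        for key, wanted in baseline.items()
        if settings.get(key) != wanted
    }


def remediation(drift: dict) -> list:
    """Commands that bring the live kernel in line (persist them under /etc/sysctl.d/ as well)."""
    return [f"sysctl -w {key}={wanted}" for key, (_, wanted) in drift.items()]


if __name__ == "__main__":
    drift = find_drift(parse_sysctl(SAMPLE_DUMP))
    for key, (current, wanted) in drift.items():
        print(f"{key}: current={current} wanted={wanted}")
    print("\n".join(remediation(drift)))
```

One caveat worth knowing before rolling the baseline out: tcp_tw_reuse only affects connections the host itself initiates, so on a server that mostly accepts connections its effect on exhaustion is limited, while SYN cookies are what keep the accept queue alive under a SYN flood.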
Additional Preparation

• Keep the OS and server applications updated
• Private IP or ULA in the Backbone
• Protect the Control Plane
• Rate limit NTP, SNMP, DNS traffic
Are you helping the attacker?
Shodan’s Top Ports in BD
$ shodan search port country:BD
https://www.shodan.io/search?query=country%3ABD
DDoS Attack Flow
Source: https://radar.cloudflare.com/security/network-layer/bd?dateRange=24w (Target = BD, Source = BD)
Port 53 - Why so many are open in BD?

Default ON
o This is called ”Open Resolver”
o Unless absolutely necessary, just disable it
o Otherwise, use firewall filters to allow only specific subnets

Don’t run an open resolver (MikroTik configuration shown on the slide)
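As an added example (not from the slides), the script below runs detection logic over constructed flow records to find what an open resolver looks like from your own border: a local UDP service (DNS/53, NTP/123, SSDP/1900) that answers outside addresses with many times the bytes it receives from them, in line with the BAF table earlier in the deck. `LOCAL_NET`, the thresholds, the flow lines and the helper names are all assumptions of this example.

```python
# Added example, not from the slides: detection logic run over constructed
# flow records to find a local UDP service (DNS/53, NTP/123, SSDP/1900) that
# answers outside addresses with many times the bytes it receives from them,
# which is what an open resolver being used as a reflector looks like from
# your own border. LOCAL_NET, the thresholds, the flow lines and the helper
# names are all assumptions of this example.
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("100.64.1.0/24")   # assumed: the LAN behind your gateway
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}
MIN_OUT_BYTES = 50_000   # ignore conversations too small to matter
MIN_AMP = 10.0           # flag when reply bytes are >= 10x request bytes

# Constructed flow records: src,sport,dst,dport,proto,bytes
FLOWS = """\
100.64.1.5,54321,100.64.1.10,53,udp,120
100.64.1.10,53,100.64.1.5,54321,udp,640
203.0.113.7,3000,100.64.1.10,53,udp,2000
100.64.1.10,53,203.0.113.7,3000,udp,88000
198.51.100.9,123,100.64.1.10,123,udp,2400
100.64.1.10,123,198.51.100.9,123,udp,96000
192.0.2.44,40000,100.64.1.10,53,udp,75
100.64.1.10,53,192.0.2.44,40000,udp,300
"""


def parse_flows(text: str):
    """Yield (src, sport, dst, dport, proto, bytes) tuples from the CSV-like flow lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        yield src, int(sport), dst, int(dport), proto, int(nbytes)


def analyse(text: str = FLOWS, local_net=LOCAL_NET) -> dict:
    """Return reflection findings and the set of outside addresses that queried local DNS."""
    req_bytes = defaultdict(int)   # (local service, port, outside peer) -> bytes received
    rep_bytes = defaultdict(int)   # same key -> bytes sent back
    external_dns_clients = set()
    for src, sport, dst, dport, proto, nbytes in parse_flows(text):
        if proto != "udp":
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Request from outside to a local reflector-capable service
        if dst_ip in local_net and src_ip not in local_net and dport in REFLECTOR_PORTS:
            req_bytes[(dst, dport, src)] += nbytes
            if dport == 53:
                external_dns_clients.add(src)   # evidence of an open resolver
        # Reply from the local service to the outside
        elif src_ip in local_net and dst_ip not in local_net and sport in REFLECTOR_PORTS:
            rep_bytes[(src, sport, dst)] += nbytes
    findings = []
    for key, out in rep_bytes.items():
        amp = out / max(req_bytes.get(key, 0), 1)
        if out >= MIN_OUT_BYTES and amp >= MIN_AMP:
            service, port, peer = key
            # With spoofed requests the "peer" is the victim, not the real requester.
            findings.append({"service": service, "proto": REFLECTOR_PORTS[port],
                             "peer": peer, "amp": round(amp, 1), "bytes_out": out})
    return {"findings": findings, "external_dns_clients": external_dns_clients}


if __name__ == "__main__":
    report = analyse()
    for f in report["findings"]:
        print(f"{f['service']} {f['proto']} -> {f['peer']}: {f['amp']}x amplification, {f['bytes_out']} bytes out")
    print("outside addresses served by local DNS:", sorted(report["external_dns_clients"]))
```

Two signals come out of the same pass: any outside address in `external_dns_clients` shows the resolver is answering the world (the "Default ON" problem above), and a high amplification ratio towards one peer shows it is already being used against that peer. Either one is a reason to apply the subnet filter from the slide.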
BCP 38 / uRPF

In-traffic sourced from:
  LAN Subnet – ACCEPT
  Anything else - DROP

[Diagram: router interface gi0/0 with 100.64.1.1/24, LAN host 100.64.1.5/24.]

o Prevents source IP spoofing
o Limits participating in DDoS
o Very useful - control at source’s GW

MikroTik configuration (the filters use documentation prefixes; substitute your own LAN prefix and interface):
/ip firewall filter add action=drop chain=forward in-interface=$interface src-address=!192.0.2.0/24
/ipv6 firewall filter add action=drop chain=forward in-interface=$interface src-address=!2001:db8:1001::/48
/ip settings set rp-filter=strict
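As an added example (not from the slides), the Python simulator below reproduces the behaviour of the "Unwanted Routing Loop" and "Pull-up Route" slides and of the strict uRPF check on this slide with a plain longest-prefix-match forwarding table. Router names, interfaces, prefixes and the in-use subnet 100.64.0.16/28 are constructed to match the diagrams; `Route`, `Router`, `trace` and `build_topology` are this example's own.

```python
# Added example, not from the slides: a small forwarding simulator that
# reproduces the static-route loop from the "Unwanted Routing Loop" slide, the
# pull-up (discard) route that fixes it, and the strict uRPF / BCP 38 source
# check on a LAN-facing interface. Router names, interfaces, prefixes and the
# in-use subnet 100.64.0.16/28 are constructed to match the diagrams; the
# forwarding behaviour is ordinary longest-prefix match.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str        # CIDR string
    next_hop: str      # neighbouring router name, "NULL" (discard) or "LOCAL" (connected)
    iface: str = "-"   # outgoing interface; only the uRPF check looks at it


@dataclass
class Router:
    name: str
    routes: list = field(default_factory=list)

    def lookup(self, addr: str):
        """Longest-prefix match over this router's table; None if nothing matches."""
        ip = ipaddress.ip_address(addr)
        best, best_len = None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if ip in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def strict_urpf(self, in_iface: str, src: str) -> bool:
        """Strict uRPF: accept only if the best route back to src points out the
        ingress interface. No route or a discard route fails the check."""
        r = self.lookup(src)
        return r is not None and r.next_hop != "NULL" and r.iface == in_iface


def trace(routers: dict, start: str, dst: str, max_hops: int = 16) -> tuple:
    """Walk next hops from `start` until the packet is delivered, discarded or loops."""
    path, cur = [start], start
    while len(path) <= max_hops:
        r = routers[cur].lookup(dst)
        if r is None or r.next_hop == "NULL":
            return "dropped", path
        if r.next_hop == "LOCAL":
            return "delivered", path
        cur = r.next_hop
        if cur in path:                      # revisiting a router = routing loop
            return "loop", path + [cur]
        path.append(cur)
    return "loop", path


def build_topology(pull_up: bool) -> dict:
    """Transit - TR - BR as on the slides; 100.64.0.0/28 is unused and not in the IGP."""
    transit = Router("Transit", [Route("100.64.0.0/24", "TR")])        # upstream static towards the customer
    tr = Router("TR", [Route("0.0.0.0/0", "Transit"),                    # default towards upstream
                       Route("100.64.0.16/28", "BR"),                    # in-use subnet learned via IGP
                       Route("100.64.1.0/24", "BR")])                    # LAN from the uRPF slide
    if pull_up:
        tr.routes.append(Route("100.64.0.0/24", "NULL"))                 # pull-up route: discard unused space
    br = Router("BR", [Route("0.0.0.0/0", "TR", "gi0/1"),
                       Route("100.64.0.16/28", "LOCAL", "gi0/2"),
                       Route("100.64.1.0/24", "LOCAL", "gi0/0")])        # gi0/0 = 100.64.1.1/24 on the slide
    return {r.name: r for r in (transit, tr, br)}


def demo() -> dict:
    loop_topo, fixed_topo = build_topology(False), build_topology(True)
    return {
        "unused_without_pullup": trace(loop_topo, "Transit", "100.64.0.1")[0],        # "loop"
        "unused_with_pullup": trace(fixed_topo, "Transit", "100.64.0.1")[0],          # "dropped"
        "in_use_with_pullup": trace(fixed_topo, "Transit", "100.64.0.17")[0],         # "delivered"
        "lan_host_on_gi0/0": fixed_topo["BR"].strict_urpf("gi0/0", "100.64.1.5"),     # True
        "spoofed_src_on_gi0/0": fixed_topo["BR"].strict_urpf("gi0/0", "203.0.113.9"), # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note how the strict check behaves with the default route present: a spoofed source resolves to 0.0.0.0/0 via gi0/1, not the ingress interface, so it is dropped. That is also why strict uRPF belongs at the customer or LAN edge, where the router has exactly one path back to every legitimate source, and not on a multi-homed transit edge where asymmetric routing would make it drop real traffic.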
Bogon / Martian Route Filter

[Diagram, left: without a bogon filter, the bad actor’s packets with a spoofed (bogon) source IP enter through TR and reach BR/PR.]

o Static - Filter to drop well-known Bogons
o Dynamic – Team Cymru Bogon Peering

[Diagram, right: with the bogon filter in place at TR, return traffic towards the spoofed source is blocked.]
RPKI Origin Validation

[Diagram: AS17821 holds a ROA for 2406:6400::/32-48 (origin AS 17821) in the global RPKI repository. A validator fetches the repository and feeds the router over RPKI-to-Router (RTR). Two announcements for 2406:6400::/48 arrive:]

2406:6400::/48  65551 65550 17821 i   -> origin AS 17821, covered by the ROA: Valid
2406:6400::/48  65553 65552 i         -> origin AS 65552, does not match the ROA: Invalid
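As an added example (not from the slides), this Python block implements RFC 6811 route origin validation against a ROA set and applies it to the two announcements in the diagram. The ROA (2406:6400::/32, maxLength 48, AS17821) and the AS paths come from the slide; `ROA`, `origin_as`, `validate`, `route_decision` and the drop-invalid policy are this example's own.

```python
# Added example, not from the slides: RFC 6811 route origin validation
# against a ROA set, applied to the two announcements on the slide. The ROA
# (2406:6400::/32, maxLength 48, AS17821) and the AS paths come from the
# slide; the helper names and the drop-invalid policy are this example's own.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix
    max_length: int   # longest prefix the origin may announce under it
    asn: int          # authorised origin AS


ROAS = [ROA("2406:6400::/32", 48, 17821)]   # "2406:6400::/32-48  AS17821" on the slide


def origin_as(as_path: str) -> int:
    """Origin AS = the right-most AS number in the path. The trailing origin code
    ('i', 'e', '?') is ignored; AS_SET tokens such as '{65000,65001}' are skipped."""
    asns = [tok for tok in as_path.split() if tok.isdigit()]
    if not asns:
        raise ValueError(f"no AS number in path {as_path!r}")
    return int(asns[-1])


def validate(prefix: str, asn: int, roas=ROAS) -> str:
    """RFC 6811 state for (prefix, origin): 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version == roa_net.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"          # no ROA says anything about this space
    for roa in covering:
        if roa.asn == asn and route.prefixlen <= roa.max_length:
            return "valid"         # one matching ROA is enough
    return "invalid"               # covered, but wrong origin or too specific


def route_decision(prefix: str, as_path: str, roas=ROAS) -> tuple:
    """Common policy: reject Invalid, accept Valid and NotFound (NotFound may get lower preference)."""
    state = validate(prefix, origin_as(as_path), roas)
    return state, ("reject" if state == "invalid" else "accept")


if __name__ == "__main__":
    for prefix, path in [("2406:6400::/48", "65551 65550 17821 i"),
                         ("2406:6400::/48", "65553 65552 i"),
                         ("2406:6400::/56", "65551 65550 17821 i")]:
        state, action = route_decision(prefix, path)
        print(f"{prefix:16} {path:22} -> {state:8} {action}")
```

The third call in the demo is the case the diagram does not show but operators hit most often: the right origin AS announcing a /56 under a /32-48 ROA is Invalid because it exceeds maxLength, so keep maxLength as tight as what you actually announce.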
Default route: Give a thought

Why would I need a DEFAULT route if I have the full BGP table!!!

[Diagram: TR – BR – PR behind the Internet, with "if no specific route > 0.0.0.0/0 to TR", i.e. DEFAULT to upstream. Unwanted traffic leaves towards malicious IPs (the bad actor) using the DEFAULT.]

o I lose control of out-traffic
o Filters don’t work anymore
o BAD traffic still leaves my network
Same Vs Separate Router for Transit & Peering

[Diagram: both topologies again (TR/BR with IX, and TR – BR – PR with IX), this time with > 0.0.0.0/0 to NULL instead of a default towards the Internet: traffic that matches no specific route is discarded rather than sent upstream.]
We need a shift in thought

• “Press the button to stop DDoS” – doesn’t exist
• DDoS is difficult to stop, but we can make it expensive
• The idea is to discourage the attacker or cost them more than they achieve
• Don’t just think as a victim, consider you’re closer to the attacker or part of the attack
• Follow general routing security Best Current Practices
Any questions?
