In this GLC webinar we discuss how to detect network viruses using MikroTik. The topics start from what a virus is and how it works, and then what RouterOS can do to deal with them.
3. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner
● Mikrotik Certified Consultant
● Mikrotik distributor
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since ’99
● Certified Trainer (MTCNA/RE/WE/UME/INE/TCE)
● Mikrotik Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer, and Lecturer
● Personal website: http://achmad.glcnetworks.com
● More info:
http://au.linkedin.com/in/achmadmardiansyah
What are mikrotik products?
● Router OS
○ The OS. Specialized for networking
○ Website: www.mikrotik.com/download
● RouterBoard
○ The hardware
○ RouterOS installed
○ Website: www.routerboard.com
What can RouterOS do?
● Go to www.mikrotik.com
○ Download: what_is_routeros.pdf
○ Download: product catalog
○ Download: newsletter
What are viruses, worms, and Trojan horses?
Virus
● A self-replicating program. Viruses often require a host, and their goal is to
infect other files so that the virus can live longer.
● Nothing to do with biological viruses!
Worms
● Worms are insidious because they rely less (or not at all) upon human
behavior in order to spread themselves from one computer to others.
Trojan Horses
● A Trojan Horse is a program that pretends to be useful but performs some
unwanted action.
Virus characteristic
● Very small size
● Versatile: available for many applications
● Propagation: able to infect other software and other computers
● Can cause catastrophic effects: data loss, slow processing, botnet
● Persistence: able to recur through replication
Virus identification
● Host based (need to install antivirus software on host)
○ Signature based
○ Heuristic
● Network based (analysing traffic that flows through devices)
○ Using protocol analyser
○ IDS (intrusion detection system)
■ Signature based
■ Heuristics
■ Anomaly analytics
○ Devices:
■ Hub
■ Switch -> port mirroring
■ Router -> activate the sniffer feature
On routeros...
● Limit the outgoing SYN rate for SMTP
● Drop/limit outgoing SMB/CIFS ports: 135-139, 445
● Identify source addresses that open a high number of connections -> put them in a src-address-list
● Apply limit / connection-limit
● Use tarpit / drop / reject
● Redirect the customer to a web page
● Set up a whitelist
● run torch
● Run sniffer and send the traffic to protocol analyser software
○ Snort
○ Sourcefire
○ Wireshark
○ etc
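The RouterOS measures listed above, written out as one firewall configuration. This is an added example, not a config from the GLC slides; it assumes RouterOS v6 syntax, ether1 as the upstream interface, a LAN of 192.168.88.0/24, 192.168.88.5 as the only legitimate mail relay, a local notice page served on port 8080 for redirected hosts, and an analysis host at 192.168.88.10 running Wireshark to receive the sniffer stream.

```routeros
# Added example (not from the GLC slides). Assumptions: ether1 = upstream interface,
# LAN = 192.168.88.0/24, mail relay = 192.168.88.5, notice page on port 8080,
# Wireshark host = 192.168.88.10.

/ip firewall address-list
# whitelist: hosts allowed to open many SMTP connections
add list=smtp-whitelist address=192.168.88.5 comment="legitimate mail relay"

/ip firewall filter
# 1. whitelisted hosts bypass the SMTP checks below
add chain=forward src-address-list=smtp-whitelist protocol=tcp dst-port=25 action=accept
# 2. drop SMB/CIFS ports leaving the LAN (the ports worms use to propagate)
add chain=forward out-interface=ether1 protocol=tcp dst-port=135-139,445 action=drop comment="block outgoing SMB/CIFS"
add chain=forward out-interface=ether1 protocol=udp dst-port=135-139 action=drop
# 3. hosts already flagged as infected: tarpit their SMTP (holds the TCP handshake, slows the worm)
add chain=forward src-address-list=infected protocol=tcp dst-port=25 action=tarpit comment="tarpit flagged hosts"
# 4. a LAN host with more than 30 concurrent outgoing SMTP connections is flagged for one day
#    (add-src-to-address-list does not terminate; the packet continues to the next rule)
add chain=forward out-interface=ether1 protocol=tcp dst-port=25 connection-limit=30,32 action=add-src-to-address-list address-list=infected address-list-timeout=1d
# 5. limit outgoing SMTP SYNs per source host: 5/s with a burst of 10, then drop
add chain=forward out-interface=ether1 protocol=tcp dst-port=25 tcp-flags=syn dst-limit=5,10,src-address/1m action=accept
add chain=forward out-interface=ether1 protocol=tcp dst-port=25 tcp-flags=syn action=drop comment="excess SMTP SYN from LAN"

/ip firewall nat
# 6. flagged hosts browsing the web are redirected to the local notice page on port 8080
add chain=dstnat src-address-list=infected protocol=tcp dst-port=80 action=redirect to-ports=8080

/tool sniffer
# 7. stream LAN traffic (TZSP) to the Wireshark host for deeper analysis
set filter-ip-address=192.168.88.0/24 streaming-enabled=yes streaming-server=192.168.88.10
/tool sniffer start

# 8. live view of who is generating the connections (run interactively):
# /tool torch interface=ether1 src-address=192.168.88.0/24 ip-protocol=any port=any
```

Hosts that land in the "infected" list can be reviewed with `/ip firewall address-list print where list=infected`, and the 1d timeout means a cleaned host drops out of the list without manual work.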
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our facebook page: “GLC networks”
● Stay tuned with our schedule