In this webinar we discussed Distributed Denial of Service (DDoS) attacks and how to deal with them. We discussed several features of MikroTik RouterOS that can be used for intrusion detection, firewall, and blackhole route.
The recording is available on YouTube (GLC Networks channel): https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
3. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner
● Mikrotik Certified Consultant
● Mikrotik distributor
4. About GLC webinar?
● First webinar: January 1, 2010 (title: tahun baru bersama solaris - new year with Solaris OS)
● A sharing event with various topics: Linux, networking, wireless, database, programming, etc.
● Regular schedule: every 2 weeks
● Irregular schedule: as needed
● Checking the schedule: http://www.glcnetworks.com/main/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge, experiences, information
5. Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999
● Mikrotik user since 2007
● Certified Trainer (MTCNA/RE/WE/UME/INE/TCE)
● Mikrotik Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer, and Lecturer
● Personal website: http://achmadjournal.com
● More info: http://au.linkedin.com/in/achmadmardiansyah
8. What are MikroTik products?
● RouterOS
○ The OS, specialized for networking
○ Website: www.mikrotik.com/download
● RouterBoard
○ The hardware
○ RouterOS installed
○ Website: www.routerboard.com
9. What can RouterOS do?
● Go to www.mikrotik.com
○ Download: what_is_routeros.pdf
○ Download: product catalog
○ Download: newsletter
12. What is DoS (Denial of Service)?
● DoS is a condition where a server cannot provide its service
● Some reasons:
○ Too many incoming requests (very common reason) -> server busy -> server rejects incoming requests (denial)
○ Wrong configuration on server
● Common target server
○ Web server
○ FTP server
○ DNS server
○ Remote access (telnet, ssh)
● What if the requests are real?
○ Popular website vs DoS?
13. How does a DoS happen?
● An update is released -> normal
● Sudden event (news site effect) -> normal
● Rush hour -> normal
● When it's close to a deadline -> normal
● An attacker sets up a computer that generates lots of requests to a target and keeps doing it until the server is very busy -> this is not normal
14. Why do people do DoS?
● Business competition
● Show off
● For fun
● Attract attention
● Hiding other facts
● Diversion of public attention
● Etc… you name it
15. What is DDoS (Distributed DoS)?
● DDoS means a DoS attack that is distributed across many computers
● Many (compromised) computers doing DoS, attacking the same target
● The DDoS traffic can exceed hundreds of Mbps
16. How do I know it's a DDoS?
● From your monitoring system (very common)
● Server logs
● Reports from users
● etc.
18. DDoS mitigation
● Passive
○ Set up intrusion detection in front of the servers to detect an attack
○ Set up a firewall in front of the servers which can suppress incoming traffic
○ Apply a blackhole route on the router
● Active
○ Coordinate with CERT (Cyber Emergency Response Team)
○ Inform the origin ISP that one of its IP addresses is performing the attack
19. What can MikroTik do?
MikroTik can be used for:
● Intrusion detection, using firewall features: connection limit
● Firewall: recommended to use the RAW table. See the Firewall RAW presentation from MUM London 2016
● Blackhole: using the blackhole route feature on the router
20. MikroTik for intrusion detection (mangle)
● Connection limit
● Limit (match when limit is not exceeded)
● Destination limit (match when given rate is exceeded)
● PSD (port scan detection)
● Use the address list feature to list the IP addresses of attackers
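The three passive steps from the slides above (detection in the mangle table, suppression in the RAW table, blackhole route), worked out as one RouterOS configuration. This is an added example, not the presentation's or MikroTik's own material. It uses RouterOS v6 command syntax and assumes a protected web server at 203.0.113.10 (a documentation address), the address-list names ddos-suspect and port-scanners, and the thresholds shown; all of these are illustration values to be tuned. One point the example depends on: in RouterOS the limit and dst-limit matchers match traffic that is still within the configured rate, so the rule placed after them is the one that sees the excess, and the detection chain is built around that.

```routeros
# Added example, not from the presentation. RouterOS v6 syntax. Assumed values:
# protected web server 203.0.113.10 (documentation address), address lists
# "ddos-suspect" and "port-scanners", and the thresholds below.

# --- Step 1: intrusion detection in the mangle table -----------------------
/ip firewall mangle
# Send new TCP connections destined for the server through a detection chain.
add chain=prerouting dst-address=203.0.113.10 protocol=tcp dst-port=80,443 \
    connection-state=new action=jump jump-target=ddos-detect \
    comment="classify new connections to the web server"

# connection-limit matches once a source (/32 here) holds more than the given
# number of concurrent connections: list it for one day.
add chain=ddos-detect connection-limit=100,32 \
    action=add-src-to-address-list address-list=ddos-suspect \
    address-list-timeout=1d comment="more than 100 concurrent connections"

# dst-limit, like limit, matches while the rate is still within bounds
# (here 50 new connections/s per src-address, burst 50, state kept 10s),
# so sources inside the limit leave the chain here ...
add chain=ddos-detect dst-limit=50,50,src-address/10s action=return \
    comment="within per-source rate: not suspicious"
# ... and only the excess reaches this rule and gets listed.
add chain=ddos-detect action=add-src-to-address-list \
    address-list=ddos-suspect address-list-timeout=1d \
    comment="per-source new-connection rate exceeded"

# Port scan detection: weight threshold 21, delay 3s, low-port weight 3,
# high-port weight 1 (the values used in the RouterOS manual example).
add chain=prerouting protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d comment="port scan detection"

# --- Step 2: suppress listed sources in the RAW table ----------------------
# RAW prerouting runs before connection tracking, so dropping here costs far
# less CPU and conntrack memory than a drop in the filter table.
/ip firewall raw
add chain=prerouting src-address-list=ddos-suspect action=drop \
    comment="drop sources flagged by the detection rules"
add chain=prerouting src-address-list=port-scanners action=drop \
    comment="drop port scanners"

# --- Step 3: blackhole route ----------------------------------------------
/ip route
# A blackhole route matches on destination. Blackholing the attacked host
# itself (and announcing that route to the upstream ISP, which is how remote
# triggered blackholing works) sacrifices one address so that the link stays
# usable for every other service behind the router.
add dst-address=203.0.113.10/32 type=blackhole \
    comment="RTBH for the attacked host; remove when the attack is over"

# Inspect what the detection rules caught.
/ip firewall address-list print where list=ddos-suspect
```

Order matters here: RAW prerouting runs before mangle and before connection tracking, so once a source is on a list its packets never reach the detection rules again, and address-list-timeout lets the entry expire on its own. Check the server's normal peak (the "popular website vs DoS" question from slide 12) against the thresholds before enabling the RAW drop rules, otherwise legitimate bursts will be listed too; watching the address lists for a while with only the mangle rules active is the safe way to calibrate.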
25. End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our Facebook page: “GLC networks”
● Slides: http://www.slideshare.net/r41nbuw
● Recording: https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
● Stay tuned with our schedule