
Fighting DDOS attack

with

GLC webinar, 6 April 2017

Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
www.glcnetworks.com 1
Agenda

● Introduction
● DDOS attack
● Mitigation
● Demo
● Q&A

What is GLC?

● Garda Lintas Cakrawala (www.glcnetworks.com)
● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner
● Mikrotik Certified Consultant
● Mikrotik distributor

About GLC webinar?

● First webinar: January 1, 2010 (title: tahun baru bersama solaris - new year with solaris OS)
● A sharing event with various topics: linux, networking, wireless, database, programming, etc.
● Regular schedule: every 2 weeks
● Irregular schedule: as needed
● Checking schedule: http://www.glcnetworks.com/main/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge, experiences, information

Trainer Introduction

● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999
● Mikrotik user since 2007
● Certified Trainer (MTCNA/RE/WE/UME/INE/TCE)
● Mikrotik Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer, and Lecturer
● Personal website: http://achmadjournal.com
● More info: http://au.linkedin.com/in/achmadmardiansyah

Please introduce yourself

● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?

What is Mikrotik?

● Name of a company
● A brand
● A program (e.g. mikrotik academy)
● Headquarter: Riga, Latvia

What are mikrotik products?

● Router OS
○ The OS. Specialized for networking
○ Website: www.mikrotik.com/download
● RouterBoard
○ The hardware
○ RouterOS installed
○ Website: www.routerboard.com

What can Router OS do?

● Go to www.mikrotik.com
○ Download: what_is_routeros.pdf
○ Download: product catalog
○ Download: newsletter

What are Mikrotik training & certifications?

Certificate validity is 3 years

DOS (Denial Of Service)

What is DOS (Denial Of Service)?

● DOS is a condition where a server cannot provide its service
● Some reasons:
○ Too many incoming requests (very common reason) -> server busy -> server rejects incoming requests (denial)
○ Wrong configuration on the server
● Common target server
○ Web server
○ FTP server
○ DNS server
○ Remote access (telnet, ssh)
● What if the request is real?
○ Popular website vs DOS?

How does a DOS happen?

● An update is released -> normal
● Sudden event (news site effect) -> normal
● Rush hour -> normal
● When it's close to a deadline -> normal
● An attacker sets up a computer that generates lots of requests to a target and keeps doing it until the server is very busy -> this is not normal

Why do people do DOS?

● Business competition
● Show off
● For fun
● Attract attention
● Hiding other facts
● Diversion of public attention
● Etc… you name it

What is DDOS (Distributed DOS)?

● DDOS means a DOS attack that is distributed across many computers
● Many (compromised) computers doing DOS, attacking the same target
● The DDOS traffic can go to more than hundreds of Mbps

How do I know it's a DDOS?

● From your monitoring system (very common)
● Server log
● Report from users
● etc.
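The monitoring indicator on this slide can be produced by the router itself, without waiting for user reports. The script below is an added example (not from the slides, not MikroTik's own code): it is RouterOS v6 script syntax as current in 2017, the server address 192.0.2.10 and the threshold of 2000 tracked connections are assumed values, and the script is meant to be saved under /system script as "ddos-watch" and run from the scheduler.

```routeros
# Added example, not from the slides. RouterOS v6 script; run it every
# minute from /system scheduler. Server address and threshold are assumed.
:local server "192.0.2.10"
:local threshold 2000

# Count the connection-tracking entries whose destination is the server
# (dst-address is stored as "ip:port", so match on the address prefix).
:local n [/ip firewall connection print count-only where dst-address~"^$server:"]

# A sudden jump far above the normal connection count is the classic first
# sign of a (D)DOS; log it so the monitoring system can pick it up.
:if ($n > $threshold) do={
    /log warning ("possible DDoS: " . $n . " tracked connections towards " . $server)
}

# Scheduler entry (assumed names) that runs the saved script once a minute:
# /system scheduler add name=ddos-watch interval=1m on-event=ddos-watch
```

Calibrate the threshold from a few days of normal traffic first; the point is to alert on the deviation from the server's usual load, which is exactly the "rush hour vs. attack" distinction made on the earlier slide.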

Mitigation

DDOS mitigation

● Passive
○ Set up intrusion detection in front of the servers to detect an attack
○ Set up a firewall in front of the servers which can suppress incoming traffic
○ Apply a blackhole route on the router
● Active
○ Coordinate with CERT (Cyber Emergency Response Team)
○ Inform the origin ISP that one of its IP addresses is performing an attack

What can Mikrotik do?

Mikrotik can be used for:

● Intrusion detection. Using firewall features: connection limit
● Firewall: recommended to use RAW table. See Firewall RAW presentation on MUM London 2016
● Blackhole: using blackhole feature on router

Mikrotik for Intrusion detection (mangle)

● Connection limit
● Limit (match when limit is not exceeded)
● Destination limit (match when given rate is exceeded)
● PSD (port scan detection)
● Use address list feature to list the IP address of attacker
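The five features on this slide, written out as one detection ruleset. This is an added example, not from the slides and not MikroTik's own documentation: RouterOS v6 CLI syntax as current in 2017 is assumed, 192.0.2.10 is a constructed web-server address, and every threshold, list name and timeout is an assumed value to be tuned per network. The rules only record offenders in address lists; dropping is left to the RAW table. The jump/return pattern relies on dst-limit matching while a source is still within its per-source rate, so only sources that exceeded it fall through to the listing rule.

```routeros
# Added example, not from the slides. RouterOS v6 syntax (2017) is assumed;
# 192.0.2.10 is a constructed web-server address; thresholds, list names and
# timeouts are assumed values. These mangle rules only fill address lists.
/ip firewall mangle

# Connection limit: a source holding more than 100 concurrent TCP connections
# to the web server (netmask 32 = counted per single address) is listed for a day.
add chain=prerouting protocol=tcp dst-address=192.0.2.10 dst-port=80,443 \
    connection-limit=100,32 action=add-src-to-address-list \
    address-list=ddos-suspect address-list-timeout=1d comment="conn-limit"

# Destination limit: new connections to the server are rated per source
# address. The return rule matches while a source stays under 32 new
# connections/second (burst 32, bucket kept 10s); a source above that
# falls through and is listed for 10 minutes.
add chain=prerouting connection-state=new dst-address=192.0.2.10 \
    action=jump jump-target=detect-ddos
add chain=detect-ddos dst-limit=32,32,src-address/10s action=return
add chain=detect-ddos action=add-src-to-address-list \
    address-list=ddos-suspect address-list-timeout=10m comment="dst-limit"

# Limit (matches while the rate is NOT exceeded): up to 5 ICMP echo requests
# per second (burst 5) are accepted; anything beyond lists the sender.
add chain=prerouting protocol=icmp icmp-options=8:0 limit=5,5:packet action=accept
add chain=prerouting protocol=icmp icmp-options=8:0 \
    action=add-src-to-address-list address-list=icmp-flooder address-list-timeout=10m

# Port scan detection: psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
# A source reaching weight 21 within 3 seconds (low ports weigh 3, high ports 1)
# is listed for two weeks.
add chain=prerouting protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanner address-list-timeout=2w

# Inspect what the detection has caught:
/ip firewall address-list print where list=ddos-suspect
```

Keep the timeouts short at first (minutes, not days) until the thresholds are known not to catch legitimate heavy clients such as NAT gateways, which share one source address among many users.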

Mikrotik for firewall

● Use RAW table with prerouting chain
● RAW table can save your CPU

Mikrotik for blackhole

● Using blackhole feature in routing table
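The two enforcement steps from the "Mikrotik for firewall" and "Mikrotik for blackhole" slides, as one added example (not from the slides, not MikroTik's own code). RouterOS v6 syntax is assumed (the blackhole route is created with type=blackhole, as in v6); 192.0.2.10 is a constructed server address, and the address-list names are assumed to be the ones filled by the detection rules (ddos-suspect, port-scanner, icmp-flooder).

```routeros
# Added example, not from the slides. RouterOS v6 syntax assumed; 192.0.2.10
# is a constructed server address; list names are assumed.
/ip firewall raw
# RAW prerouting runs before connection tracking, so packets from listed
# sources are discarded without ever creating a conntrack entry. That is
# why the slide says the RAW table saves CPU under a flood.
add chain=prerouting src-address-list=ddos-suspect action=drop comment="ddos suspects"
add chain=prerouting src-address-list=port-scanner action=drop comment="port scanners"
add chain=prerouting src-address-list=icmp-flooder protocol=icmp action=drop comment="icmp flood"

# Blackhole: when the flood saturates the uplink regardless of filtering,
# a /32 blackhole route discards everything to the attacked address on this
# router. It sacrifices that one address to keep the rest of the network
# reachable, so remove it as soon as the attack subsides.
/ip route
add dst-address=192.0.2.10/32 type=blackhole comment="ddos victim - remove after attack"

# Verify that the rules are hitting and what is blackholed:
/ip firewall raw print stats
/ip route print where type=blackhole
```

Order matters: the RAW drops must sit before any RAW notrack or accept rules so that listed sources never reach the filter or mangle tables at all.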

Q&A

Interested?
Just come to our training...
Special price for webinar attendees…

http://www.glcnetworks.com/main/schedule

End of slides

● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our facebook page: “GLC networks”
● Slide: http://www.slideshare.net/r41nbuw
● Recording: https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
● Stay tuned with our schedule
