
Fighting DDOS attack with mikrotik

In this webinar we discussed Distributed Denial Of Service (DDOS) attacks and how to deal with them. We covered several features of Mikrotik RouterOS that can be used for intrusion detection, firewalling, and blackhole routing.

The recording is available on YouTube (GLC NETWORKS CHANNEL): https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg


  1. www.glcnetworks.com
     Fighting DDOS attack with Mikrotik
     GLC webinar, 6 April 2017
     Achmad Mardiansyah (achmad@glcnetworks.com), GLC Networks, Indonesia
  2. Agenda
     ● Introduction
     ● DDOS attack
     ● Mitigation
     ● Demo
     ● Q & A
  3. What is GLC?
     ● Garda Lintas Cakrawala (www.glcnetworks.com)
     ● An Indonesian company
     ● Located in Bandung
     ● Areas: Training, IT Consulting
     ● Mikrotik Certified Training Partner
     ● Mikrotik Certified Consultant
     ● Mikrotik distributor
  4. About GLC webinar
     ● First webinar: January 1, 2010 (title: tahun baru bersama solaris - new year with Solaris OS)
     ● A sharing event with various topics: Linux, networking, wireless, database, programming, etc.
     ● Regular schedule: every 2 weeks
     ● Irregular schedule: as needed
     ● Checking the schedule: http://www.glcnetworks.com/main/schedule
     ● You are invited to be a presenter
       ○ No need to be an expert
       ○ This is a forum for sharing: knowledge, experiences, information
  5. Trainer Introduction
     ● Name: Achmad Mardiansyah
     ● Base: Bandung, Indonesia
     ● Linux user since 1999
     ● Mikrotik user since 2007
     ● Certified Trainer (MTCNA/RE/WE/UME/INE/TCE)
     ● Mikrotik Certified Consultant
     ● Work: Telco engineer, Sysadmin, PHP programmer, and Lecturer
     ● Personal website: http://achmadjournal.com
     ● More info: http://au.linkedin.com/in/achmadmardiansyah
  6. Please introduce yourself
     ● Your name
     ● Your company/university?
     ● Your networking experience?
     ● Your Mikrotik experience?
     ● Your expectation from this course?
  7. What is Mikrotik?
     ● Name of a company
     ● A brand
     ● A program (e.g. Mikrotik Academy)
     ● Headquarters: Riga, Latvia
  8. What are Mikrotik products?
     ● RouterOS
       ○ The OS, specialized for networking
       ○ Website: www.mikrotik.com/download
     ● RouterBoard
       ○ The hardware
       ○ RouterOS installed
       ○ Website: www.routerboard.com
  9. What can RouterOS do?
     ● Go to www.mikrotik.com
       ○ Download: what_is_routeros.pdf
       ○ Download: product catalog
       ○ Download: newsletter
  10. What are Mikrotik training & certifications?
     ● Certificate validity is 3 years
  11. DOS (Denial Of Service)
  12. What is DOS (Denial Of Service)?
     ● DOS is a condition where a server cannot provide its service
     ● Some reasons:
       ○ Too many incoming requests (very common reason) -> server busy -> server rejects incoming requests (denial)
       ○ Wrong configuration on the server
     ● Common target servers
       ○ Web server
       ○ FTP server
       ○ DNS server
       ○ Remote access (telnet, ssh)
     ● What if the requests are real?
       ○ Popular website vs DOS?
  13. How does a DOS happen?
     ● An update is released -> normal
     ● Sudden event (news site effect) -> normal
     ● Rush hour -> normal
     ● When it's close to a deadline -> normal
     ● An attacker sets up a computer that generates lots of requests to a target and keeps doing it until the server is very busy -> this is not normal
  14. Why do people do DOS?
     ● Business competition
     ● Show off
     ● For fun
     ● Attract attention
     ● Hiding other facts
     ● Diversion of public attention
     ● Etc… you name it
  15. What is DDOS (Distributed DOS)?
     ● DDOS means a DOS attack that is distributed across many computers
     ● Many (compromised) computers doing DOS, attacking the same target
     ● DDOS traffic can exceed hundreds of Mbps
  16. How do I know it's a DDOS?
     ● From your monitoring system (very common)
     ● Server log
     ● Reports from users
     ● etc.
  17. Mitigation
  18. DDOS mitigation
     ● Passive
       ○ Set up intrusion detection in front of the servers to detect an attack
       ○ Set up a firewall in front of the servers which can suppress incoming traffic
       ○ Apply a blackhole route on the router
     ● Active
       ○ Coordinate with the CERT (Cyber Emergency Response Team)
       ○ Inform the origin ISP that one of its IP addresses is doing the attack
  19. What can Mikrotik do? Mikrotik can be used for:
     ● Intrusion detection, using firewall features: connection limit
     ● Firewall: recommended to use the RAW table. See the Firewall RAW presentation at MUM London 2016
     ● Blackhole: using the blackhole feature on the router
  20. Mikrotik for intrusion detection (mangle)
     ● Connection limit
     ● Limit (match when limit is not exceeded)
     ● Destination limit (match when given rate is exceeded)
     ● PSD (port scan detection)
     ● Use the address list feature to list the IP addresses of attackers
  21. Mikrotik for firewall
     ● Use the RAW table with the prerouting chain
     ● The RAW table can save your CPU
  22. Mikrotik for blackhole
     ● Using the blackhole feature in the routing table
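As an added example (not part of the deck or of GLC's demo), the three building blocks from slides 20-22 combined into one RouterOS v6-style configuration: detection in mangle feeding an address list, a RAW prerouting drop for listed sources, and a blackhole route held in reserve. The protected host 203.0.113.10, the ports, the thresholds and the list name `ddos-attackers` are assumed values, not figures from the talk.

```routeros
# Added example. 203.0.113.10 (documentation range), ports and thresholds
# are assumptions; tune them to the server's real traffic profile.

# --- Slide 20: intrusion detection in mangle -------------------------------
/ip firewall mangle
# connection-limit: one source holding more than 50 connections to the
# web server is recorded as an attacker for one hour.
add chain=prerouting protocol=tcp dst-address=203.0.113.10 dst-port=80,443 \
    connection-state=new connection-limit=50,32 \
    action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=1h comment="detect: >50 connections per source"

# dst-limit matches while the rate is NOT exceeded, so new connections are
# sent to a sub-chain that returns for normal rates and lists the rest.
add chain=prerouting dst-address=203.0.113.10 connection-state=new \
    action=jump jump-target=detect-ddos comment="detect: new connection rate"
add chain=detect-ddos dst-limit=30,30,src-address/10s action=return \
    comment="<=30 new conn/s per source: normal, continue"
add chain=detect-ddos action=add-src-to-address-list \
    address-list=ddos-attackers address-list-timeout=1h \
    comment="rate exceeded: record attacker"

# psd: weight threshold 21, 3s window, low ports weight 3, high ports 1.
add chain=prerouting protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=1h comment="detect: port scan"

# --- Slide 21: RAW prerouting drop -----------------------------------------
# RAW runs before connection tracking and before mangle, so packets from a
# listed source are discarded at the cheapest point; this is where the CPU
# saving comes from. Because dropped traffic never reaches the mangle rules
# again, the list entry simply expires after 1h and the source is re-tested.
/ip firewall raw
add chain=prerouting src-address-list=ddos-attackers action=drop \
    comment="drop listed attackers before conntrack"

# --- Slide 22: blackhole route ---------------------------------------------
# Last resort when the firewall alone cannot keep up: discard everything to
# the attacked host. Kept disabled and enabled only during an incident.
/ip route
add dst-address=203.0.113.10/32 type=blackhole disabled=yes \
    comment="incident only: blackhole attacked host"
```

Watch `/ip firewall address-list print where list=ddos-attackers` during normal traffic before trusting the thresholds; a legitimate NAT gateway with many users behind it can trip the connection-limit rule.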
  23. QA
  24. Interested? Just come to our training... Special price for webinar attendees… http://www.glcnetworks.com/main/schedule
  25. End of slides
     ● Thank you for your attention
     ● Please submit your feedback: http://bit.ly/glcfeedback
     ● Like our Facebook page: "GLC networks"
     ● Slide: http://www.slideshare.net/r41nbuw
     ● Recording: https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
     ● Stay tuned with our schedule
