In this webinar, we discussed Distributed Denial Of Service (DDOS) attacks and how to deal with them. We discussed several Mikrotik RouterOS features that can be used for intrusion detection, firewalling, and blackhole routing.
The recording is available on YouTube (GLC NETWORKS CHANNEL): https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner
● Mikrotik Certified Consultant
● Mikrotik distributor
About GLC webinar?
● First webinar: January 1, 2010 (title: tahun baru bersama solaris - new year with solaris OS)
● As a sharing event with various topics: linux, networking, wireless, database, programming, etc
● Regular schedule: every 2 weeks
● Irregular schedule: as needed
● Checking schedule:
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge,
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999
● Mikrotik user since 2007
● Certified Trainer (MTCNA/RE/WE/UME/INE/TCE)
● Mikrotik Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer,
● Personal website: http://achmadjournal.com
● More info:
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
What is Mikrotik?
● Name of a company
● A brand
● A program (e.g. mikrotik academy)
● Headquarters: Riga, Latvia
What are mikrotik products?
● Router OS
○ The OS. Specialized for networking
○ Website: www.mikrotik.com/download
○ The hardware
○ RouterOS installed
○ Website: www.routerboard.com
What can RouterOS do?
● Go to www.mikrotik.com
○ Download: what_is_routeros.pdf
○ Download: product catalog
○ Download: newsletter
What are Mikrotik training & certifications?
Certificate validity is 3 years
DOS (Denial Of Service)
What is DOS (Denial Of Service)?
● DOS is a condition where a server cannot provide its service
● Some reasons:
○ Too many incoming requests (very common reason) -> server busy -> server rejects incoming
○ Wrong configuration on server
● Common target server
○ Web server
○ FTP server
○ DNS server
○ Remote access (telnet, ssh)
● What if the request is real?
○ Popular website vs DOS?
How does a DOS happen?
● An update is released -> normal
● Sudden event (news site effect) -> normal
● Rush hour -> normal
● When it's close to a deadline -> normal
● An attacker sets up a computer that generates lots of requests to a target and keeps doing it until the server is very busy -> this is not normal
Why do people do DOS?
● Business competition
● Show off
● For fun
● Attract attention
● Hiding other facts
● Diversion of public attention
● Etc… you name it
What is DDOS (Distributed DOS)?
● DDOS means a DOS attack that is distributed across many computers
● Many (compromised) computers doing DOS, attacking the same target
● The DDOS traffic can go more than
How do I know it's a DDOS?
● From your monitoring system (very
● Server log
● Report from users
○ Set up intrusion detection in front of the servers to detect an attack
○ Set up a firewall in front of the servers which can suppress incoming traffic
○ Apply a blackhole on the router
○ Coordinate with CERT (Cyber Emergency Response Team)
○ Inform the origin ISP that one of its IP addresses is carrying out an attack
What can Mikrotik do?
Mikrotik can be used for:
● Intrusion detection. Using firewall features: connection limit
● Firewall: recommended to use RAW table. See Firewall RAW presentation on MUM London 2016
● Blackhole: using blackhole feature on router
Mikrotik for Intrusion
● Connection limit
● Limit (match when limit is not exceeded)
● Destination limit ( match when given rate
● PSD (port scan detection)
● Use address list feature to list the IP address of attacker
Mikrotik for firewall
● Use RAW table with prerouting chain
● RAW table can save your CPU
Mikrotik for blackhole
● Using blackhole feature in routing
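An added example, not taken from the original slides: a RouterOS configuration sketch that ties the three roles above together (detection into an address list, drop in the RAW prerouting chain, blackhole route). It assumes RouterOS v6 syntax (the route syntax differs in v7); the server address 192.0.2.10, the list name ddos-src, the chain name detect-ddos and all thresholds are constructed placeholders to tune for your own traffic.

```routeros
# Constructed values: 192.0.2.10 = protected web server; list name, chain name and thresholds are examples only.

/ip firewall filter
# Detection 1 (connection limit): one source (/32) holding more than 100 TCP connections to the server.
add chain=forward protocol=tcp dst-address=192.0.2.10 dst-port=80 connection-limit=100,32 action=add-src-to-address-list address-list=ddos-src address-list-timeout=10m comment="detect: connection limit"

# Detection 2 (PSD): port scan detection with weight threshold 21, 3s delay, low-port weight 3, high-port weight 1.
add chain=forward protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=ddos-src address-list-timeout=10m comment="detect: port scan"

# Detection 3 (destination limit): new connections to the server are checked in a sub-chain.
# dst-limit matches while the rate is NOT exceeded, so conforming flows return to the forward chain;
# anything that falls through the return rule is over the rate and gets listed.
add chain=forward connection-state=new dst-address=192.0.2.10 action=jump jump-target=detect-ddos comment="detect: rate per src/dst pair"
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
add chain=detect-ddos action=add-src-to-address-list address-list=ddos-src address-list-timeout=10m

/ip firewall raw
# Firewall: drop listed sources in RAW prerouting, before connection tracking, which is what saves CPU.
add chain=prerouting src-address-list=ddos-src action=drop comment="drop listed sources"

/ip route
# Blackhole: discards ALL traffic routed to the server address, legitimate traffic included.
# Kept disabled here; enable it only when the attack threatens the rest of the network.
add dst-address=192.0.2.10/32 type=blackhole disabled=yes comment="blackhole protected server"
```

The address-list timeout lets entries expire on their own, so a source listed by mistake is not blocked indefinitely; review the list with `/ip firewall address-list print` before relying on it.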
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our facebook page: “GLC networks”
● Slide: http://www.slideshare.net/r41nbuw
● Recording: https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
● Stay tuned for our schedule