ONNETBD IT
Security & ISP

How ISPs Detect & Prevent DDoS Attacks

DDoS attacks can instantly saturate your upstream links, crash routers and disconnect hundreds of customers. Here’s a practical ISP-focused approach for detecting and mitigating them.

For small and mid-sized ISPs, a serious DDoS attack is not just a technical issue—it’s a business risk. Customers blame you, not the attacker. That’s why early detection and layered defense are critical.

1. Understand What a DDoS Attack Looks Like

A DDoS (Distributed Denial of Service) attack usually shows up as:

  • A sudden spike in traffic on a specific interface or IP range
  • An unusual increase in packets per second (PPS), even when Mbps looks normal
  • Router CPU running very high, a large number of firewall connections, and a full connection-tracking (conntrack) table
  • Some customers, or whole service areas, losing connectivity

2. Build a Baseline of “Normal” Traffic

You can’t detect abnormal traffic if you don’t know what is normal. Use monitoring tools to log:

  • Average Mbps and PPS for each upstream and core interface
  • Daily and weekly patterns (peak vs off-peak)
  • Top ports and protocols used by your customers

Once you know normal patterns, anomalies become easier to detect by eye or via alerts.
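The following is an added example of the baseline idea above, not code from OnnetBD IT or the article. It keeps a mean and standard deviation of Mbps and PPS per interface and hour of day (so peak and off-peak have separate baselines), flags a reading that exceeds mean + k·std, and derives the average packet size from the two counters. All counter values, the interface name `sfp-upstream1` and the threshold parameters are constructed assumptions; in production the samples would come from SNMP or a flow collector.

```python
"""Per-interface traffic baseline with a PPS/Mbps anomaly check.

Added example for the "baseline of normal traffic" step; it is not code
from OnnetBD IT. All counter values here are constructed, not real
measurements; in production you would feed SNMP or flow-collector
counters into Baseline.add().
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    interface: str
    hour: int        # local hour of day (0-23): keeps peak and off-peak baselines separate
    mbps: float
    pps: float


def avg_packet_bytes(mbps: float, pps: float) -> float:
    """Average packet size implied by the two counters; floods of small
    packets (SYN, small UDP) push this far below the normal value."""
    return mbps * 1_000_000 / 8 / pps


class Baseline:
    """Mean and standard deviation of Mbps and PPS per (interface, hour)."""

    def __init__(self) -> None:
        self._values = defaultdict(lambda: {"mbps": [], "pps": []})

    def add(self, s: Sample) -> None:
        bucket = self._values[(s.interface, s.hour)]
        bucket["mbps"].append(s.mbps)
        bucket["pps"].append(s.pps)

    def stats(self, interface: str, hour: int) -> dict:
        key = (interface, hour)
        if key not in self._values:
            raise KeyError(f"no baseline for {interface} at hour {hour:02d}")
        return {m: (mean(v), pstdev(v)) for m, v in self._values[key].items()}

    def check(self, s: Sample, k: float = 3.0, min_std_frac: float = 0.05) -> list:
        """Return the metrics of `s` that exceed mean + k * std for their
        (interface, hour) bucket. The std is floored at min_std_frac of the
        mean so a very flat history does not alert on tiny changes."""
        flagged = []
        for metric, (mu, sd) in self.stats(s.interface, s.hour).items():
            sd = max(sd, mu * min_std_frac)
            if getattr(s, metric) > mu + k * sd:
                flagged.append(metric)
        return flagged


def build_demo_baseline() -> Baseline:
    """Seven constructed evening (21:00) readings for one upstream port."""
    b = Baseline()
    history = [(780, 118_000), (810, 122_000), (795, 119_500), (820, 123_000),
               (805, 121_000), (790, 119_000), (815, 122_500)]
    for mbps, pps in history:
        b.add(Sample("sfp-upstream1", 21, mbps, pps))
    return b


def demo() -> dict:
    """Compare a normal reading with a small-packet flood: the flood barely
    moves Mbps but multiplies PPS, which is the case the article warns about."""
    b = build_demo_baseline()
    normal = Sample("sfp-upstream1", 21, 800, 121_000)
    flood = Sample("sfp-upstream1", 21, 820, 900_000)   # constructed attack reading
    return {
        "normal_flags": b.check(normal),
        "flood_flags": b.check(flood),
        "normal_avg_pkt": round(avg_packet_bytes(normal.mbps, normal.pps)),
        "flood_avg_pkt": round(avg_packet_bytes(flood.mbps, flood.pps)),
    }


if __name__ == "__main__":
    print(demo())
```

The flood reading is flagged on PPS only, and its implied average packet size collapses from roughly 826 bytes to about 114 bytes; watching that ratio alongside raw Mbps is what catches the attacks that bandwidth graphs miss.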

3. Use NetFlow or Traffic Sampling

Enabling traffic sampling (NetFlow/IPFIX/sFlow) exported to a collector lets you see:

  • Which source IPs are sending the attack traffic and which destination IPs receive it
  • Which ports and protocols are used
  • Which customers are being targeted

Even without full NetFlow, simple firewall rules with logging enabled can help identify which targets are being hit.
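As an added example of what a collector-side summary gives you (not code from OnnetBD IT or any particular flow collector), the block below takes sampled flow records, scales the counts back up by the sampling rate, picks the destination receiving the most packets as the likely target, and reports the distinct sources, top ports/protocols and the share of TCP SYNs without ACK aimed at it. The record fields are assumptions modelled on common IPFIX elements, and the flows themselves are constructed using RFC 5737 documentation addresses.

```python
"""Summarise sampled flow records to find the attack target, its sources
and the protocol/port mix.

Added example for the NetFlow/IPFIX/sFlow step; it is not code from
OnnetBD IT. The flow records are constructed and use RFC 5737
documentation addresses; the field names are assumptions modelled on
common IPFIX elements, onto which a real collector export would be mapped.
"""
from collections import Counter
from dataclasses import dataclass

TCP, UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
PROTO_NAMES = {1: "ICMP", TCP: "TCP", UDP: "UDP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dst_port: int
    packets: int      # sampled packet count, not yet scaled
    bytes: int        # sampled byte count, not yet scaled
    tcp_flags: int = 0


def summarize(flows, sampling_rate: int, window_seconds: float, top_n: int = 3) -> dict:
    """Pick the destination receiving the most (scaled) packets and
    describe the traffic aimed at it."""
    pkts_by_dst = Counter()
    for f in flows:
        pkts_by_dst[f.dst] += f.packets * sampling_rate
    target, _ = pkts_by_dst.most_common(1)[0]

    sources, ports = Counter(), Counter()
    total_pkts = total_bytes = syn_only = 0
    for f in flows:
        if f.dst != target:
            continue
        pkts = f.packets * sampling_rate
        total_pkts += pkts
        total_bytes += f.bytes * sampling_rate
        sources[f.src] += pkts
        ports[f"{PROTO_NAMES.get(f.proto, f.proto)}/{f.dst_port}"] += pkts
        # SYN without ACK: connection attempts that never complete
        if f.proto == TCP and f.tcp_flags & TCP_SYN and not f.tcp_flags & TCP_ACK:
            syn_only += pkts

    return {
        "target": target,
        "est_pps": total_pkts / window_seconds,
        "est_mbps": total_bytes * 8 / 1_000_000 / window_seconds,
        "distinct_sources": len(sources),
        "top_sources": sources.most_common(top_n),
        "top_ports": ports.most_common(top_n),
        "syn_only_fraction": syn_only / total_pkts if total_pkts else 0.0,
    }


def demo() -> dict:
    """Constructed 60-second window with 1:1000 packet sampling: two normal
    HTTPS flows plus a SYN flood against one customer IP from six sources."""
    legit = [
        Flow("198.51.100.5", "203.0.113.20", TCP, 443, 40, 48_000, TCP_ACK),
        Flow("198.51.100.77", "203.0.113.10", TCP, 443, 20, 24_000, TCP_ACK),
    ]
    flood = [
        Flow(f"192.0.2.{i}", "203.0.113.10", TCP, 80, 500, 30_000, TCP_SYN)
        for i in range(1, 7)
    ]
    return summarize(legit + flood, sampling_rate=1000, window_seconds=60)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed data the summary points at 203.0.113.10 as the target with about 50,000 pps but only about 27 Mbps, almost all of it SYN-only traffic to TCP/80 spread evenly across several sources; that is the shape of report that lets a NOC choose between a per-source filter and an upstream blackhole for the single targeted address.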

4. MikroTik Filters & SafeKit-Style Rules

On MikroTik, you can use firewall filters and connection limits to drop obvious attack traffic:

  • Limit the rate of SYN packets accepted from a single source IP
  • Drop invalid connections early
  • Block known attack patterns (e.g. UDP floods on specific ports)

A DDoS SafeKit-style ruleset combines multiple techniques:

  • Rate limiting for new connections
  • Filtering at the network edge (as close to the upstream as possible)
  • Separating customer traffic from infrastructure IPs

5. Work with Your Upstream Provider

If the attack is large, your own router can’t handle it alone. You will need:

  • Blackhole routing (remotely triggered blackhole, RTBH) provided by your upstream
  • Scrubbing services or cloud-based mitigation
  • A clear escalation process between your NOC and the upstream NOC

Having pre-agreed procedures is far better than improvising on the day of a big attack.

6. Alerts, Dashboards & Incident Playbooks

Strong monitoring is essential. Your monitoring portal should:

  • Send SMS/Telegram alerts on abnormal traffic spikes
  • Show per-interface and per-IP graphs during the incident
  • Log events for post-mortem analysis

Create a simple runbook listing what your NOC team must check in the first 5–10 minutes of a suspected attack.
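The alerting side of this section, as an added example that is not code from OnnetBD IT: a small debounced alert state machine that consumes one anomaly verdict per monitoring sample (as a baseline check would produce), opens an alert only after several consecutive anomalous samples, clears it only after several consecutive normal ones, keeps the event log for the post-mortem, and attaches a first-minutes checklist distilled from the steps above. The policy values, the `notify()` hook standing in for SMS/Telegram delivery, and the verdict sequence in `demo()` are all constructed assumptions.

```python
"""Debounced alerting for traffic anomaly verdicts.

Added example for the alerts-and-runbook step; it is not code from
OnnetBD IT. It consumes one True/False anomaly verdict per monitoring
sample and raises an alert only after several consecutive anomalous
samples, clearing it only after several normal ones, so one noisy sample
does not page the NOC. notify() is a placeholder for the SMS/Telegram
integration; the verdict sequence in demo() is constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Distilled from the article's own detection and escalation steps; attached
# to every OPEN event so the on-call engineer sees it with the page.
FIRST_MINUTES_CHECKLIST = (
    "1. Confirm on per-interface graphs: which upstream/core port, Mbps vs PPS",
    "2. Check router CPU and connection-tracking load",
    "3. Use flow data to identify the targeted customer IP(s) and protocol/port",
    "4. If the volume exceeds local capacity, request RTBH/scrubbing from upstream",
)


@dataclass(frozen=True)
class AlertPolicy:
    confirm_samples: int = 3   # consecutive anomalous samples before OPEN
    clear_samples: int = 5     # consecutive normal samples before CLEAR


@dataclass(frozen=True)
class Event:
    kind: str          # "OPEN" or "CLEAR"
    ts: int
    interface: str
    detail: str


class AlertStateMachine:
    """One instance per monitored interface."""

    def __init__(self, interface: str, policy: AlertPolicy,
                 notify: Optional[Callable[[Event], None]] = None) -> None:
        self.interface = interface
        self.policy = policy
        self.notify = notify or (lambda e: None)
        self.active = False
        self.bad_streak = 0
        self.good_streak = 0
        self.log: List[Event] = []   # kept for post-mortem analysis

    def observe(self, ts: int, anomalous: bool, detail: str = "") -> Optional[Event]:
        """Feed one sample; return the Event emitted at this step, if any."""
        if anomalous:
            self.bad_streak += 1
            self.good_streak = 0
        else:
            self.good_streak += 1
            self.bad_streak = 0

        event = None
        if not self.active and self.bad_streak >= self.policy.confirm_samples:
            self.active = True
            event = Event("OPEN", ts, self.interface, detail)
        elif self.active and self.good_streak >= self.policy.clear_samples:
            self.active = False
            event = Event("CLEAR", ts, self.interface, detail)

        if event:
            self.log.append(event)
            self.notify(event)
        return event


def demo() -> List[Event]:
    """Constructed verdicts at 1-minute intervals: two isolated spikes, a
    sustained anomaly, then recovery. Only the sustained run should page."""
    verdicts = [False, True, False, True, True, True, True,
                False, False, False, False, False, True]
    sm = AlertStateMachine("sfp-upstream1", AlertPolicy())
    for ts, v in enumerate(verdicts):
        sm.observe(ts, v, detail="pps above baseline" if v else "back to baseline")
    return sm.log


if __name__ == "__main__":
    for e in demo():
        print(f"{e.ts:02d} {e.kind:5s} {e.interface} {e.detail}")
        if e.kind == "OPEN":
            print("\n".join(FIRST_MINUTES_CHECKLIST))
```

With the default policy the isolated spikes at minutes 1 and 3 produce nothing, the alert opens at minute 5 and clears at minute 11; tuning `confirm_samples` trades detection delay against false pages, and the retained `log` is the timeline the post-mortem starts from.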

How OnnetBD IT Supports ISPs

We help ISPs implement:

  • Monitoring dashboards for traffic, PPS and DDoS events
  • SafeKit-style MikroTik firewall templates
  • Integration between monitoring, alerts and NOC processes

👉 Want help designing a DDoS-aware ISP network? Explore our ISP services or request a consultation.