
During the Security session at APRICOT 2026, I presented on Distributed Denial-of-Service (DDoS) in Indonesia and across the world, focusing on recent statistics, year-on-year changes, and implications for operators.
The nice thing about this presentation is that I had previously presented on this topic during IDNOG 9, and the findings at the time were quite disturbing. When I was compiling the data for this version, I was optimistic that things had improved from two years ago. Was my optimism misdirected? Read on and find out!
Indonesia continues to experience some of the highest levels of DDoS activity in the Asia Pacific region. Using data from Cloudflare Radar, Shodan, and CyberGreen, this post examines what has changed since 2024, why reflection and amplification attacks remain a persistent issue, and what operators can do to reduce their exposure and avoid contributing to global attack traffic.
DDoS attacks occur across many layers in the stack, but reflection and amplification at the network and transport layers, particularly using User Datagram Protocol (UDP), remain the most damaging. UDP’s lack of connection establishment makes source address spoofing easy, and services that produce much larger responses than requests can multiply attack traffic quickly.
Operators often feel the impact of DDoS but may not recognize the role their own networks play when vulnerable services are left exposed. Benchmarking helps identify how a network compares with peers across the region and where improvements are needed.
How reflection and amplification attacks work
A reflected amplification attack (Figure 1) uses a simple pattern: an attacker spoofs the victim’s IP address, sends a small request to an open service, and the service replies with a much larger response directed at the victim. Attackers can also get far more bang for their buck from easy-to-find, rentable botnets; you no longer need your own farm of vulnerable hosts to replay these styles of attacks.

Many Internet-facing services can be abused in the way depicted in Figure 1, but amplification potential varies by protocol, as shown in the table below.
| Protocol | Bandwidth amplification factor |
|---|---|
| Multicast DNS (mDNS) | 2–10 |
| BitTorrent | 3.8 |
| NetBIOS | 3.8 |
| Steam Protocol | 5.5 |
| SNMPv2 | 6.3 |
| Portmap (RPCbind) | 7–28 |
| DNS | 28–54 |
| SSDP | 30.8 |
| LDAP | 46–55 |
| TFTP | 60 |
| Quake Network Protocol | 63.9 |
| RIPv1 | 131.24 |
| QOTD | 140.3 |
| CHARGEN | 358.8 |
| NTP | 556.9 |
| Memcached | up to 51,000 |

Table 1 — Bandwidth amplification factor by protocol.
DNS, Simple Service Discovery Protocol (SSDP), Network Time Protocol (NTP), and especially Memcached remain frequent sources of reflection traffic. While operators cannot control the global landscape, they can prevent their own networks from hosting such reflectors.
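Seen from the reflector's side, the pattern in Figure 1 is a small inbound UDP flow to a service port followed by a much larger outbound flow from that port back to the same remote address (the spoofed victim). The script below is an added example, not part of the original post or of any of the tools it cites: it groups constructed flow records by (local host, service port, remote host) and reports pairs whose outbound-to-inbound byte ratio meets a threshold, which is a practical way to find hosts on your own network that are already being used as reflectors. The `Flow` field names, the sample records and the threshold values are assumptions made for the example.

```python
"""Added example (not from the APNIC post): find hosts on your own network
that are acting as reflectors, using flow records.

The flow records and field names are constructed for this example and do
not follow any particular exporter's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP service ports of the reflectors the post discusses (IANA-assigned ports).
REFLECTOR_SERVICES = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "Memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


def bandwidth_amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """BAF as used in Table 1: bytes sent back divided by bytes received."""
    if request_bytes <= 0:
        raise ValueError("request_bytes must be positive")
    return response_bytes / request_bytes


def find_reflectors(flows, min_ratio: float = 10.0, min_packets: int = 20):
    """Group UDP flows by (local host, service port, remote host) and report
    pairs whose outbound bytes exceed inbound bytes by at least min_ratio.

    Returns {(local_ip, port, remote_ip): (service_name, ratio)}. A remote
    host that receives replies with no recorded request gets ratio inf: either
    the request flow was not exported or something is very wrong.
    """
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    out_packets = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port in REFLECTOR_SERVICES:           # request toward a local service
            in_bytes[(f.dst_ip, f.dst_port, f.src_ip)] += f.bytes
        if f.src_port in REFLECTOR_SERVICES:           # reply from a local service
            key = (f.src_ip, f.src_port, f.dst_ip)
            out_bytes[key] += f.bytes
            out_packets[key] += f.packets

    hits = {}
    for key, sent in out_bytes.items():
        if out_packets[key] < min_packets:             # ignore tiny flows
            continue
        received = in_bytes.get(key, 0)
        ratio = bandwidth_amplification_factor(received, sent) if received else float("inf")
        if ratio >= min_ratio:
            hits[key] = (REFLECTOR_SERVICES[key[1]], ratio)
    return hits


# Constructed flow records. 203.0.113.5 plays the spoofed victim address;
# 192.0.2.77 is an ordinary client of the same resolver.
SAMPLE_FLOWS = [
    # 100 spoofed 60-byte queries, each answered with a 3,000-byte reply
    Flow("203.0.113.5", 40000, "198.51.100.10", 53, "udp", 100, 6_000),
    Flow("198.51.100.10", 53, "203.0.113.5", 40000, "udp", 100, 300_000),
    # normal resolver use: replies only a couple of times larger than queries
    Flow("192.0.2.77", 51515, "198.51.100.10", 53, "udp", 30, 2_100),
    Flow("198.51.100.10", 53, "192.0.2.77", 51515, "udp", 30, 4_500),
    # an NTP server abused the same way
    Flow("203.0.113.5", 40003, "198.51.100.20", 123, "udp", 50, 2_500),
    Flow("198.51.100.20", 123, "203.0.113.5", 40003, "udp", 50, 50_000),
    # a TCP flow and a tiny SSDP exchange are ignored
    Flow("203.0.113.5", 40001, "198.51.100.10", 53, "tcp", 5, 400),
    Flow("198.51.100.30", 1900, "203.0.113.5", 40002, "udp", 3, 900),
]

if __name__ == "__main__":
    for (host, port, remote), (svc, ratio) in sorted(find_reflectors(SAMPLE_FLOWS).items()):
        print(f"{host}:{port} ({svc}) -> {remote}: {ratio:.1f}x")
```

The byte ratio, not the packet count, is what separates a busy but healthy resolver from a reflector: the legitimate client above exchanges roughly two bytes out per byte in, while the abused resolver and NTP server sit at 50x and 20x. Sampled flow exports will underestimate the inbound side, so treat a missing request flow as a reason to look closer rather than as proof of abuse.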
Global trends
Cloudflare Radar shows that global DDoS sources shift over time, but large broadband economies consistently appear near the top. In February 2026, Singapore, China, and Indonesia all ranked in the global top five (Table 2).
| October 2023 | | April 2024 | | July 2024 | | February 2026 | |
|---|---|---|---|---|---|---|---|
| USA | 31% | USA | 22.6% | USA | 18.8% | USA | 20.2% |
| India | 9.2% | Germany | 6.5% | Germany | 8.45% | Singapore | 5.0% |
| Germany | 5.4% | China | 5.5% | China | 7.49% | China | 4.9% |
| Brazil | 5.2% | Indonesia | 4.7% | Pakistan | 5.9% | Germany | 4.8% |
| China | 3.3% | Brazil | 4.3% | UK | 4.5% | Indonesia | 4.7% |
Table 2 — Global DDoS source economies (2023–2026). Source 1, 2.
Mirai-derived botnets continue to contribute significantly. In 2024, Mirai was a minor portion of traffic; by early 2026, it accounted for around 10% (Figures 2 and 3).


Indonesia: What the data shows
Indonesia’s largest networks continue to contribute the largest share of attack traffic (Tables 3 and 4). This is expected, as larger address spaces produce more opportunities for misconfigured or compromised devices.
| # | ASN | Network | % |
|---|---|---|---|
| 1 | 7713 | TELKOMNET-AS-AP PT Telekomunikasi Indonesia | 12.0% |
| 2 | 17451 | BIZNET-AS-AP BIZNET NETWORKS | 3.4% |
| 3 | 23693 | TELKOMSEL-ASN-ID PT. Telekomunikasi Selular | 2.5% |
| 4 | 4761 | INDOSAT-INP-AP INDOSAT Internet Network Provider | 2.2% |
| 5 | 38511 | TACHYON-AS-ID PT Remala Abadi | 2.1% |

Table 3 — Top five Indonesian source networks by share of attack traffic.

| # | ASN | Network | % |
|---|---|---|---|
| 1 | 7713 | TELKOMNET-AS-AP PT Telekomunikasi Indonesia | 8.0% |
| 2 | 23693 | TELKOMSEL-ASN-ID PT. Telekomunikasi Selular | 3.7% |
| 3 | 4761 | INDOSAT-INP-AP INDOSAT Internet Network Provider | 3.6% |
| 4 | 17451 | BIZNET-AS-AP BIZNET NETWORKS | 2.3% |
| 5 | 58821 | IDNIC-LJN-AS-ID PT Lintas Jaringan Nusantara | 2.2% |

Table 4 — Top five Indonesian source networks by share of attack traffic.
Attack types
In 2024 (Figure 4), attack types in Indonesia were dominated by DNS amplification, UDP fragmentation, and SYN flooding. By 2026 (Figure 5), the profile had shifted:
- UDP flooding became dominant
- DNS amplification declined
- Mirai traffic increased
- SNMP-based floods appeared more frequently
The presence of SNMP floods is important because open SNMP daemons not only amplify traffic but also allow attackers to explore network topology.
Open services and exposed devices
Shodan data reveals several significant changes.
| Service | August 2024 | February 2026 |
|---|---|---|
| DNS | 103,367 | 99,357 |
| NTP | 66,532 | 73,814 |
| SSDP | 556 | 634 |
| Memcached | 705 | 559 |
| Telnet | 15,838 | 10,186 |
| SNMP | 93,126 | 81,205 |
| Winbox | 73,809 | 56,182 |
Based on this data, we can observe that:
- Open recursive DNS resolvers dropped from ~103,000 to ~99,000
- NTP increased
- SSDP increased
- Memcached declined (thankfully)
- Telnet declined but remains insecure
- SNMP reduced but remains substantial
- Winbox exposure fell significantly (likely due to RouterOS 7 deployments)
Older MikroTik RouterOS versions enabled DNS on Wide Area Network (WAN) interfaces by default. Although fixes have existed for some time, legacy firewall rules often persisted after upgrades. Recent adoption of RouterOS 7 appears to have reduced exposure levels.
Mitigation strategies
Preventing your network from attacking others
Reflection and amplification attacks depend on unsecured and misconfigured services. Even if your customers do not report any issues, your network may still be used as a vector to attack others. Reducing this unwanted traffic strengthens the wider ecosystem and improves the reputation of your network.
Rate limiting and monitoring high-risk protocols such as DNS, NTP, SNMP, and SSDP prevents these services from responding to excessive traffic. Legitimate request volumes for these protocols tend to be predictable; spikes often indicate scanning or abuse.
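Per-client response rate limiting is the concrete form this usually takes on a DNS, NTP or SNMP responder. The model below is an added example, not code from the post or from any daemon's real RRL implementation: each client address gets a token bucket, a reply is sent only when a token is available, and a spoofed burst aimed at one victim address exhausts that address's bucket while clients with ordinary request rates are untouched. The rate, burst and request timestamps are constructed for the example.

```python
"""Added example (not from the APNIC post): per-client response rate
limiting for reflector-prone services, modelled with token buckets.

The rate, burst size and request timestamps are constructed for the example.
"""
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, rate: float, burst: int):
        self.rate = rate          # tokens refilled per second, per client
        self.burst = burst        # bucket capacity, per client
        self.tokens = {}          # client -> tokens currently available
        self.last = {}            # client -> time of last update
        self.dropped = defaultdict(int)

    def allow(self, client: str, now: float) -> bool:
        """Return True if a reply to `client` may be sent at time `now`."""
        tokens = self.tokens.get(client, float(self.burst))
        last = self.last.get(client, now)
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        self.last[client] = now
        if tokens >= 1.0:
            self.tokens[client] = tokens - 1.0
            return True
        self.tokens[client] = tokens
        self.dropped[client] += 1
        return False


def simulate(limiter: ResponseRateLimiter, requests):
    """requests: iterable of (timestamp, client_ip).
    Returns {client_ip: (replies_sent, replies_dropped)}."""
    answered = defaultdict(int)
    for ts, client in sorted(requests):
        if limiter.allow(client, ts):
            answered[client] += 1
    clients = set(answered) | set(limiter.dropped)
    return {c: (answered[c], limiter.dropped[c]) for c in clients}


def sample_requests():
    """Constructed traffic: a normal client and a spoofed burst 'from' a victim."""
    reqs = [(i * 0.5, "192.0.2.77") for i in range(20)]            # 2 queries/s for 10 s
    reqs += [(i * 0.001, "203.0.113.5") for i in range(1000)]      # 1,000 queries in 1 s
    return reqs


if __name__ == "__main__":
    result = simulate(ResponseRateLimiter(rate=10.0, burst=20), sample_requests())
    for client, (sent, dropped) in sorted(result.items()):
        print(f"{client}: {sent} answered, {dropped} dropped")
```

With a refill rate of 10 replies per second and a burst of 20, the normal client never loses a reply, while the victim address receives roughly 30 replies out of 1,000 requests: the bucket's initial 20 plus about 10 refilled during the burst. The amplification the attacker was counting on is capped at the bucket rate rather than the service's full output capacity.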
BCP 38 (Source Address Validation) remains one of the most important measures. By ensuring outbound traffic uses only valid source addresses, operators prevent spoofed packets from leaving their networks. This removes the raw material attackers need to perform reflection attacks.
Residential networks deserve particular attention. Many reflectors are located behind low-cost consumer routers that ship with unsafe defaults. Operators can apply boundary filtering on their residential IP blocks to prevent residential IPs from receiving requests on ports such as 53, 123, 161, and 1900 unless needed. This practice is common in many economies and reduces reflection capacity dramatically.
Recursive DNS resolvers should be limited to authorized IP ranges. If a resolver is intended for internal use, it must not answer public queries. Public recursive services can be delegated to large global DNS operators.
Networks known for emitting spoofed or reflective traffic often face filtering or de-preferencing by peers. Good outbound hygiene, therefore, improves reachability for legitimate users.
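The two filters above, source address validation on the customer edge and port-based boundary filtering on residential blocks, are simple enough to model end to end. The script below is an added example, not part of the post: it forwards a packet from a customer port only if its source address lies in a prefix assigned to that port (BCP 38), and it drops UDP arriving from the Internet toward a residential block on ports 53, 123, 161 or 1900 unless that (host, port) pair is on an explicit exception list. The port names, prefixes, hosts and exception list are constructed assumptions.

```python
"""Added example (not from the APNIC post): a model of two customer-edge
filters, BCP 38 source address validation and residential boundary filtering.

Prefixes, port names, hosts and the exception list are constructed.
"""
import ipaddress
from dataclasses import dataclass

BOUNDARY_PORTS = {53, 123, 161, 1900}   # DNS, NTP, SNMP, SSDP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int


class EdgePolicy:
    def __init__(self, customer_prefixes, residential_blocks, port_exceptions=()):
        # customer_prefixes maps a customer-facing port to the prefixes assigned
        # to the customer behind it; that assignment is what BCP 38 filtering
        # is built from.
        self.customer_prefixes = {
            port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in customer_prefixes.items()
        }
        self.residential = [ipaddress.ip_network(b) for b in residential_blocks]
        # (host, port) pairs allowed to receive reflector-port traffic, e.g. a
        # customer who deliberately runs a public authoritative DNS server.
        self.port_exceptions = {(ipaddress.ip_address(h), p) for h, p in port_exceptions}

    def bcp38_ok(self, ingress_port: str, pkt: Packet) -> bool:
        """Source address validation on traffic entering from a customer port."""
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in self.customer_prefixes.get(ingress_port, []))

    def boundary_ok(self, pkt: Packet) -> bool:
        """Boundary filter on traffic entering from the Internet."""
        if pkt.proto != "udp" or pkt.dst_port not in BOUNDARY_PORTS:
            return True
        dst = ipaddress.ip_address(pkt.dst)
        if not any(dst in block for block in self.residential):
            return True             # server and business ranges are not boundary-filtered
        return (dst, pkt.dst_port) in self.port_exceptions


def sample_policy() -> EdgePolicy:
    """Constructed topology: two customer ports and one residential /24."""
    return EdgePolicy(
        customer_prefixes={"cust-A": ["192.0.2.0/28"], "cust-B": ["192.0.2.16/28"]},
        residential_blocks=["198.51.100.0/24"],
        port_exceptions=[("198.51.100.200", 53)],
    )


if __name__ == "__main__":
    policy = sample_policy()
    spoofed = Packet("203.0.113.9", "198.51.100.10", "udp", 53)
    print("spoofed source on cust-A forwarded:", policy.bcp38_ok("cust-A", spoofed))
    ssdp_in = Packet("203.0.113.9", "198.51.100.77", "udp", 1900)
    print("SSDP toward residential host forwarded:", policy.boundary_ok(ssdp_in))
```

The BCP 38 check only works if the per-port prefix assignment is accurate and maintained, which is why it is easiest on statically addressed customer edges and on BNG/BRAS platforms that know each subscriber's lease. The boundary filter is deliberately one-directional: it stops the Internet from reaching residential reflectors, while residential hosts can still query external DNS and NTP servers because replies arrive with those ports as the source, not the destination.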
Protecting your services from attack
DDoS attacks are increasingly multi-vector, targeting not only bandwidth but also CPU, memory, and control plane resources. Even modest-sized attacks can overwhelm routers or congest under-provisioned aggregation paths.
Effective protection starts with understanding where key services sit in your network and how easily they can be overwhelmed. Anycast deployments spread traffic across multiple sites and increase overall capacity to absorb bursts. Intrusion Prevention Systems (IPS) and DDoS protection systems can detect unusual flows early and apply filters automatically, reducing the window in which attacks cause disruption.
BGP Flowspec is becoming more common among operators because it provides centralized, fine-grained filtering without requiring per-device configuration. The ability to classify and drop (or rate limit) specific traffic patterns quickly is especially valuable during fast-moving attacks.
Architecture also plays an important role. Many small and medium-sized operators use collapsed core network designs, which place forwarding, control, and customer traffic on the same devices. This increases the risk that a single attack cascades across the network. Segmenting management, customer, and core traffic and introducing isolation points improves operational resilience.
Protecting your own services is not only about reducing downtime; it also reduces the risk that an attack on you affects upstream providers or cascades through your peering ecosystem.
Advanced mitigation: RTBH, uRPF, and sRTBH
Remote Triggered Blackholing (RTBH) (Figure 6), combined with loose-mode Unicast Reverse Path Forwarding (uRPF) (Figure 7), allows operators to discard attack traffic close to the source.


Source-based RTBH (sRTBH) uses uRPF to drop packets whose source does not appear in the routing table, isolating malicious hosts without affecting legitimate traffic. When coordinated with upstream providers, these methods provide a scalable way to control attacks.
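The interaction between loose-mode uRPF and the two RTBH variants is easier to see on a tiny forwarding table than in prose. The model below is an added example, not code from the post or from any router vendor: loose uRPF passes a packet only if some route exists for its source address and that route does not point at the discard next hop; sRTBH then works by injecting a host route for the attacking source with the discard next hop, so every router that learns it drops that source, while destination-based RTBH routes the victim prefix to discard and stops all traffic toward it, legitimate included. The interface names, prefixes and addresses are constructed assumptions, as is the `Null0` label for the discard next hop.

```python
"""Added example (not from the APNIC post): loose-mode uRPF, destination RTBH
and source-based RTBH on a tiny forwarding table.

Routes, interface names and addresses are constructed for the example.
"""
import ipaddress

DISCARD = "Null0"     # label for the discard next hop (assumed name)


class Fib:
    def __init__(self):
        self.routes = {}   # ip_network -> next hop label

    def add(self, prefix: str, next_hop: str):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def remove(self, prefix: str):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr: str):
        """Longest-prefix match; returns (network, next_hop) or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, nh in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def loose_urpf_pass(self, src: str) -> bool:
        """Loose uRPF: the source needs some route, and not a discard route."""
        route = self.lookup(src)
        return route is not None and route[1] != DISCARD

    def forward(self, src: str, dst: str) -> str:
        """Returns 'drop:urpf', 'drop:dest-blackhole', 'drop:no-route' or 'fwd:<next hop>'."""
        if not self.loose_urpf_pass(src):
            return "drop:urpf"
        route = self.lookup(dst)
        if route is None:
            return "drop:no-route"
        if route[1] == DISCARD:
            return "drop:dest-blackhole"
        return f"fwd:{route[1]}"


def source_rtbh(fib: Fib, attacker_ip: str):
    """sRTBH: a host route for the attacking source pointing at discard makes
    loose uRPF drop that source everywhere the route is installed."""
    fib.add(f"{attacker_ip}/32", DISCARD)


def destination_rtbh(fib: Fib, victim_ip: str):
    """Classic RTBH: route the victim to discard. Stops the flood, and also
    all legitimate traffic to the victim."""
    fib.add(f"{victim_ip}/32", DISCARD)


def sample_fib() -> Fib:
    fib = Fib()
    fib.add("192.0.2.0/24", "ge-0/0/1")       # customer block
    fib.add("198.51.100.0/24", "ge-0/0/2")    # another customer block
    fib.add("203.0.113.0/24", "upstream")     # learned from a transit provider
    # Deliberately no default route: with 0.0.0.0/0 installed, loose uRPF passes
    # every source unless the platform is told to ignore the default for uRPF.
    return fib


if __name__ == "__main__":
    fib = sample_fib()
    print(fib.forward("203.0.113.66", "192.0.2.10"))   # forwarded
    print(fib.forward("10.0.0.1", "192.0.2.10"))       # unrouted source: drop:urpf
    source_rtbh(fib, "203.0.113.66")
    print(fib.forward("203.0.113.66", "192.0.2.10"))   # now drop:urpf
    print(fib.forward("203.0.113.67", "192.0.2.10"))   # neighbour still forwarded
```

Two caveats fall out of the model. A default route defeats loose uRPF unless the platform is configured to exclude it from the check, and a destination blackhole for the victim also fails loose uRPF for packets the victim sends, so the victim goes silent in both directions until the route is withdrawn. Both RTBH variants are only as scalable as the BGP signalling used to distribute the discard routes, which is why coordinating the blackhole community with upstreams matters.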
Conclusion
Indonesia has made progress reducing some exposures — notably Winbox and DNS — but other services such as NTP, SSDP, and SNMP remain widely open. Attack patterns continue to shift, with Mirai variants now more prominent than in earlier years.
Effective DDoS mitigation requires operators to secure both inbound and outbound paths. By adopting best practices, modernizing customer equipment, filtering high-risk ports, and deploying BCP 38, Indonesian operators can reduce their contribution to global reflection attacks and improve security and stability for their users.
Watch Dave’s APRICOT 2026 presentation or view the slides.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

