[187551] in North American Network Operators' Group
UDP Amplification DDoS - Help!
daemon@ATHENA.MIT.EDU (Mitch Dyer)
Mon Feb  8 21:26:37 2016
From: Mitch Dyer <mdyer@development-group.net>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Mon, 8 Feb 2016 23:14:06 +0000
Hello,
Hoping someone can point me in the right direction here; even just confirming my suspicions would be incredibly helpful.

A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site; if we change the PAT address for the site, the attack targets the new address at the next occurrence. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS requests originate within the network, but that does not appear to be the case.

We've reached out for some assistance from the upstream carrier, but they've only been able to enforce a 24-hour block.

I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this, or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
Thanks in advance for any insight.
Mitch
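The check the post describes, deciding whether inbound SSDP/DNS traffic at the PAT address was ever requested from inside the network, can be automated over flow records. This is an added example, not code from the original post: it assumes a constructed list of (timestamp, src, sport, dst, dport, bytes) tuples and uses 203.0.113.10 as a placeholder for the customer's PAT address.

```python
# Added example (not from the original post): flag inbound UDP replies from
# SSDP (1900) and DNS (53) that no outbound request from the PAT address explains.
from collections import defaultdict

AMP_PORTS = {53: "DNS", 1900: "SSDP"}

# Constructed flow records: (timestamp, src_ip, src_port, dst_ip, dst_port, bytes).
# 203.0.113.10 is a placeholder for the PAT address under attack.
SAMPLE_FLOWS = [
    (100.0, "203.0.113.10", 40001, "198.51.100.5", 53, 64),    # legitimate outbound DNS query
    (100.1, "198.51.100.5", 53, "203.0.113.10", 40001, 180),   # its reply (solicited)
    (100.2, "192.0.2.77", 1900, "203.0.113.10", 80, 1400),     # SSDP reply nobody asked for
    (100.3, "192.0.2.78", 1900, "203.0.113.10", 80, 1400),
    (100.4, "192.0.2.79", 53, "203.0.113.10", 80, 3000),       # DNS reply nobody asked for
]

def find_unsolicited_replies(flows, pat_ip, window=2.0):
    """Return inbound replies from amplification ports with no matching
    outbound request from pat_ip in the preceding `window` seconds."""
    requests = defaultdict(list)  # (remote_ip, remote_port, local_port) -> [timestamps]
    hits = []
    for ts, src, sport, dst, dport, nbytes in sorted(flows):
        if src == pat_ip:                      # outbound: remember the request
            requests[(dst, dport, sport)].append(ts)
            continue
        if dst != pat_ip or sport not in AMP_PORTS:
            continue                           # not an inbound reply of interest
        recent = [t for t in requests[(src, sport, dport)] if 0 <= ts - t <= window]
        if not recent:                         # reflected traffic: no request explains it
            hits.append({"service": AMP_PORTS[sport], "reflector": src, "bytes": nbytes})
    return hits

def summarize(hits):
    """Per service: number of distinct reflectors and total unsolicited bytes."""
    agg = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for h in hits:
        agg[h["service"]]["reflectors"].add(h["reflector"])
        agg[h["service"]]["bytes"] += h["bytes"]
    return {k: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"]} for k, v in agg.items()}

if __name__ == "__main__":
    print(summarize(find_unsolicited_replies(SAMPLE_FLOWS, "203.0.113.10")))
```

A large share of inbound port-53/1900 traffic with no matching outbound request is the signature of reflection rather than of internal hosts misbehaving, which is the distinction the upstream carrier will need when asked for filtering beyond a temporary block.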