[187552] in North American Network Operators' Group
Re: UDP Amplification DDoS - Help!
daemon@ATHENA.MIT.EDU (mike.lyon@gmail.com)
Mon Feb 8 21:50:56 2016
X-Original-To: nanog@nanog.org
From: mike.lyon@gmail.com
In-Reply-To: <10e6b56b34b74f7a86cc7117555de973@AWS-EX01.devgru.local>
Date: Mon, 8 Feb 2016 18:50:51 -0800
To: Mitch Dyer <mdyer@development-group.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Oodles of devices downstream of the 1G? Does the 1G terminate into a router or firewall?
Sounds like there is a compromised host downstream of the 1G that is reporting back its source IP and that is why changing the IP doesn't help.
If you look at the PAT table, any oddities?
Good luck!
-Mike
> On Feb 8, 2016, at 15:14, Mitch Dyer <mdyer@development-group.net> wrote:
>
> Hello,
>
> Hoping someone can point me in the right direction here; even just confirming my suspicions would be incredibly helpful.
>
> A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site; if we change the PAT address for the site, the attack targets the new address at the next occurrence. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS requests originate within the network, but that does not appear to be the case.
>
> We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.
>
> I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
>
> Thanks in advance for any insight.
>
> Mitch
>
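One way to check the question raised in the thread (whether the SSDP/DNS traffic hitting the PAT address is unsolicited reflection or replies to requests from inside the network) is to correlate inbound replies from UDP 53/1900 against outbound requests in a flow capture taken at the 1G edge. This is an added example, not code from either poster; the flow records, the PAT address and the two-second matching window are constructed assumptions.

```python
# Added example (not from the thread): given UDP flow records captured at the
# 1G edge, flag inbound SSDP/DNS replies to the PAT address that have no
# matching outbound request. Replies with a matching request are normal
# traffic; unmatched ones are consistent with amplification traffic reflected
# at the PAT address from requests spoofed elsewhere.
from collections import defaultdict

AMP_PORTS = {53: "dns", 1900: "ssdp"}   # reply source ports named in the thread

# Constructed sample flows: (time_s, src_ip, src_port, dst_ip, dst_port, bytes)
PAT_IP = "198.51.100.10"               # placeholder PAT address (RFC 5737 range)
SAMPLE_FLOWS = [
    (1.0, PAT_IP, 40001, "192.0.2.53", 53, 70),        # legitimate DNS query out
    (1.1, "192.0.2.53", 53, PAT_IP, 40001, 300),       # matching reply in
    (5.0, "203.0.113.7", 1900, PAT_IP, 33000, 3200),   # unsolicited SSDP reply
    (5.0, "203.0.113.8", 1900, PAT_IP, 33000, 3100),   # unsolicited SSDP reply
    (5.2, "203.0.113.9", 53, PAT_IP, 33000, 4000),     # unsolicited DNS reply
]

def unsolicited_replies(flows, pat_ip, window_s=2.0):
    """Return inbound flows from an amplifier port to pat_ip that have no
    outbound request (pat_ip -> same server, same ports) within window_s."""
    outbound = defaultdict(list)   # (server_ip, server_port, client_port) -> [times]
    for t, src, sport, dst, dport, _ in flows:
        if src == pat_ip:
            outbound[(dst, dport, sport)].append(t)
    unmatched = []
    for t, src, sport, dst, dport, nbytes in flows:
        if dst != pat_ip or sport not in AMP_PORTS:
            continue
        requests = outbound.get((src, sport, dport), [])
        if not any(0 <= t - rt <= window_s for rt in requests):
            unmatched.append((t, src, sport, dport, nbytes))
    return unmatched

def summarize(unmatched):
    """Per service: (distinct reflector count, total unmatched reply bytes)."""
    summary = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for _, src, sport, _, nbytes in unmatched:
        entry = summary[AMP_PORTS[sport]]
        entry["reflectors"].add(src)
        entry["bytes"] += nbytes
    return {k: (len(v["reflectors"]), v["bytes"]) for k, v in summary.items()}

if __name__ == "__main__":
    hits = unsolicited_replies(SAMPLE_FLOWS, PAT_IP)
    print(summarize(hits))   # → {'ssdp': (2, 6300), 'dns': (1, 4000)}
```

A large unmatched-reply count from many distinct reflectors points to the PAT address being the reflection target rather than to an internal host sending the requests, which is the distinction the captures in the thread were meant to make.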