[187554] in North American Network Operators' Group


Re: UDP Amplification DDoS - Help!

daemon@ATHENA.MIT.EDU (Faisal Imtiaz)
Mon Feb 8 21:56:49 2016

X-Original-To: nanog@nanog.org
Date: Tue, 9 Feb 2016 02:55:58 +0000 (GMT)
From: Faisal Imtiaz <faisal@snappytelecom.net>
To: Mitch Dyer <mdyer@development-group.net>
In-Reply-To: <10e6b56b34b74f7a86cc7117555de973@AWS-EX01.devgru.local>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Not quite sure what kind of info / confirmation you are looking for...

There are lots of articles (do a google search) on this topic as well as mitigation ...

e.g.

http://blog.nexusguard.com/ssdp-ddos-attacks/

&
https://tools.ietf.org/html/bcp38

Regards

Faisal Imtiaz
Snappy Internet & Telecom

----- Original Message -----
> From: "Mitch Dyer" <mdyer@development-group.net>
> To: "nanog list" <nanog@nanog.org>
> Sent: Monday, February 8, 2016 6:14:06 PM
> Subject: UDP Amplification DDoS - Help!

> Hello,
> 
> Hoping someone can point me in the right direction here, even just confirming my
> suspicions would be incredibly helpful.
> 
> A little bit of background: I have a customer I'm working with that is
> downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily
> basis. Through several captures I've seen what appear to be a mixture of SSDP
> and DNS amplification attacks (though not at the same time). The attack itself
> seems to target the PAT address associated with a specific site, if we change
> the PAT address for the site, the attack targets the new address at the next
> occurrence. We've tried setting up captures and logging inside the network to
> determine if the SSDP/DNS request originate within the network but that does
> not appear to be the case.
> 
> We've reached out for some assistance from the upstream carrier but they've only
> been able to enforce a 24-hour block.
> 
> I'm hoping someone with some experience on this topic would be able to shed some
> light on a better way to attack this or would be willing to confirm that we are
> simply SOL without prolonged assistance from the upstream carrier.
> 
> Thanks in advance for any insight.
> 
> Mitch
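
The original poster says he separated SSDP from DNS amplification by hand from several captures and also tried to check whether the requests originate inside his network. The following is an added example, not code from either poster, that does both steps over flow records exported from such a capture: it keeps only inbound UDP from well-known reflector source ports, drops responses the victim actually solicited (a matching outbound request shortly before), and reports per victim and service how many distinct reflectors hit it and how large the responses are. The record format, the thresholds, the reflector port table and the sample flows (TEST-NET addresses) are all assumptions constructed for the example.

```python
"""Classify UDP flow records as amplification/reflection traffic.

Added example for the SSDP/DNS amplification thread; not from the original
posts. Assumes flows were exported from a capture (e.g. tshark or a NetFlow
collector) into the constructed Flow record below.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by their source port.
REFLECTOR_PORTS = {53: "DNS", 1900: "SSDP", 123: "NTP", 161: "SNMP",
                   19: "CHARGEN", 11211: "MEMCACHED"}


@dataclass(frozen=True)
class Flow:
    ts: float   # flow start, seconds since capture start (assumed field)
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    byts: int


def solicited(flow, flows, window=2.0):
    """True if the victim sent a request to this reflector's service port
    within `window` seconds before the inbound flow started."""
    for f in flows:
        if (f.src == flow.dst and f.dst == flow.src and f.dport == flow.sport
                and 0 <= flow.ts - f.ts <= window):
            return True
    return False


def detect_reflection(flows, victims, min_reflectors=3, min_avg_pkt=400):
    """Group unsolicited inbound UDP from reflector ports by (victim, service).

    A finding needs at least `min_reflectors` distinct source addresses and an
    average packet size of `min_avg_pkt` bytes or more (amplified answers are
    large; a handful of stray packets is not an attack). Thresholds are
    assumptions for the example, not values from the thread.
    """
    groups = defaultdict(lambda: {"reflectors": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f.dst not in victims or f.sport not in REFLECTOR_PORTS:
            continue
        if solicited(f, flows):
            continue  # a real answer to a real query from inside the network
        g = groups[(f.dst, REFLECTOR_PORTS[f.sport])]
        g["reflectors"].add(f.src)
        g["pkts"] += f.pkts
        g["bytes"] += f.byts
    findings = []
    for (victim, service), g in sorted(groups.items()):
        avg = g["bytes"] / g["pkts"]
        if len(g["reflectors"]) >= min_reflectors and avg >= min_avg_pkt:
            findings.append({"victim": victim, "service": service,
                             "reflectors": len(g["reflectors"]),
                             "bytes": g["bytes"], "avg_pkt": round(avg)})
    return findings


# Constructed sample: the site's PAT address is 203.0.113.10.
VICTIMS = {"203.0.113.10"}


def sample_flows():
    """Constructed flows: one legitimate DNS exchange, one SSDP reflection
    burst and one DNS amplification burst against the PAT address."""
    flows = []
    # Legitimate DNS: the victim queries 192.0.2.53 and gets one small answer.
    flows.append(Flow(100.0, "203.0.113.10", 51234, "192.0.2.53", 53, 1, 74))
    flows.append(Flow(100.02, "192.0.2.53", 53, "203.0.113.10", 51234, 1, 160))
    # SSDP reflection: six UPnP devices answer an M-SEARCH the victim never sent.
    for i in range(6):
        flows.append(Flow(200.0 + i * 0.01, f"198.51.100.{i + 1}", 1900,
                          "203.0.113.10", 80, 40, 40 * 512))
    # DNS amplification: four open resolvers return large ANY-style responses.
    for i in range(4):
        flows.append(Flow(300.0 + i * 0.01, f"192.0.2.{i + 10}", 53,
                          "203.0.113.10", 53, 20, 20 * 3000))
    return flows


if __name__ == "__main__":
    for finding in detect_reflection(sample_flows(), VICTIMS):
        print(finding)
```

The solicited() check is what answers the poster's question about whether the requests come from inside: a reflected response with no matching outbound request means the query was sent by someone else with the PAT address as a spoofed source, which is exactly what BCP38 ingress filtering at the spoofer's provider is meant to prevent; nothing the victim does on its own side can stop the reflectors from answering.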
