[187560] in North American Network Operators' Group


Re: UDP Amplification DDoS - Help!

daemon@ATHENA.MIT.EDU (Karsten Elfenbein)
Tue Feb 9 05:29:30 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <10e6b56b34b74f7a86cc7117555de973@AWS-EX01.devgru.local>
From: Karsten Elfenbein <karsten.elfenbein@gmail.com>
Date: Tue, 9 Feb 2016 11:29:07 +0100
To: Mitch Dyer <mdyer@development-group.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

You could use multiple PAT addresses to find the source of information
for the attacker and to reduce the impact by filtering/QoS.

TCP connections PAT IP1 (block UDP before going to the 1G line)
UDP connections PAT IP2

webservers connecting to api hosts - PAT IP3
webservers remaining connections - PAT IP4


Karsten


2016-02-09 0:14 GMT+01:00 Mitch Dyer <mdyer@development-group.net>:
> Hello,
>
> Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful.
>
> A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site; if we change the PAT address for the site, the attack targets the new address at the next occurrence. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS requests originate within the network, but that does not appear to be the case.
>
> We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.
>
> I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
>
> Thanks in advance for any insight.
>
> Mitch
>
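As an added example (not code from this thread or either poster), a short Python check over constructed flow records with hypothetical addresses: it flags inbound DNS/SSDP responses to the PAT address that no recent outbound query from that address explains, which is the reflection pattern Mitch describes, and applies Karsten's TCP/UDP PAT split as a drop rule for UDP aimed at the TCP-only address.

```python
from collections import defaultdict

# Constructed sample flow records (not captures from the thread). Fields:
# timestamp, protocol, src_ip, src_port, dst_ip, dst_port, bytes.
PAT_IP = "198.51.100.10"               # hypothetical PAT address of the attacked site
AMP_PORTS = {53: "dns", 1900: "ssdp"}  # reflector services named in the thread
WINDOW = 5.0                           # seconds an outbound query may await its reply

FLOWS = [
    (100.0, "udp", PAT_IP, 40001, "192.0.2.53", 53, 70),    # legitimate DNS query
    (100.1, "udp", "192.0.2.53", 53, PAT_IP, 40001, 150),   # its answer
    (101.0, "udp", "203.0.113.5", 53, PAT_IP, 80, 3000),    # unsolicited DNS reply
    (101.0, "udp", "203.0.113.6", 1900, PAT_IP, 80, 1400),  # unsolicited SSDP reply
    (101.2, "udp", "203.0.113.5", 53, PAT_IP, 80, 3000),
    (102.0, "tcp", "198.18.0.9", 51000, PAT_IP, 443, 500),  # ordinary TCP client
]

def unsolicited_reflections(flows, pat_ip, window=WINDOW):
    """Return {reflector_ip: (service, total_bytes)} for inbound UDP from a
    DNS/SSDP source port that no outbound query within `window` explains."""
    pending = {}  # (server_ip, server_port, our_port) -> time of last outbound query
    hits = defaultdict(lambda: [None, 0])
    for ts, proto, sip, sport, dip, dport, nbytes in sorted(flows):
        if proto != "udp":
            continue
        if sip == pat_ip and dport in AMP_PORTS:
            pending[(dip, dport, sport)] = ts  # we asked; remember where and when
            continue
        if dip == pat_ip and sport in AMP_PORTS:
            asked = pending.get((sip, sport, dport))
            if asked is not None and ts - asked <= window:
                continue  # reply to a query we actually sent: legitimate
            hits[sip][0] = AMP_PORTS[sport]
            hits[sip][1] += nbytes
    return {ip: tuple(v) for ip, v in hits.items()}

def dropped_by_pat_split(flow, tcp_only_pat):
    """Karsten's split: if one PAT address carries only TCP, any UDP addressed
    to it can be discarded before it reaches the 1G link."""
    _ts, proto, _sip, _sport, dip, _dport, _nbytes = flow
    return proto == "udp" and dip == tcp_only_pat

if __name__ == "__main__":
    for ip, (svc, total) in unsolicited_reflections(FLOWS, PAT_IP).items():
        print(f"{ip}: {svc} reflection, {total} unsolicited bytes")
    print("UDP to TCP-only PAT dropped:",
          sum(dropped_by_pat_split(f, PAT_IP) for f in FLOWS))
```

The per-reflector byte totals are what you would hand to the upstream carrier alongside a block request, since the reflectors (not the spoofing source) are all the victim side can see.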
