-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pete Templin wrote:
One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards don't seem to be doing a proper job of that, unfortunately. The attack is a solid 300% more pps than our aggregate traffic levels.
It's coming in via 6461, but they don't appear to have any ability to backtrack it. Their only offer is to blackhole the destination until the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has little if any information publicly visible.
Any pointers on what to do next?
If it's all coming from that single IP 88.191.63.28, just request that your upstream block it. Usually if you explain the situation to them they'll oblige. Otherwise you'll want to look at mitigation gear (Toplayer, Cisco, etc) there are loads out there or you can look into a DDoS mitigation service. The Contacts I can see for that ASN are role: Technical Contact for ProXad address: Free SAS / ProXad address: 8, rue de la Ville L'Eveque address: 75008 Paris phone: +33 1 73 50 20 00 fax-no: +33 1 73 92 25 69 remarks: trouble: Information: http://www.proxad.net/ remarks: trouble: Spam/Abuse requests: mailto:abuse@proxad.net admin-c: RA999-RIPE tech-c: FG4214-RIPE nic-hdl: TCP8-RIPE mnt-by: PROXAD-MNT source: RIPE # Filtered abuse-mailbox: abuse@proxad.net Hope that helps! - --J -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkktKf8ACgkQETh+0NgvOtF+IgCdFE4TD885Ot9d97b+Dhenmrn8 oVYAniR3qua8mG3D7escGxv+td458jUK =BwvQ -----END PGP SIGNATURE-----