Just following up with a bit more info. While I have no way of knowing whether these IPs are the true source, and there's likely more that I didn't capture in the short windows where the router was up and exporting netflow data, this is what I have. If anyone here is in charge of the following blocks, perhaps you might want to have a look:

208.39.142 (comcast, business cable)
216.235.244 (e-xpedient)
218.244.162 (chinacom)
218.247.37 (china network connect)
61.48.80 (china network communications group)
62.231.65 (romania data systems)

Actually, looking at those sources, I'm betting they're not spoofed. :)

Thanks,

Charles

--
Charles Sprickman
spork@inch.com

On Sat, 19 Jun 2004, Charles Sprickman wrote:
> Is there any place where people with experience dealing with DDoS attacks hang out? I'm getting very little assistance from my upstream beyond "call whomever is in charge of each IP attacking and make them stop", and "even though we null route the destination IP being attacked, this traffic will be billed".