Hi Mitch. My colleagues in the US dealt with something like this and I have dealt with something similar to this in Australia. Does your customer happen to be a school district? In our cases it turned out to be students buying Ddos as a service and targeting the address which comes up when they go to www.whatismyip.com<http://www.whatismyip.com>. So the attack would constantly change and follow the network when there was an IP block put in place at the upstream. In my opinion, there are a few options to this: 1)The best solution is to use a comprehensive cloud based Ddos mitigation solution. 2) Use a cgnat to dynamically map to different external addresses and change them dynamically when there is a Ddos, while putting he used addresses in a black hole. 3) Another could be to use an external proxy service where you proxy your outbound requests to. So they will eventually become the target. However this moves the problem elsewhere and still exposes you to Ddos if they know your Cpe address. 4) In combination with this, you can perform incident response check your logs, turn on authentication, so you know when users are browsing for whatismyip and Ddos attack services. Sent from my iPhone James Tin APJ Principle Enterprise Security Architect Akamai Technologies +61 466 961 555 Level 7, 76 Berry St, North Sydney Australia 2060 On 9 Feb 2016, at 13:27, Mitch Dyer <mdyer@development-group.net<mailto:mdyer@development-group.net>> wrote: Hello, Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful. A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site, if we change the PAT address for the site, the attack targets the new address at the next occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request originate within the network but that does not appear to be the case. We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block. I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier. Thanks in advance for any insight. Mitch