On Mon, Dec 9, 2019 at 3:42 PM Michael Sherlock <michael.sherlock@hrins.net> wrote:

Cristopher,

Ip addresses that are not currently in use, and IP addresses that is currently used for CGNAT for end users

I'm 100% sure that those words mean something to you.. but not operating your network they don't mean anything to me.

Regards,

Michael Sherlock Mobile: +44 75070 92392

Sent from my iPhone

On Dec 9, 2019, at 8:36 PM, "ahmed.dalaali@hrins.net" <ahmed.dalaali@hrins.net> wrote:



Begin forwarded message:

From: Christopher Morrow <morrowc.lists@gmail.com> Subject: Re: DDoS attack Date: December 9, 2019 at 11:11:31 PM GMT+3 To: "ahmed.dalaali@hrins.net" <ahmed.dalaali@hrins.net> Cc: nanog list <nanog@nanog.org>

I'd note that: "what prefixes?" isn't answered here... like: "what is the thing on your network which is being attacked?"

On Mon, Dec 9, 2019 at 3:08 PM ahmed.dalaali@hrins.net <ahmed.dalaali@hrins.net> wrote:

Dear All,

My network is being flooded with UDP packets, Denial of Service attack, soucing from Cloud flare and Google IP Addresses, with 200-300 mbps minimum traffic, the destination in my network are IP prefixes that is currnetly not used but still getting traffic with high volume. The traffic is being generated with high intervals between 10-30 Minutes for each time, maxing to 800 mbps When reached out cloudflare support, they mentioned that there services are running on Nat so they can’t pin out which server is attacking based on ip address alone, as a single IP has more than 5000 server behind it, providing 1 source IP and UDP source port, didn’t help either Any suggestions?

Regards, Ahmed Dala Ali