Dear All,

My network is being flooded with UDP packets, a Denial of Service attack, sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps minimum traffic. The destinations in my network are IP prefixes that are currently not used but still getting traffic with high volume. The traffic is being generated at high intervals, between 10-30 minutes each time, maxing at 800 Mbps. When I reached out to Cloudflare support, they mentioned that their services are running on NAT so they can't pin down which server is attacking based on IP address alone, as a single IP has more than 5000 servers behind it; providing 1 source IP and UDP source port didn't help either.

Any suggestions?

Regards,
Ahmed Dala Ali
I'd note that: "what prefixes?" isn't answered here... like: "what is the thing on your network which is being attacked?"

On Mon, Dec 9, 2019 at 3:08 PM ahmed.dalaali@hrins.net <ahmed.dalaali@hrins.net> wrote:
This is lame. They should be able to view NAT translation tables or, better yet, have some method of watching flows.

Tim

On 12/9/19 12:11 PM, Christopher Morrow wrote:
<snarky remark> BCP38 <more snarky remarks>

After all this time and knowledge, why do people still think <source ip> is legit evidence in DDoS instances...

-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles, P.O. Box 26770, Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 2019-12-09 15:15, Tim Požár wrote:
For short-term relief, you might consider asking your upstream provider to block the unused IPs in your network that are being attacked. It may not get everything, but it could drop the volume considerably. Just be sure that the provider blocks them silently, without sending "no route to host" ICMP back to the hacker. That way the hacker won't know that you've done anything and reshape his attack.

-mel
On Dec 9, 2019, at 12:11 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
I'm going to take a guess that ahmed is:

AS     | BGP IPv4 Prefix  | AS Name
198735 | 185.51.220.0/22  | HRINS-AS, IQ
198735 | 185.51.220.0/24  | HRINS-AS, IQ
198735 | 185.51.221.0/24  | HRINS-AS, IQ
198735 | 185.51.222.0/24  | HRINS-AS, IQ
198735 | 185.51.223.0/24  | HRINS-AS, IQ
198735 | 217.145.228.0/22 | HRINS-AS, IQ
198735 | 217.145.228.0/24 | HRINS-AS, IQ
198735 | 217.145.229.0/24 | HRINS-AS, IQ
198735 | 217.145.230.0/24 | HRINS-AS, IQ
198735 | 217.145.231.0/24 | HRINS-AS, IQ
198735 | 5.1.104.0/21     | HRINS-AS, IQ
198735 | 5.1.104.0/24     | HRINS-AS, IQ
198735 | 5.1.105.0/24     | HRINS-AS, IQ
198735 | 5.1.106.0/24     | HRINS-AS, IQ
198735 | 5.1.107.0/24     | HRINS-AS, IQ
198735 | 5.1.108.0/24     | HRINS-AS, IQ
198735 | 5.1.109.0/24     | HRINS-AS, IQ
198735 | 5.1.110.0/24     | HRINS-AS, IQ
198735 | 5.1.111.0/24     | HRINS-AS, IQ

and that their upstream is:

41032 | 62.201.210.181 | IQNETWORKS, IQ

and that ideally IQnetworks can block this traffic for them...

On Mon, Dec 9, 2019 at 3:17 PM Mel Beckman <mel@beckman.org> wrote:
Hello,

Which attack protocol are you seeing? I suspect you're seeing DNS-based amplification or similar, in which case you can't really pinpoint the attack source...

800 Mbps is not a whole lot of traffic - does it cause any disruptions to you? If the prefixes are not in use, I would suggest the use of RTBH (null routing / blackholing).

Kind Regards,
Filip Hruska

On 9 December 2019 9:07:35 pm GMT+01:00, "ahmed.dalaali@hrins.net" <ahmed.dalaali@hrins.net> wrote:
-- Sent from my mobile device. Please excuse my brevity.
An additional 800 Mbps would severely constrain, if not topple, dozens if not hundreds of ISPs I know.

-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

----- Original Message -----
From: "Filip Hruska" <fhr@fhrnet.eu>
To: nanog@nanog.org
Sent: Monday, December 9, 2019 2:15:39 PM
Subject: Re: DDoS attack
Hello,

You're forgetting that if this were amplification, the source addresses would not be within Google or CloudFlare ranges (especially not CloudFlare, as they are not running a vulnerable recursor, merely authoritative nameservers). The only possibility would be Google, as in Google Cloud, with clueless people running open recursors that are prone to DNS(-SEC) reflection. It would pretty much be beside the point to use authoritative servers of parties such as CloudFlare, as a) the scope of replies you will get is limited, b) they will highly likely take a close look at your (forged) DNS queries and c) they will most certainly have limits in place, defeating the entire point.

In any regard, <1 Gbps is pretty piss poor for an amplification attack too.

Cheers.

On 9 Dec 2019, 9:17 PM +0100, Filip Hruska <fhr@fhrnet.eu>, wrote:
In any regard, <1 Gbps is pretty piss poor for an amplification attack too.
We've observed a customer receiving relatively low-volume attacks in the last week (so low they didn't trigger our alarms). My working theory is that with the Dec 3rd release of Halo Reach for PC, there are gamers attempting to lag, but not knock off, their opponents. This would be one reason to target adjacent unused addresses.
Peace,

On Tue, Dec 10, 2019, 12:08 AM Mike Lewinski <mlewinski@massivenetworks.com> wrote:
My working theory is that with the Dec 3rd release of Halo Reach for PC, there are gamers attempting to lag, but not knock off, their opponents. This would be one reason to target adjacent unused addresses.
+1

Either this, or something resembling that, happens all the time.

-- Töma
On 12/9/19 3:32 PM, Florian Brandstetter via NANOG wrote:
In any regard, <1 Gbps is pretty piss poor for an amplification attack too.
But, as others have pointed out, plenty to knock a single subscriber, a shared access link (DOCSIS, wireless, or even a well-loaded GPON), or even a small regional PoP down. Plenty of opportunity for mayhem even with just a couple of hundred Mbps, which is trivial to come up with these days as the spread of consumer-accessible speeds keeps growing. Keeping it small makes it less likely to get noticed and, perhaps even more importantly for the perpetrator, harder for the networks responsible for the reflection/amplification to track down the problem using traffic analysis, as well as coming in on the lower end of the "how much do I care?" part of the abuse team's line-up.

-- Brandon Martin
Hi,
On 12/9/19 3:32 PM, Florian Brandstetter via NANOG wrote:
"how much do I care?" part of the abuse team's line-up.
If people cared, they would have anti-spoofing filters in place. Most on this list will agree that amplification attacks can be mitigated, or at least severely reduced, by anti-spoofing filters on the networks of the attackers.

Thanks,
Sabri
Peace,

On Mon, Dec 9, 2019 at 11:35 PM Florian Brandstetter via NANOG <nanog@nanog.org> wrote:
if that was to be amplification, the source addresses would not be within Google or CloudFlare ranges (especially not CloudFlare, as they are not running a vulnerable recursor
Well, vulnerable — arguably of course, amplifying — yes, a few, around twenty. Not sure if they have any kind of rate limiting there (also not sure if it's legal for me to check it), especially given that the queries could come from spoofed sources. Anyway, in theory, their sources *could* be present in a DDoS (though not likely).

12:11:23.726699 IP (tos 0x0, ttl 64, id 9173, offset 0, flags [none], proto UDP (17), length 60) $IP.60801 > 172.65.253.110.53: 45631+ [1au] ANY? com. (32)
12:11:23.733976 IP (tos 0x0, ttl 60, id 30234, offset 0, flags [+], proto UDP (17), length 1500) 172.65.253.110.53 > $IP.60801: 45631$ 22/0/1 com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1576020207 1800 900 604800 86400, com. RRSIG, com. NS a.gtld-servers.net., com. NS b.gtld-servers.net., com. NS c.gtld-servers.net., com. NS e.gtld-servers.net., com. NS i.gtld-servers.net., com. NS j.gtld-servers.net., com. NS g.gtld-servers.net., com. NS f.gtld-servers.net., com. NS l.gtld-servers.net., com. NS d.gtld-servers.net., com. NS k.gtld-servers.net., com. NS h.gtld-servers.net., com. NS m.gtld-servers.net., com. RRSIG, com. DNSKEY, com. DNSKEY, com. DNSKEY, com. RRSIG[|domain]

-- Töma
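The exchange above, measured the way a defender would size the risk of a reflector: an added example (not code from anyone in the thread) that parses tcpdump -v lines, pairs each DNS query with its reply, sums reply fragments by IP id, and reports bytes out over bytes in. The sample capture is constructed after the post's output; 192.0.2.10 replaces $IP and the second fragment line is assumed, since the post shows only the first 1500-byte one.

```python
"""Estimate the amplification factor of a DNS ANY exchange from tcpdump -v text.

Added example, not from the thread. SAMPLE is constructed tcpdump output modelled
on the exchange quoted in the post: 192.0.2.10 stands in for the poster's $IP, and
the second fragment line is assumed (the post shows only the first, 1500-byte one).
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
12:11:23.726699 IP (tos 0x0, ttl 64, id 9173, offset 0, flags [none], proto UDP (17), length 60) 192.0.2.10.60801 > 172.65.253.110.53: 45631+ [1au] ANY? com. (32)
12:11:23.733976 IP (tos 0x0, ttl 60, id 30234, offset 0, flags [+], proto UDP (17), length 1500) 172.65.253.110.53 > 192.0.2.10.60801: 45631$ 22/0/1 com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1576020207 1800 900 604800 86400, com. RRSIG, com. NS a.gtld-servers.net.[|domain]
12:11:23.734010 IP (tos 0x0, ttl 60, id 30234, offset 1480, flags [none], proto UDP (17), length 900) 172.65.253.110 > 192.0.2.10: ip-proto-17
"""

# IP header summary printed by tcpdump -v; the port suffix is absent on later fragments.
HDR = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl \d+, id (?P<ipid>\d+), offset (?P<off>\d+), "
    r"flags \[[^\]]*\], proto UDP \(17\), length (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: ?(?P<rest>.*)$"
)
# DNS transaction id followed by tcpdump's flag characters (+ RD, $ AD, * AA, ...).
DNS = re.compile(r"^(?P<txid>\d+)[+*$%|-]*\s")

Key = Tuple[str, int, int]  # (client address, client port, DNS transaction id)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed header fields of one tcpdump line, or None if it is not UDP/IP."""
    m = HDR.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("ipid", "off", "len"):
        d[k] = int(d[k])
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    dm = DNS.match(d["rest"])
    d["txid"] = int(dm.group("txid")) if dm else None
    return d


def amplification(capture: str) -> List[dict]:
    """Pair DNS queries with their (possibly fragmented) replies; factor = bytes out / bytes in."""
    queries: Dict[Key, int] = {}                  # query key -> query IP length
    replies: Dict[Key, int] = {}                  # query key -> sum of reply fragment IP lengths
    frag_owner: Dict[Tuple[str, int], Key] = {}   # (server, IP id) -> key of the first fragment
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["off"] > 0:  # trailing fragment: attribute it to its reply by (server, IP id)
            key = frag_owner.get((p["src"], p["ipid"]))
            if key is not None:
                replies[key] += p["len"]
            continue
        if p["txid"] is None:
            continue
        if p["dport"] == 53:
            queries[(p["src"], p["sport"], p["txid"])] = p["len"]
        elif p["sport"] == 53:
            key = (p["dst"], p["dport"], p["txid"])
            replies[key] = replies.get(key, 0) + p["len"]
            frag_owner[(p["src"], p["ipid"])] = key
    results = []
    for key, qlen in queries.items():
        rlen = replies.get(key, 0)
        results.append({"client": key[0], "txid": key[2], "query_bytes": qlen,
                        "reply_bytes": rlen, "factor": round(rlen / qlen, 1)})
    return results


if __name__ == "__main__":
    for r in amplification(SAMPLE):
        print(f"txid {r['txid']}: {r['query_bytes']} B in, {r['reply_bytes']} B out, "
              f"x{r['factor']} (a lower bound if any fragment was not captured)")
```

Fragments are matched by IP id only after their first fragment has been seen, so a capture that starts mid-reply under-counts; the factor is therefore a lower bound.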
On which UDP port?

On 2019-12-09 15:07, ahmed.dalaali@hrins.net wrote:
My network is being flooded with UDP packets, Denial of Service attack, soucing from Cloud flare and Google IP Addresses
but, until nancy drew walks the attack back upstream step by step, you really do not know it's coming from clodflare or gobble.
the destination in my network are IP prefixes that is currnetly not used
then it should be pretty easy for your upstreams to filter without doing damage to goodput.

randy
Normally these attacks are spoofed IPs, usually amplification attacks based on UDP using DNS/LDAP etc. This is something that is common and is usually directed towards schools and financial institutions. This is an easy attack to orchestrate by anyone; most of these attacks can be launched via stresser services online. 800 Mbps to most smaller ISPs is a lot of traffic and can deeply impact not only the victim prefix but other non-targeted customers, as traffic consumed by the attack will cause problems for all users on that circuit.

There's a few things you can do. Ask your upstream provider to rate-limit UDP packets towards you. Rate-limit them to what you think a normal UDP rate should be. I don't recommend blocking UDP, as you will block legit UDP packets from reaching any of your customers when the attack is not ongoing. Note most larger providers will not help or care to help; I know Comcast probably will not help you, their support techs will have no idea what you are talking about, and neither will most entry-level engineers. However, it's worth taking a shot and asking your upstream provider.

Another way you can minimize this is if you are multi-homed with BGP. In this case take the targeted prefix and advertise it to be preferred through one of your upstreams, and move all other prefixes to the other link. This will ensure that most of your customers will not be impacted during the DDoS. Once you have the victim prefix preferred on that specific BGP link, then you can rate-limit on your edge, or the provider can do this for you. You will still have the full force of the attack at the edge unless you can get one of your providers to help you out.

With DDoS you can only mitigate it and not necessarily stop it. Someone will always get that DDoS traffic, whether it is you, your provider or your customers. The problem is figuring out where you want the traffic to be rate-limited, stopped etc., and at whose expense.

BTW those stresser services are usually free for a set period of about 0-15 min, then you must pay, which is why it's not ongoing.

Good luck,
Paul

-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> On Behalf Of ahmed.dalaali@hrins.net
Sent: Monday, December 09, 2019 3:08 PM
To: nanog@nanog.org
Subject: DDoS attack
Years ago, we looked at netflow data and precursors to attacks, and found that UDP 3074 Xbox Live was showing up just prior to the attacks... and through other research we concluded that gamers are a big cause of large ddos attacks.... apparently they go after each other in retaliation.

I've crafted a series of things for dealing with the results of volumetric ddos attacks... I've had attacks in upwards of 50 or 60 gig as I recall.... across all of my (3) internet connections at times:

- deny acl's ... for ports/protocols that I know are absolutely not needed
- policers of various well known port attack vectors (gleaned from netflow data)
- policers of well-known *good* ports/protocols (like ntp, dns, etc) to some realistic level
- a repeat-victims list of ip's with policing udp for this group (note 1)
- rtbh (note 2)

Note 1 - Also, I've learned that if a customer has been attacked once, the chances of them being the target of an attack again are high.... so by crafting the repeat-victims list, you can catch next-day attacks of differing vectors.

Note 2 - for sustained attacks lasting a long time (30 mins, an hour, etc), we trigger a bgp/community route that goes out to the inet cloud and stops the attack further into the upstream provider's network... I know I "complete" the attack, but I save my network ;)

...I use an old cisco 2600 as my trigger router and wrote a job aid that I shared with the NOC for triggering rtbh when needed, a couple of commands.

...I would like to automate my rtbh using what I understand is a possible use case for FastNetMon, but haven't got around to it.

I also wonder if team cymru's utrs project and other things like that would benefit my security posture.

-Aaron
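One way the repeat-victims policer (note 1) and the sustained-attack RTBH trigger (note 2) above could be automated, as an added example that is neither Aaron's nor FastNetMon's code: per-minute UDP rates are aggregated from flow records, a short streak over threshold earns a UDP policer and a place on the repeat-victims list, and a 30-minute streak earns a blackhole. The flow records, the Mbps thresholds, the 3-minute policer step and the tagged Null0 trigger-route syntax are assumptions; the 30-minute sustain window comes from the post.

```python
"""Automate the repeat-victims UDP policer and the sustained-attack RTBH trigger.

Added example, not Aaron's or FastNetMon's code. Flow records, the thresholds,
the 3-minute policer step and the Null0-with-tag trigger-route syntax are assumptions;
the 30-minute sustain window before blackholing comes from the post.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

MBPS_TRIGGER = 500.0         # assumed: UDP rate that counts as an attack on a fresh /32
MBPS_REPEAT_TRIGGER = 100.0  # assumed: lower bar for an address on the repeat-victims list
POLICE_MINUTES = 3           # assumed: consecutive minutes before policing UDP to the /32
SUSTAIN_MINUTES = 30         # from the post: blackhole only attacks that last this long
UDP = 17

Action = Tuple[str, str, int]  # (action, destination, minute it fired)


@dataclass(frozen=True)
class Flow:
    minute: int   # one-minute bucket index from the flow collector
    dst: str      # destination address inside our network
    proto: int    # IP protocol number
    nbytes: int   # bytes seen in this bucket


def udp_mbps(flows: Iterable[Flow]) -> Dict[int, Dict[str, float]]:
    """Aggregate UDP bytes per (minute, destination) and convert to Mbit/s."""
    per_min: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.proto == UDP:
            per_min[f.minute][f.dst] += f.nbytes
    return {m: {d: b * 8 / 60 / 1e6 for d, b in dsts.items()} for m, dsts in per_min.items()}


def decide(flows: Iterable[Flow], repeat_victims: Iterable[str]) -> Tuple[List[Action], Set[str]]:
    """Walk the minutes in order and emit (action, dst, minute) tuples.

    A destination above its threshold for POLICE_MINUTES in a row gets a UDP policer and
    joins the repeat-victims list; one above it for SUSTAIN_MINUTES in a row gets blackholed.
    """
    rates = udp_mbps(flows)
    victims: Set[str] = set(repeat_victims)
    streak: Dict[str, int] = defaultdict(int)
    actions: List[Action] = []
    if not rates:
        return actions, victims
    for minute in range(min(rates), max(rates) + 1):   # a quiet minute resets every streak
        now = rates.get(minute, {})
        for dst in sorted(set(streak) | set(now)):
            threshold = MBPS_REPEAT_TRIGGER if dst in victims else MBPS_TRIGGER
            if now.get(dst, 0.0) < threshold:
                streak[dst] = 0
                continue
            streak[dst] += 1
            if streak[dst] == POLICE_MINUTES:
                actions.append(("police-udp", dst, minute))
                victims.add(dst)
            elif streak[dst] == SUSTAIN_MINUTES:
                actions.append(("rtbh", dst, minute))
    return actions, victims


def ios_trigger_route(victim: str, tag: int = 666) -> str:
    """Assumed trigger-router pattern: a tagged Null0 static that a route-map redistributes
    into BGP with the upstream's blackhole community (tag value is a placeholder)."""
    return f"ip route {victim} 255.255.255.255 Null0 tag {tag}"


def constructed_flows() -> List[Flow]:
    """Constructed sample: one long UDP flood, one small flood at a repeat victim, one TCP stream."""
    def bytes_per_minute(mbps: int) -> int:
        return mbps * 1_000_000 // 8 * 60
    flows = [Flow(m, "198.51.100.7", UDP, bytes_per_minute(700)) for m in range(35)]
    flows += [Flow(m, "198.51.100.9", UDP, bytes_per_minute(150)) for m in range(5)]
    flows += [Flow(m, "198.51.100.20", 6, bytes_per_minute(700)) for m in range(35)]  # TCP: not policed here
    return flows


if __name__ == "__main__":
    acts, repeat = decide(constructed_flows(), repeat_victims={"198.51.100.9"})
    for action, dst, minute in acts:
        print(f"minute {minute:2d}: {action} {dst}")
        if action == "rtbh":
            print("    ", ios_trigger_route(dst))
```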
On Tue, 10 Dec 2019 at 19:08, Aaron Gould <aaron1@gvtc.com> wrote:
- policers of well-known *good* ports/protocols (like ntp, dns, etc) to some realistic level
You might want to downpref these to a scavenger class instead of policing them, since ultimately policing just makes it easier to DDoS the service, which is actually needed.

-- ++ytti
You can get the bogon prefixes from Cymru and defend your network using them in combination with RPF.

The key with these attacks, DoS or DDoS, is to have proper telemetry (streaming telemetry, not polling telemetry) and baselines; without this information you run the danger of blocking good traffic.

Based on the thread below I don't see any evidence of an attack, only speculations.

nikos

-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> On Behalf Of Aaron Gould
Sent: Tuesday, December 10, 2019 5:05 PM
To: 'Paul Amaral' <razor@meganet.net>; ahmed.dalaali@hrins.net; Nanog@nanog.org
Subject: [EXTERNAL] RE: DDoS attack
Rarely will the source IPs be the same every time a victim gets DDoS'd. Good telemetry is key, but every time the attack happens it needs to be looked at. I find bogon prefixes are not used as much, especially in amplification attacks. Gathering good intel and blocking bogons will help, but there is no one strategy that works. You also will always risk blocking some good traffic. Again, there's a reason why you can only mitigate and not stop a DDoS completely.

Paul

-----Original Message-----
From: Nikos Leontsinis <Nikos.Leontsinis@eu.equinix.com>
Sent: Tuesday, December 10, 2019 5:19 PM
To: Aaron Gould <aaron1@gvtc.com>; 'Paul Amaral' <razor@meganet.net>; ahmed.dalaali@hrins.net; Nanog@nanog.org
Subject: RE: [EXTERNAL] RE: DDoS attack
see also: https://en.wikipedia.org/wiki/Smurf_attack

On Mon, Dec 9, 2019 at 12:09 PM ahmed.dalaali@hrins.net <ahmed.dalaali@hrins.net> wrote: