Normally these attacks are spoofed IPs, usually amplification attacks based on 
UDP using DNS/LDAP etc. This is something that is common and is usually aimed at 
schools and financial institutions. This is an easy attack for anyone to 
orchestrate; most of these attacks can be launched via stresser services online. 
800 Mbps to most smaller ISPs is a lot of traffic and can deeply impact not only 
the victim prefix but other non-targeted customers, as the bandwidth consumed by 
the attack will cause problems for all users on that circuit.

There are a few things you can do. Ask your upstream provider to rate limit UDP 
packets towards you. Rate limit them to what you think a normal UDP rate should 
be. I don't recommend blocking UDP, as you will block legit UDP packets from 
reaching any of your customers when the attack is not ongoing. Note that most 
larger providers will not help or care to help; I know Comcast probably will not 
help you, their support techs will have no idea what you are talking about, and 
neither will most entry-level engineers. However, it's worth taking a shot and 
asking your upstream provider. 

Another way you can minimize this is if you are multi-homed with BGP. In this 
case take the targeted prefix and advertise it so that it is preferred through 
one of your upstreams, and move all other prefixes to the other link. This will 
ensure that most of your customers will not be impacted during the DDoS. Once 
you have the victim prefix preferred on that specific BGP link you can rate limit 
on your edge, or the provider can do this for you. You will still have the full 
force of the attack at the edge unless you can get one of your providers to help 
you out. With DDoS you can only mitigate it and not necessarily stop it. Someone 
will always get that DDoS traffic, whether it is you, your provider or your 
customers. The problem is figuring out where you want the traffic to be 
rate-limited, stopped etc., and at whose expense. 

BTW those stresser services are usually free for a set period of about 0-15 min, 
then you must pay, which is why it's not ongoing. 


Good luck, 

Paul 


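As an added example (not part of Paul's or Ahmed's messages), here is what the two 
measures above look like as IOS-style router configuration on the victim's edge: a 
policer that caps inbound UDP at an assumed "normal" rate instead of dropping it, 
and outbound BGP policy that makes the targeted prefix prefer upstream A and every 
other prefix prefer upstream B. The prefixes (203.0.113.0/24 as the victim, 
198.51.100.0/24 as the rest), the AS numbers (64500 for us, 64496/64497 for the 
upstreams), the neighbor addresses, the interface names and the 50 Mbps figure are 
all placeholders taken from the documentation ranges, not values from the thread.

```ios
! --- 1. Rate-limit, don't block, inbound UDP at the edge ---
! Assumed: we own 203.0.113.0/24 (being attacked) and 198.51.100.0/24.
! Size the rate to the UDP level you measure when there is NO attack
! (50 Mbps here is an assumption). Set it too low and your DNS, NTP and
! VoIP traffic will be dropped during the attack as well.
ip access-list extended UDP-IN
 permit udp any 203.0.113.0 0.0.0.255
 permit udp any 198.51.100.0 0.0.0.255
!
class-map match-all UDP-TO-US
 match access-group name UDP-IN
!
policy-map POLICE-UDP
 class UDP-TO-US
  police 50000000 1500000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description Upstream A (AS64496)
 service-policy input POLICE-UDP
!
interface GigabitEthernet0/1
 description Upstream B (AS64497)
 service-policy input POLICE-UDP
!
! The policer only decides what gets past your router; the flood still
! fills the circuit in front of it. The same policy applied by the
! upstream on its side (egress toward you) is what actually keeps the
! link usable for your other customers, which is why it is worth asking.
!
! --- 2. Steer the victim prefix onto upstream A, everything else onto B ---
! Prepending our own AS (64500, assumed) makes a path less attractive to
! the rest of the Internet. If an upstream publishes a community that
! lowers local-preference on its side, use that instead; it is honored
! more predictably than prepends, which other networks may ignore.
ip prefix-list VICTIM seq 5 permit 203.0.113.0/24
ip prefix-list OTHERS seq 5 permit 198.51.100.0/24
!
route-map TO-UPSTREAM-A permit 10
 description victim prefix: advertise clean, this is the preferred path
 match ip address prefix-list VICTIM
route-map TO-UPSTREAM-A permit 20
 description other prefixes: make this path unattractive
 match ip address prefix-list OTHERS
 set as-path prepend 64500 64500 64500
!
route-map TO-UPSTREAM-B permit 10
 description victim prefix: make this path unattractive
 match ip address prefix-list VICTIM
 set as-path prepend 64500 64500 64500
route-map TO-UPSTREAM-B permit 20
 description other prefixes: advertise clean, this is the preferred path
 match ip address prefix-list OTHERS
!
router bgp 64500
 network 203.0.113.0 mask 255.255.255.0
 network 198.51.100.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description Upstream A
 neighbor 192.0.2.1 route-map TO-UPSTREAM-A out
 neighbor 192.0.2.5 remote-as 64497
 neighbor 192.0.2.5 description Upstream B
 neighbor 192.0.2.5 route-map TO-UPSTREAM-B out
```

Both route-maps end with an implicit deny, so any prefix not listed in VICTIM or 
OTHERS stops being advertised; keep the two prefix-lists complete. After the change, 
`show policy-map interface` shows conform versus exceed counters per upstream, which 
is also how you confirm that the flood really did move to the link you chose; once 
the attack stops, remove the prepends unless the resulting split suits you anyway.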

-----Original Message-----
From: NANOG <nanog-boun...@nanog.org> On Behalf Of ahmed.dala...@hrins.net
Sent: Monday, December 09, 2019 3:08 PM
To: nanog@nanog.org
Subject: DDoS attack 

Dear All, 

My network is being flooded with UDP packets, a denial of service attack, sourcing 
from Cloudflare and Google IP addresses, with 200-300 Mbps minimum traffic; the 
destinations in my network are IP prefixes that are currently not used but still 
getting traffic with high volume.
The traffic is being generated at high intervals, between 10-30 minutes each 
time, maxing at 800 Mbps. When I reached out to Cloudflare support, they 
mentioned that their services are running on NAT so they can't pin down which 
server is attacking based on IP address alone, as a single IP has more than 
5000 servers behind it; providing 1 source IP and UDP source port didn't help 
either. Any suggestions?

Regards,
Ahmed Dala Ali 