Use a CDN provider or AWS ELBs or something to absorb the attacks?

On Mon, Feb 8, 2016 at 9:55 PM, Faisal Imtiaz <fai...@snappytelecom.net> wrote:
> Not quite sure what kind of info / confirmation you are looking for...
>
> There are lots of articles (do a google search) on this topic as well as
> mitigation ...
>
> e.g.
>
> http://blog.nexusguard.com/ssdp-ddos-attacks/
>
> &
> https://tools.ietf.org/html/bcp38
>
> Regards
>
> Faisal Imtiaz
> Snappy Internet & Telecom
>
> ----- Original Message -----
>> From: "Mitch Dyer" <md...@development-group.net>
>> To: "nanog list" <nanog@nanog.org>
>> Sent: Monday, February 8, 2016 6:14:06 PM
>> Subject: UDP Amplification DDoS - Help!
>
>> Hello,
>>
>> Hoping someone can point me in the right direction here, even just
>> confirming my suspicions would be incredibly helpful.
>>
>> A little bit of background: I have a customer I'm working with that is
>> downstream of a 1Gb link that is experiencing multiple DDoS attacks on a
>> daily basis. Through several captures I've seen what appear to be a
>> mixture of SSDP and DNS amplification attacks (though not at the same
>> time). The attack itself seems to target the PAT address associated with
>> a specific site, if we change the PAT address for the site, the attack
>> targets the new address at the next occurrence. We've tried setting up
>> captures and logging inside the network to determine if the SSDP/DNS
>> request originate within the network but that does not appear to be the
>> case.
>>
>> We've reached out for some assistance from the upstream carrier but
>> they've only been able to enforce a 24-hour block.
>>
>> I'm hoping someone with some experience on this topic would be able to
>> shed some light on a better way to attack this or would be willing to
>> confirm that we are simply SOL without prolonged assistance from the
>> upstream carrier.
>>
>> Thanks in advance for any insight.
>>
>> Mitch
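
The check described in the original post (do the SSDP/DNS replies answer requests that left the network?) can be run over a capture as follows. This is an added example, not part of the thread or any poster's code. It assumes the capture was taken outside the NAT where the PAT address is visible; the tuple layout, the 5-second window and all addresses are constructed for illustration.

```python
from collections import Counter

# Source ports of the two reflector protocols named in the thread.
REFLECTOR_PORTS = {1900: "SSDP", 53: "DNS"}
WINDOW = 5.0  # assumed: seconds a reply may trail its request

def classify(packets, pat_addr):
    """Count solicited vs. unsolicited reflector replies sent to pat_addr.

    packets: time-ordered (ts, src_ip, src_port, dst_ip, dst_port) UDP tuples.
    A reply is solicited only if pat_addr recently sent a request to the
    same remote ip:port from the local port the reply is addressed to.
    """
    pending = {}  # (remote_ip, remote_port, local_port) -> request timestamp
    solicited, unsolicited = Counter(), Counter()
    for ts, src, sport, dst, dport in packets:
        if src == pat_addr and dport in REFLECTOR_PORTS:
            pending[(dst, dport, sport)] = ts
        elif dst == pat_addr and sport in REFLECTOR_PORTS:
            asked = pending.get((src, sport, dport))
            proto = REFLECTOR_PORTS[sport]
            if asked is not None and ts - asked <= WINDOW:
                solicited[proto] += 1
            else:
                unsolicited[proto] += 1  # reply to a request we never sent
    return solicited, unsolicited

# Constructed sample capture (documentation address ranges).
PAT = "203.0.113.10"
SAMPLE = [
    (0.0, PAT, 40000, "198.51.100.53", 53),   # real DNS query leaving the site
    (0.1, "198.51.100.53", 53, PAT, 40000),   # its answer: solicited
    (1.0, "192.0.2.21", 1900, PAT, 80),       # SSDP reply, no request seen
    (1.0, "192.0.2.22", 1900, PAT, 80),       # SSDP reply, no request seen
    (1.1, "192.0.2.23", 53, PAT, 4444),       # DNS reply, no request seen
    (9.0, "198.51.100.53", 53, PAT, 40000),   # arrives after the window
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE, PAT)
    print("solicited:", dict(ok))
    print("unsolicited:", dict(bad))
```

A high unsolicited count with near-zero outbound requests is consistent with spoofed-source reflection, which filtering at the victim edge cannot stop before the link saturates.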