You could use multiple PAT addresses to find the source of information for the attacker and to reduce the impact by filtering/QoS.

TCP connections - PAT IP1 (block UDP before going to the 1G line)
UDP connections - PAT IP2
webservers connecting to api hosts - PAT IP3
webservers remaining connections - PAT IP4

Karsten

2016-02-09 0:14 GMT+01:00 Mitch Dyer <md...@development-group.net>:
> Hello,
>
> Hoping someone can point me in the right direction here, even just confirming
> my suspicions would be incredibly helpful.
>
> A little bit of background: I have a customer I'm working with that is
> downstream of a 1Gb link that is experiencing multiple DDoS attacks on a
> daily basis. Through several captures I've seen what appear to be a mixture
> of SSDP and DNS amplification attacks (though not at the same time). The
> attack itself seems to target the PAT address associated with a specific
> site; if we change the PAT address for the site, the attack targets the new
> address at the next occurrence. We've tried setting up captures and logging
> inside the network to determine if the SSDP/DNS requests originate within the
> network, but that does not appear to be the case.
>
> We've reached out for some assistance from the upstream carrier but they've
> only been able to enforce a 24-hour block.
>
> I'm hoping someone with some experience on this topic would be able to shed
> some light on a better way to attack this or would be willing to confirm that
> we are simply SOL without prolonged assistance from the upstream carrier.
>
> Thanks in advance for any insight.
>
> Mitch
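The per-address split Karsten proposes, as an added example that is not part of this thread or of anyone's network: a Python script that checks constructed flow records against a policy of "one traffic class per PAT address", attributes reflected SSDP/DNS traffic to the address it hit (which tells you which outbound traffic class leaked that address to the attacker), and derives the "block UDP before the 1G line" rule for addresses that should never see UDP. The 203.0.113.x/198.51.100.x/192.0.2.x addresses, the flow-record format, the byte counts, the 250-byte average-packet threshold and the function names are all assumptions made for the example.

```python
"""Attribute reflected UDP floods to the PAT address they target and derive
filter actions from a one-traffic-class-per-address policy (example code)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed PAT layout following the reply above: each outside address carries
# one class of traffic, so the class that leaks the address can be identified.
PAT_POLICY = {
    "203.0.113.1": {"role": "tcp-only", "proto": {"tcp"}},
    "203.0.113.2": {"role": "udp-only", "proto": {"udp"}},
    "203.0.113.3": {"role": "web-to-api", "proto": {"tcp"}},
    "203.0.113.4": {"role": "web-other", "proto": {"tcp"}},
}

# Reflector services named in the thread, keyed by the source port of replies.
AMPLIFIER_SRC_PORTS = {1900: "ssdp", 53: "dns"}

# Crude heuristic (assumption): reflected replies are large; ordinary DNS
# answers to our own resolvers are usually well under this average size.
AVG_PKT_THRESHOLD = 250


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


def parse_flow(line):
    """Parse 'src_ip:src_port dst_ip:dst_port proto bytes packets'."""
    src, dst, proto, nbytes, packets = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(sip, int(sport), dip, int(dport), proto.lower(),
                int(nbytes), int(packets))


def load_flows(text):
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def classify(flows):
    """Per PAT address: bytes matching policy, bytes off policy, and bytes that
    look like reflected amplification grouped by reflector service."""
    report = defaultdict(lambda: {"expected": 0, "off_policy": 0,
                                  "amplification": defaultdict(int)})
    for f in flows:
        policy = PAT_POLICY.get(f.dst_ip)
        if policy is None:
            continue  # not one of our PAT addresses
        entry = report[f.dst_ip]
        svc = AMPLIFIER_SRC_PORTS.get(f.src_port)
        avg_pkt = f.nbytes / max(f.packets, 1)
        if f.proto == "udp" and svc and avg_pkt > AVG_PKT_THRESHOLD:
            entry["amplification"][svc] += f.nbytes
        elif f.proto in policy["proto"]:
            entry["expected"] += f.nbytes
        else:
            entry["off_policy"] += f.nbytes
    return report


def filter_rules(report):
    """Derive upstream actions: addresses that never carry UDP can have all
    UDP dropped before the 1G line; UDP addresses get per-service limits."""
    rules = []
    for ip in sorted(report):
        entry, policy = report[ip], PAT_POLICY[ip]
        hostile = entry["off_policy"] + sum(entry["amplification"].values())
        if hostile == 0:
            continue
        if "udp" not in policy["proto"]:
            rules.append((ip, "drop-udp-upstream"))
        else:
            for svc in sorted(entry["amplification"]):
                rules.append((ip, f"rate-limit-udp-src-{svc}"))
    return rules


# Constructed flow records (not captured data): two reflected floods hitting
# the TCP-only address, one hitting the web-other address, plus normal traffic.
SAMPLE_FLOWS = """\
198.51.100.7:1900 203.0.113.1:80 udp 900000 3000
198.51.100.9:53 203.0.113.1:443 udp 3000000 1000
192.0.2.10:51234 203.0.113.1:80 tcp 120000 300
192.0.2.11:53 203.0.113.2:41000 udp 5000 40
192.0.2.12:123 203.0.113.2:42000 udp 2000 20
192.0.2.13:443 203.0.113.3:51000 tcp 80000 200
192.0.2.14:443 203.0.113.4:52000 tcp 60000 150
198.51.100.20:1900 203.0.113.4:80 udp 600000 2000
"""

if __name__ == "__main__":
    rep = classify(load_flows(SAMPLE_FLOWS))
    for ip in sorted(rep):
        print(ip, PAT_POLICY[ip]["role"], dict(rep[ip], amplification=dict(rep[ip]["amplification"])))
    print(filter_rules(rep))
```

Running it against the constructed records shows the SSDP and DNS reflections landing on the TCP-only address and on the web-other address, so the leak of the address is narrowed to those two traffic classes, and both addresses qualify for an unconditional upstream UDP drop without touching the address that legitimately carries UDP.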