I'm going to take a guess that ahmed is:

AS      | BGP IPv4 Prefix     | AS Name
198735  | 185.51.220.0/22     | HRINS-AS, IQ
198735  | 185.51.220.0/24     | HRINS-AS, IQ
198735  | 185.51.221.0/24     | HRINS-AS, IQ
198735  | 185.51.222.0/24     | HRINS-AS, IQ
198735  | 185.51.223.0/24     | HRINS-AS, IQ
198735  | 217.145.228.0/22    | HRINS-AS, IQ
198735  | 217.145.228.0/24    | HRINS-AS, IQ
198735  | 217.145.229.0/24    | HRINS-AS, IQ
198735  | 217.145.230.0/24    | HRINS-AS, IQ
198735  | 217.145.231.0/24    | HRINS-AS, IQ
198735  | 5.1.104.0/21        | HRINS-AS, IQ
198735  | 5.1.104.0/24        | HRINS-AS, IQ
198735  | 5.1.105.0/24        | HRINS-AS, IQ
198735  | 5.1.106.0/24        | HRINS-AS, IQ
198735  | 5.1.107.0/24        | HRINS-AS, IQ
198735  | 5.1.108.0/24        | HRINS-AS, IQ
198735  | 5.1.109.0/24        | HRINS-AS, IQ
198735  | 5.1.110.0/24        | HRINS-AS, IQ
198735  | 5.1.111.0/24        | HRINS-AS, IQ
and that their upstream is:

41032   | 62.201.210.181      | IQNETWORKS, IQ

and that ideally IQnetworks can block this traffic for them...

On Mon, Dec 9, 2019 at 3:17 PM Mel Beckman <m...@beckman.org> wrote:
>
> For short term relief, you might consider asking your upstream provider to
> block the unused IPs in your network that are being attacked. It may not get
> everything, but it could drop the volume considerably. Just be sure that the
> provider blocks them silently, without sending “no route to host” ICMP back
> to the hacker. That way the hacker won’t know that you’ve done anything and
> reshape his attack.
>
> -mel
>
> > On Dec 9, 2019, at 12:11 PM, Christopher Morrow <morrowc.li...@gmail.com>
> > wrote:
> >
> > I'd note that: "what prefixes?" isn't answered here... like: "what is
> > the thing on your network which is being attacked?"
> >
> > On Mon, Dec 9, 2019 at 3:08 PM ahmed.dala...@hrins.net
> > <ahmed.dala...@hrins.net> wrote:
> >>
> >> Dear All,
> >>
> >> My network is being flooded with UDP packets, Denial of Service attack,
> >> sourcing from Cloudflare and Google IP Addresses, with 200-300 mbps
> >> minimum traffic, the destination in my network are IP prefixes that are
> >> currently not used but still getting traffic with high volume.
> >> The traffic is being generated with high intervals between 10-30 Minutes
> >> for each time, maxing to 800 mbps
> >> When I reached out to Cloudflare support, they mentioned that their services
> >> are running on NAT so they can’t pin out which server is attacking based
> >> on ip address alone, as a single IP has more than 5000 servers behind it,
> >> providing 1 source IP and UDP source port, didn’t help either
> >> Any suggestions?
> >>
> >> Regards,
> >> Ahmed Dala Ali
> >>
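
Added example, not part of the thread or written by any of its participants: one way to turn the advice above (have the upstream silently drop the unused space) into a concrete prefix list. `ANNOUNCED` takes a few of the prefixes listed in the thread; `IN_USE` is a constructed sample, not the operator's real allocation, and the Linux iproute2 output format is an assumption about the platform doing the filtering.

```python
import ipaddress

# Prefixes listed in the thread for AS198735 (the /24s overlap the aggregates).
ANNOUNCED = ["185.51.220.0/22", "217.145.228.0/22", "5.1.104.0/21",
             "185.51.221.0/24", "5.1.105.0/24"]
# Constructed sample of space in service; NOT the operator's real allocation.
IN_USE = ["185.51.220.0/23", "217.145.228.0/24", "5.1.104.0/22"]


def unused_blocks(announced, in_use):
    """Return the smallest CIDR list covering announced space minus in-use space."""
    free = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in announced))
    for used in (ipaddress.ip_network(p) for p in in_use):
        remaining = []
        for block in free:
            if block.subnet_of(used):
                continue                      # whole block is in service
            if used.subnet_of(block):
                # Split the block around the in-use prefix.
                remaining.extend(block.address_exclude(used))
            else:
                remaining.append(block)       # no overlap with this used prefix
        free = remaining
    return [str(n) for n in sorted(ipaddress.collapse_addresses(free))]


def silent_drop_routes(blocks):
    """Render Linux iproute2 null routes. 'blackhole' discards silently;
    'unreachable' or 'prohibit' would send ICMP back to the source."""
    return [f"ip route add blackhole {b}" for b in blocks]


if __name__ == "__main__":
    for line in silent_drop_routes(unused_blocks(ANNOUNCED, IN_USE)):
        print(line)
```

The resulting list is what would be handed to the upstream; more-specific routes for space later put into service must be removed from it before that space goes live.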