Not quite sure what kind of info / confirmation you are looking for... There are lots of articles (do a google search) on this topic as well as mitigation ...
e.g. http://blog.nexusguard.com/ssdp-ddos-attacks/ & https://tools.ietf.org/html/bcp38

Regards

Faisal Imtiaz
Snappy Internet & Telecom

----- Original Message -----
> From: "Mitch Dyer" <md...@development-group.net>
> To: "nanog list" <nanog@nanog.org>
> Sent: Monday, February 8, 2016 6:14:06 PM
> Subject: UDP Amplification DDoS - Help!
>
> Hello,
>
> Hoping someone can point me in the right direction here, even just
> confirming my suspicions would be incredibly helpful.
>
> A little bit of background: I have a customer I'm working with that is
> downstream of a 1Gb link that is experiencing multiple DDoS attacks on a
> daily basis. Through several captures I've seen what appear to be a mixture
> of SSDP and DNS amplification attacks (though not at the same time). The
> attack itself seems to target the PAT address associated with a specific
> site, if we change the PAT address for the site, the attack targets the new
> address at the next occurrence. We've tried setting up captures and logging
> inside the network to determine if the SSDP/DNS request originate within the
> network but that does not appear to be the case.
>
> We've reached out for some assistance from the upstream carrier but they've
> only been able to enforce a 24-hour block.
>
> I'm hoping someone with some experience on this topic would be able to shed
> some light on a better way to attack this or would be willing to confirm
> that we are simply SOL without prolonged assistance from the upstream
> carrier.
>
> Thanks in advance for any insight.
>
> Mitch
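
The check described in the quoted message (do the SSDP/DNS requests originate inside the network?) can be run over UDP records exported from a capture. This is an added example, not part of the original thread; the record layout, the `WINDOW` value and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

AMP_PORTS = {53: "dns", 1900: "ssdp"}  # UDP source ports of the reflected replies
WINDOW = 5.0  # seconds a reply may trail its request (assumed value)

def unsolicited_responses(packets, local_net):
    """Summarise inbound DNS/SSDP replies that no local host asked for.

    packets: iterable of (ts, src_ip, src_port, dst_ip, dst_port, length)
             UDP records in time order, e.g. exported from a capture.
    local_net: CIDR covering the site's addresses as seen at the capture point
               (the PAT address when capturing outside the NAT).
    """
    net = ipaddress.ip_network(local_net)
    requests = {}  # (local_ip, local_port, remote_ip, remote_port) -> request ts
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for ts, src, sport, dst, dport, length in packets:
        src_local = ipaddress.ip_address(src) in net
        dst_local = ipaddress.ip_address(dst) in net
        if src_local and not dst_local and dport in AMP_PORTS:
            requests[(src, sport, dst, dport)] = ts  # outbound query from the site
        elif dst_local and not src_local and sport in AMP_PORTS:
            asked = requests.get((dst, dport, src, sport))
            if asked is not None and ts - asked <= WINDOW:
                continue  # reply to a request the site really sent
            entry = summary[AMP_PORTS[sport]]
            entry["packets"] += 1
            entry["bytes"] += length
            entry["reflectors"].add(src)
    return {p: {**v, "reflectors": len(v["reflectors"])} for p, v in summary.items()}

# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE = [
    (0.00, "192.0.2.10", 40000, "198.51.100.53", 53, 70),    # genuine DNS query
    (0.03, "198.51.100.53", 53, "192.0.2.10", 40000, 120),   # its answer
    (1.00, "203.0.113.5", 53, "192.0.2.10", 31337, 3000),    # DNS reply, never requested
    (1.01, "203.0.113.6", 53, "192.0.2.10", 31337, 3100),
    (1.02, "203.0.113.7", 1900, "192.0.2.10", 80, 320),      # SSDP reply, never requested
    (1.03, "203.0.113.7", 1900, "192.0.2.10", 80, 310),
]

if __name__ == "__main__":
    for proto, stats in unsolicited_responses(SAMPLE, "192.0.2.0/24").items():
        print(proto, stats)
```

A large count of unsolicited replies with no matching outbound requests is consistent with spoofed-source reflection aimed at the site, which is the case BCP 38 filtering at the spoofing networks addresses.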