You could use multiple PAT addresses to find the source of information
for the attacker and to reduce the impact by filtering/QOS.
TCP connections PAT IP1 (block UDP before going to the 1G line)
UDP connections PAT IP2
webservers connecting to api hosts - PAT IP3
webservers remaining connections
1. Move the website to DDoS-resistant reverse proxy like Cloudflare or
Incapsula, using its current IP address; won't make much of a difference as
attacker will go back to attacking the last known IP address.
2. Change the site IP address and only update it at the reverse proxy
provider, not at any
You haven't indicated what the actual inbound attack volume is. If it's
something your network core can handle, you can block the attack fingerprint
upstream so it does not reach the 1Gb link. If it's UDP amplification
chances are you can create a firewall rule.
-PK
;> To: "nanog list"
>> Sent: Monday, February 8, 2016 6:14:06 PM
>> Subject: UDP Amplification DDoS - Help!
>
>> Hello,
>>
>> Hoping someone can point me in the right direction here, even just
>> confirming my
>> suspicions would be incredibly help
Hi Mitch.
My colleagues in the US dealt with something like this and I have dealt with
something similar to this in Australia.
Does your customer happen to be a school district?
In our cases it turned out to be students buying Ddos as a service and
targeting the address which comes up when they
On 9 Feb 2016, at 6:14, Mitch Dyer wrote:
I'm hoping someone with some experience on this topic would be able to
shed some light on a better way to attack this or would be willing to
confirm that we are simply SOL without prolonged assistance from the
upstream carrier.
Take a look at this .p
rnet & Telecom
- Original Message -
> From: "Mitch Dyer"
> To: "nanog list"
> Sent: Monday, February 8, 2016 6:14:06 PM
> Subject: UDP Amplification DDoS - Help!
> Hello,
>
> Hoping someone can point me in the right direction here, even just confirmi
On 9 Feb 2016, at 9:50, mike.l...@gmail.com wrote:
Sounds like there is a compromised host downstream of the 1G that is
reporting back it's source IP and that is why changing the IP doesn't
help.
It's much more likely that the attacker is just following the DNS
changes.
---
Oodles of devices downstream of the 1G? Does the 1G terminate into a router or
firewall?
Sounds like there is a compromised host downstream of the 1G that is reporting
back it's source IP and that is why changing the IP doesn't help.
If you look at the PAT table, any oddities?
Good luck!
-Mik
Hello,
Hoping someone can point me in the right direction here, even just confirming
my suspicions would be incredibly helpful.
A little bit of background: I have a customer I'm working with that is
downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily
basis. Through s
10 matches
Mail list logo
