One of our clients has been suffering from a DDoS for the last 2-3 weeks, it gets occasionally worse and then drops down to more manageable levels ...

Last Sunday, then yesterday (Sunday again) and then again today at 18:00 we saw massive spikes which are flooding all of our external connectivity (6 x GE ports) bringing massive packet loss / etc

If we turn the customer's IP address off, traffic subsides .... no need to even black hole the route ..

This is a small snapshot of what we're seeing on the web server

19:06:02.150681 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 52, id 56948, offset 0, flags [+], proto: UDP (17), length: 1500) 208.74.148.200.52004 > 93.188.179.122.733: UDP, length 8192
19:06:02.150803 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 123, id 7894, offset 1480, flags [+], proto: UDP (17), length: 1500) 89.151.91.15 > 93.188.179.122: udp
19:06:02.150928 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 48, id 3381, offset 5920, flags [+], proto: UDP (17), length: 1500) 64.191.106.72 > 93.188.179.122: udp
19:06:02.151171 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 50, id 29202, offset 4440, flags [+], proto: UDP (17), length: 1500) 70.39.109.34 > 93.188.179.122: udp
19:06:02.151174 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 123, id 7894, offset 5920, flags [+], proto: UDP (17), length: 1500) 89.151.91.15 > 93.188.179.122: udp


but we're seeing a _lot_ of this traffic

apart from a) giving in and turning the customer off, or b) paying Prolexic more than the site grosses in a year .. any ideas?

It's all UDP so I can't see how a tarpit would help ...

I have a flow setup on our Junipers (BGP speakers at the borders) which is set to discard the traffic, but that isn't helping much either .. as soon as I ifup the interface alias on their server we start to see Gbps of traffic flooding our external links again :(

Filter: __flowspec_default_inet__
Counters:
Name                                     Bytes      Packets
93.188.179.112/28,*,proto=17,port=17     3675692    2487



jon@hex-gw1> show configuration routing-options flow
route client-attack {
    match {
        destination 93.188.179.112/28;
        protocol udp;
        port 17;
    }
    then discard;
}


Anyone have any ideas? I'm about ready to tell the client to go elsewhere .. but would really rather not, and how do we address this the next time it happens (give all of our customers away ??)

Jon
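Added example, not part of Jon's post: a small Python parser for the tcpdump snapshot above that splits the capture into first fragments (offset 0, which carry the UDP header and therefore ports) and non-initial fragments (offset > 0, which carry no transport header at all), and reports how many lines a flowspec "port N" term could match. It assumes the five packets are exactly the ones quoted in the post, re-split one per line, and that a flowspec port term matches either the source or the destination port of the transport header.

```python
import re

# Constructed sample input: the five lines from the tcpdump snapshot in the post,
# one packet per line (the original paste ran them together).
SNAPSHOT = """\
19:06:02.150681 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 52, id 56948, offset 0, flags [+], proto: UDP (17), length: 1500) 208.74.148.200.52004 > 93.188.179.122.733: UDP, length 8192
19:06:02.150803 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 123, id 7894, offset 1480, flags [+], proto: UDP (17), length: 1500) 89.151.91.15 > 93.188.179.122: udp
19:06:02.150928 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 48, id 3381, offset 5920, flags [+], proto: UDP (17), length: 1500) 64.191.106.72 > 93.188.179.122: udp
19:06:02.151171 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 50, id 29202, offset 4440, flags [+], proto: UDP (17), length: 1500) 70.39.109.34 > 93.188.179.122: udp
19:06:02.151174 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 123, id 7894, offset 5920, flags [+], proto: UDP (17), length: 1500) 89.151.91.15 > 93.188.179.122: udp
"""

# Matches the tcpdump -v/-e line layout shown above. Ports are optional because
# tcpdump prints them only when the packet actually contains a UDP header.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?"
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], proto: UDP \(17\), length: (?P<iplen>\d+)\) "
    r"(?P<src>(?:\d+\.){3}\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>(?:\d+\.){3}\d+)(?:\.(?P<dport>\d+))?:"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a UDP line in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"], "src": m["src"], "dst": m["dst"], "ip_id": None,
        "offset": int(m["offset"]), "more_fragments": "+" in m["flags"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def flowspec_port_would_match(pkt, port):
    """A 'port N' term needs a transport header; only the first fragment (offset 0) has one."""
    return pkt["offset"] == 0 and port in (pkt["sport"], pkt["dport"])


def summarize(text, port):
    """Classify every parsable line and count what a port-only flowspec term could see."""
    pkts = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    return {
        "total": len(pkts),
        "first_fragments": sum(p["offset"] == 0 for p in pkts),
        "non_initial_fragments": sum(p["offset"] > 0 for p in pkts),
        "port_matches": sum(flowspec_port_would_match(p, port) for p in pkts),
        "sources": sorted({p["src"] for p in pkts}),
    }
```

In this snapshot four of the five lines are non-initial fragments with no port to match, and the one first fragment is to port 733, so a port-only term sees none of them; RFC 5575 flowspec defines a separate fragment match component (type 12) for precisely this situation.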