On Mon, 9 May 2011, Jon Morby wrote:
> One of our clients has been suffering from a DDoS for the last 2-3 weeks, it
> gets occasionally worse and then drops down to more manageable levels ...

Just checked "show ip ca flow | in 93.188.179.122" on all of Jump's
routers shows no flows, so we're not contributing to the DDoS..

> apart from a) giving in and turning the customer off, or b) paying Prolexic
> more than the site grosses in a year .. any ideas?

A few...
1) Try to figure out which is the probe traffic which determines when your
customer's site is up, and block that.
2) Figure out which of your peers is sending the DoS traffic, and contact
them to clean it up.
3) Contact your upstreams, and ask them to do traceback / blocking of the
specific traffic.
4) Get your customer to renumber - whatever is probing might just be set
to probe by IP address, rather than hostname, or have a long DNS cache, so
this may buy you time.
Good luck in any case...
Cheers
James
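
For point 2 above, one way to see which ingress interface (and so which peer or upstream) carries the traffic is to total flow-cache rows per source interface. This is an added example, not part of the original message: the sample rows, the documentation-range addresses and the function names are constructed, and the column layout assumed is that of Cisco "show ip cache flow".

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts.
# Protocol and ports are hexadecimal. Addresses are documentation ranges.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         198.51.100.7    Gi0/3         203.0.113.10    06 C3A1 0050  9100
Gi0/1         198.51.100.9    Gi0/3         203.0.113.10    06 D2F0 0050  8700
Gi0/2         192.0.2.44      Gi0/3         203.0.113.10    06 8A10 0050    12
Gi0/2         192.0.2.45      Gi0/3         203.0.113.80    11 0035 E001   300
Gi0/3         203.0.113.10    Gi0/1         198.51.100.7    06 0050 C3A1    40
"""

def to_count(field):
    """Packet counter; a K/M suffix is read as x1000 / x1000000 (assumption)."""
    mult = {"K": 1000, "M": 1000000}.get(field[-1].upper(), 1)
    return int(field[:-1]) * mult if mult > 1 else int(field)

def parse_flows(text):
    """Yield one dict per flow row; headers and malformed rows are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            yield {"src_if": f[0], "src": ipaddress.ip_address(f[1]),
                   "dst": ipaddress.ip_address(f[3]), "proto": int(f[4], 16),
                   "dport": int(f[6], 16), "pkts": to_count(f[7])}
        except ValueError:
            continue  # header line or a row that does not parse

def ingress_summary(text, victim):
    """Per ingress interface: (interface, packets, distinct sources) toward victim."""
    victim = ipaddress.ip_address(victim)
    pkts, sources = Counter(), defaultdict(set)
    for fl in parse_flows(text):
        if fl["dst"] == victim:  # only traffic headed to the attacked address
            pkts[fl["src_if"]] += fl["pkts"]
            sources[fl["src_if"]].add(fl["src"])
    return [(i, n, len(sources[i])) for i, n in pkts.most_common()]

if __name__ == "__main__":
    for iface, n, srcs in ingress_summary(SAMPLE, "203.0.113.10"):
        print(f"{iface}: {n} packets from {srcs} source(s)")
```

The interface at the top of the list is the peering or transit port to raise with the network on the other side.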