Jon Morby wrote:
> One of our clients has been suffering from a DDoS for the last 2-3
> weeks, it gets occasionally worse and then drops down to more
> manageable levels ...
>
> Last Sunday, then yesterday (Sunday again) and then again today at
> 18:00 we saw massive spikes which are flooding all of our external
> connectivity (6 x GE ports) bringing massive packet loss / etc
>
> If we turn the customer's IP address off, traffic subsides .... no
> need to even black hole the route ..
>
> This is a small snapshot of what we're seeing on the web server
>
> 19:06:02.150681 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4
> (0x0800), length 1514: (tos 0x0, ttl 52, id 56948, offset 0, flags
> [+], proto: UDP (17), length: 1500) 208.74.148.200.52004 >
> 93.188.179.122.733: UDP, length 8192
> 19:06:02.150803 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4
> (0x0800), length 1514: (tos 0x0, ttl 123, id 7894, offset 1480, flags
> [+], proto: UDP (17), length: 1500) 89.151.91.15 > 93.188.179.122: udp
> 19:06:02.150928 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4
> (0x0800), length 1514: (tos 0x0, ttl 48, id 3381, offset 5920, flags
> [+], proto: UDP (17), length: 1500) 64.191.106.72 > 93.188.179.122: udp
> 19:06:02.151171 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4
> (0x0800), length 1514: (tos 0x0, ttl 50, id 29202, offset 4440, flags
> [+], proto: UDP (17), length: 1500) 70.39.109.34 > 93.188.179.122: udp
> 19:06:02.151174 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4
> (0x0800), length 1514: (tos 0x0, ttl 123, id 7894, offset 5920, flags
> [+], proto: UDP (17), length: 1500) 89.151.91.15 > 93.188.179.122: udp
>
>
> but we're seeing a _lot_ of this traffic
>
> apart from a) giving in and turning the customer off, or b) paying
> Prolexic more than the site grosses in a year .. any ideas?
>
> It's all UDP so I can't see how a tarpit would help ...
>
> I have a flow setup on our Junipers (BGP speakers at the borders)
> which is set to discard the traffic, but that isn't helping much
> either .. as soon as I ifup the interface alias on their server we
> start to see Gbps of traffic flooding our external links again :(
>
> Filter: __flowspec_default_inet__
> Counters:
> Name                                    Bytes      Packets
> 93.188.179.112/28,*,proto=17,port=17    3675692    2487
>
> jon@hex-gw1> show configuration routing-options flow
> route client-attack {
> match {
> destination 93.188.179.112/28;
> protocol udp;
> port 17;
> }
> then discard;
> }
>
>
> Anyone have any ideas? I'm about ready to tell the client to go
> elsewhere .. but would really rather not, and how do we address this
> the next time it happens (give all of our customers away ??)
>
> Jon
>
Ask your upstreams to put in the filters as well. That way you can have
a closer look at what is causing/starting the attack (probably a single
IP looking up the website...)
As a matter of interest, the issue is usually related to something
specific (i.e. a webpage someone is not happy with, a comment on a blog,
an IRC server etc.) ... what is running on it, can you disclose?
Michelle
--
Vulnerabilities are weaknesses associated with an organisation's assets that
may be exploited by a threat causing unwanted incidents.
http://www.mhix.org/
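Added example, not from the thread: a Python script that parses tcpdump lines in the exact format Jon quoted and reports, per source address, how many packets are non-initial fragments (offset > 0). Those fragments carry no UDP header, so a port-based match such as the flowspec rule's `port 17` cannot see them; the sample input is the five lines from the post, unwrapped, and `match_port` is the example's own parameter.

```python
import re
from collections import Counter

# Constructed sample: the five tcpdump lines quoted in the post, unwrapped to one line each.
SAMPLE = """\
19:06:02.150681 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 52, id 56948, offset 0, flags [+], proto: UDP (17), length: 1500) 208.74.148.200.52004 > 93.188.179.122.733: UDP, length 8192
19:06:02.150803 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 123, id 7894, offset 1480, flags [+], proto: UDP (17), length: 1500) 89.151.91.15 > 93.188.179.122: udp
19:06:02.150928 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 48, id 3381, offset 5920, flags [+], proto: UDP (17), length: 1500) 64.191.106.72 > 93.188.179.122: udp
19:06:02.151171 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 50, id 29202, offset 4440, flags [+], proto: UDP (17), length: 1500) 70.39.109.34 > 93.188.179.122: udp
19:06:02.151174 00:19:56:65:3f:46 > 00:25:90:33:02:5c, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 123, id 7894, offset 5920, flags [+], proto: UDP (17), length: 1500) 89.151.91.15 > 93.188.179.122: udp
"""

# Pull the IP header fields and the two endpoints out of a tcpdump -v line.
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+), id (?P<ipid>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto: (?P<proto>\w+) \(\d+\), length: (?P<length>\d+)\) (?P<src>\S+) > (?P<dst>\S+):"
)

def split_addr(addr):
    """tcpdump prints 'a.b.c.d.port' only when the UDP header is in this fragment, else 'a.b.c.d'."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return addr, None

def parse_line(line):
    """Return one packet record, or None for lines that are not IPv4 packet summaries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src_ip, src_port = split_addr(m["src"])
    dst_ip, dst_port = split_addr(m["dst"])
    return {"ttl": int(m["ttl"]), "ipid": int(m["ipid"]), "offset": int(m["offset"]),
            "more_fragments": "+" in m["flags"], "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}

def summarize(text, match_port):
    """Count packets, split them by whether a UDP header is visible, and test a port match."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    initial = [p for p in pkts if p["offset"] == 0]  # only these carry src/dst ports
    hits = [p for p in initial if match_port in (p["src_port"], p["dst_port"])]
    return {"packets": len(pkts), "initial_fragments": len(initial),
            "trailing_fragments": len(pkts) - len(initial), "port_match_hits": len(hits),
            "by_src": dict(Counter(p["src_ip"] for p in pkts))}

if __name__ == "__main__":
    for port in (17, 733):
        print(f"port {port}:", summarize(SAMPLE, port))
```

On the sample, only one of the five packets carries a UDP header at all (ports 52004 and 733), so a port-based match can catch at most that one packet; the other four are trailing fragments that only an IP-level match (destination prefix, protocol, fragment bit) could catch.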