Hi all,

In The Netherlands we have been observing large DDoS attacks targeting ISPs for more than a week now. On the order of 15-20 ISPs are targeted one after the other. The target within an ISP is the infrastructure itself: mainly the name servers, but also core routers.
Characteristics:
* target: mainly name servers of an ISP
* type: CLDAP and DNS amplification (UDP src port 389 and 53 and a lot of UDP fragments, sometimes mistakenly seen as UDP port 0)
* size: between 50G - 260G
* duration: with mitigation: 5 - 60 minutes; without mitigation: hours, I believe up to 6 hours, but maybe even longer

It looks like the attacker is monitoring whether successful mitigation is put in place. The attack will be stopped in that case and the attacker will move to a new target. This is my observation, btw.

What I would like to know is whether this DDoS campaign is a Dutch thing or international. We also see Belgian ISPs attacked, but they also have a presence in NL. Has someone observed a DDoS with these characteristics outside NL or BE?

Best regards,
Pim van Stam
NBIP-NaWas
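The traffic profile in the post (reflected CLDAP and DNS responses from UDP source ports 389 and 53, plus the non-first fragments of those large responses that flow exporters report as UDP port 0) can be picked out of flow records with a few lines of classification. The following is an added example written for this page, not code from the original post or from NBIP-NaWas. It assumes a constructed, simplified one-line-per-flow format (ts,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets), constructed sample flows with RFC 5737 documentation addresses, and an averaging window equal to the timestamp span of the input; none of these come from the post.

```python
"""Flag CLDAP/DNS amplification and UDP-fragment traffic in flow records.

Added example, not code from the original post. The input format is a
constructed, simplified one-line-per-flow layout (assumption, not any real
exporter's output):

    ts,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets

Non-first UDP fragments carry no UDP header, so an exporter has no ports to
report and shows 0/0; that is the "UDP port 0" traffic the post describes.
"""
from collections import defaultdict

UDP = 17
# Reflected amplification responses arrive FROM the service port of the
# abused reflector: CLDAP (389/udp) and DNS (53/udp) in the campaign above.
AMP_SRC_PORTS = {389: "CLDAP", 53: "DNS"}

# Constructed sample flows, not captured traffic. 203.0.113.53 stands in for
# an ISP resolver; 198.51.100.0/24 and 192.0.2.0/24 for reflectors and others.
SAMPLE_FLOWS = """\
1700000000,198.51.100.10,389,203.0.113.53,41222,17,120000000,85000
1700000000,198.51.100.11,389,203.0.113.53,41223,17,95000000,66000
1700000000,192.0.2.5,53,203.0.113.53,50001,17,64000000,20000
1700000000,198.51.100.12,0,203.0.113.53,0,17,210000000,150000
1700000000,192.0.2.9,443,203.0.113.53,52000,6,1500000,1000
1700000001,198.51.100.10,389,203.0.113.53,41222,17,118000000,84000
1700000001,203.0.113.20,50123,192.0.2.7,53,17,3000,25
"""


def parse_flow(line):
    """Parse one constructed flow line into a dict of typed fields."""
    ts, src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": int(proto),
            "bytes": int(nbytes), "packets": int(pkts)}


def classify(flow):
    """Return the attack vector a flow belongs to, or None if unrelated.

    Only the source port is checked: a flow TO port 53 is an ordinary query,
    a flow FROM port 53 or 389 at these volumes is a reflected response.
    """
    if flow["proto"] != UDP:
        return None
    if flow["sport"] in AMP_SRC_PORTS:
        return AMP_SRC_PORTS[flow["sport"]]
    if flow["sport"] == 0 and flow["dport"] == 0:
        # No transport header visible: non-first fragment of a large
        # amplified response, exported with both ports as 0.
        return "UDP-fragment"
    return None


def vector_gbps(lines):
    """Aggregate attack bytes per destination and vector, as Gbit/s.

    The averaging window is the timestamp span of the input (assumption of
    this example; a real pipeline would use the exporter's active timeout).
    """
    totals = defaultdict(lambda: defaultdict(int))
    timestamps = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        timestamps.append(flow["ts"])
        vector = classify(flow)
        if vector is None:
            continue
        totals[flow["dst"]][vector] += flow["bytes"]
    if not timestamps:
        return {}
    window = max(timestamps) - min(timestamps) + 1
    return {dst: {vec: nbytes * 8 / window / 1e9 for vec, nbytes in vecs.items()}
            for dst, vecs in totals.items()}


def targets_over(report, threshold_gbps):
    """Destinations whose summed amplification traffic reaches the threshold."""
    return sorted(dst for dst, vecs in report.items()
                  if sum(vecs.values()) >= threshold_gbps)


if __name__ == "__main__":
    report = vector_gbps(SAMPLE_FLOWS.splitlines())
    for dst, vecs in report.items():
        parts = ", ".join(f"{vec} {gbps:.3f} Gbit/s" for vec, gbps in vecs.items())
        print(f"{dst}: {parts}")
    print("over 1 Gbit/s:", targets_over(report, 1.0))
```

Two points the classification relies on: direction matters (a flow towards port 53 is a normal query and is ignored; only flows sourced from 53 or 389 count as reflected responses), and the port-0 flows should be attributed to the same attack rather than dismissed as malformed, since on a fragmenting amplification attack they often carry the bulk of the bytes, as the constructed sample illustrates.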
