Re: DOS attack assistance?

[Jay Coley <j () jcoley net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Pete Templin wrote:
> One of my customers, a host at 64.8.105.15, is feeling a "bonus"
> ~130kpps from 88.191.63.28.  I've null-routed the source, though our
> Engine2 GE cards don't seem to be doing a proper job of that,
> unfortunately.  The attack is a solid 300% more pps than our aggregate
> traffic levels.
>
> It's coming in via 6461, but they don't appear to have any ability to
> backtrack it.  Their only offer is to blackhole the destination until
> the attack subsides.  BGP tells me the source is in AS 12322, a RIPE AS
> that has little if any information publicly visible.
>
> Any pointers on what to do next?


If it's all coming from that single IP 88.191.63.28, just request that
your upstream block it.  Usually if you explain the situation to them
they'll oblige.

Otherwise you'll want to look at mitigation gear (Toplayer, Cisco, etc)
there are loads out there or you can look into a DDoS mitigation service.

The Contacts I can see for that ASN are

 role:           Technical Contact for ProXad
address:        Free SAS / ProXad
address:        8, rue de la Ville L'Eveque
address:        75008 Paris
phone:          +33 1 73 50 20 00
fax-no:         +33 1 73 92 25 69
remarks:        trouble:      Information: http://www.proxad.net/
remarks:        trouble:      Spam/Abuse requests: mailto:abuse () proxad net
admin-c:        RA999-RIPE
tech-c:         FG4214-RIPE
nic-hdl:        TCP8-RIPE
mnt-by:         PROXAD-MNT
source:         RIPE # Filtered
abuse-mailbox:  abuse () proxad net


Hope that helps!

- --J

        

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkktKf8ACgkQETh+0NgvOtF+IgCdFE4TD885Ot9d97b+Dhenmrn8
oVYAniR3qua8mG3D7escGxv+td458jUK
=BwvQ
-----END PGP SIGNATURE-----