nanog mailing list archives
Re: DDoS attack
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Mon, 9 Dec 2019 16:15:37 -0500
On Mon, Dec 9, 2019 at 4:08 PM Michael Sherlock <michael.sherlock () hrins net> wrote:
You asked what is being attacked
IP addresses that are currently not assigned to end users
And IP addresses assigned to end users
End user = Home broadband customers
We are not hosting any significant servers
I'm being unclear or you are being overly pedantic.. neither is helping. "what ip address can I look in netflow for traffic destined to which is part of this attack?" Anyone trying to help you is going to want to know what destination address in your network is receiving this traffic... not providing same after ~15 emails is going to make your situation not get better. I'd suggest you post the addresses to the list though... so other folk can go looking as well.
Regards,
Michael Sherlock
Mobile: +44 75070 92392
Sent from my iPhone
On Dec 9, 2019, at 9:04 PM, Christopher Morrow <morrowc.lists () gmail com> wrote:
On Mon, Dec 9, 2019 at 3:42 PM Michael Sherlock <michael.sherlock () hrins net> wrote:
Christopher,
IP addresses that are not currently in use, and IP addresses that are currently used for CGNAT for end users
I'm 100% sure that those words mean something to you.. but not operating your network they don't mean anything to me.
Regards,
Michael Sherlock
Mobile: +44 75070 92392
Sent from my iPhone
On Dec 9, 2019, at 8:36 PM, "ahmed.dalaali () hrins net" <ahmed.dalaali () hrins net> wrote:
Begin forwarded message:
From: Christopher Morrow <morrowc.lists () gmail com>
Subject: Re: DDoS attack
Date: December 9, 2019 at 11:11:31 PM GMT+3
To: "ahmed.dalaali () hrins net" <ahmed.dalaali () hrins net>
Cc: nanog list <nanog () nanog org>
I'd note that: "what prefixes?" isn't answered here... like: "what is the thing on your network which is being attacked?"
On Mon, Dec 9, 2019 at 3:08 PM ahmed.dalaali () hrins net <ahmed.dalaali () hrins net> wrote:
Dear All,
My network is being flooded with UDP packets, Denial of Service attack, sourcing from Cloudflare and Google IP addresses, with 200-300 mbps minimum traffic, the destination in my network are IP prefixes that are currently not used but still getting traffic with high volume.
The traffic is being generated with high intervals between 10-30 Minutes for each time, maxing to 800 mbps
When we reached out to Cloudflare support, they mentioned that their services are running on NAT so they can’t pin out which server is attacking based on IP address alone, as a single IP has more than 5000 servers behind it, providing 1 source IP and UDP source port, didn’t help either
Any suggestions?
Regards,
Ahmed Dala Ali