nanog mailing list archives

RE: DDoS attack


From: Paul Amaral via NANOG <nanog () nanog org>
Date: Mon, 9 Dec 2019 16:37:18 -0500


Normally these attacks are spoofed IPs, usually amplification attacks based on UDP using DNS/LDAP etc. This is something that is common and usually is towards schools and financial institutions. This is an easy attack to orchestrate by anyone; most of these attacks can be launched via stresser services online. 800 Mbps to most smaller ISPs is a lot of traffic and can deeply impact not only the victim prefix but other non-targeted customers, as traffic consumed by the attack will cause problems for all users on that circuit.

There are a few things you can do: ask your upstream provider to rate limit UDP packets towards you. Rate limit them to what you think a normal UDP rate should be. I don't recommend blocking UDP, as you will block legit UDP packets from reaching any of your customers when the attack is not ongoing. Note most larger providers will not help or care to help; I know Comcast probably will not help you, their support techs will have no idea what you are talking about and neither will most entry level engineers. However, it's worth taking a shot and asking your upstream provider.

Another way you can minimize this is if you are multi-homed with BGP. In this case take the targeted prefix and advertise it to be preferred through one of your upstreams and move all other prefixes to the other link. This will ensure that most of your customers will not be impacted during the DDOS. Once you have the victim prefix preferred on that specific BGP link then you can rate limit on your edge, or the provider can do this for you. You will still have the full force of the attack at the edge unless you can get one of your providers to help you out. With DDOS you can only mitigate it and not necessarily stop it. Someone will always get that DDOS traffic, whether it is you, your provider or your customers. The problem is figuring out where you want the traffic to be rate-limited, stopped etc. and at whose expense.

BTW those stresser services are usually free for a set time of about 0-15 min, then you must pay, which is why it's not ongoing.


Good luck, 

Paul 
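
One way to implement the BGP steering and edge UDP policer described above, as an added illustration that is not part of the thread and not Paul's or Ahmed's configuration (Cisco IOS syntax; the AS numbers, neighbor addresses, prefixes and interface are made-up documentation values, and the 50 Mbps rate is a placeholder for whatever you consider a normal UDP rate):

```cisco
! Constructed example (not from the thread). Assumed values:
!   local AS 64496, upstream A 203.0.113.1 (AS 64500), upstream B 203.0.113.5 (AS 64501)
!   victim prefix 192.0.2.0/24, remaining customer prefix 198.51.100.0/24
ip prefix-list VICTIM seq 5 permit 192.0.2.0/24
ip prefix-list OTHERS seq 5 permit 198.51.100.0/24
!
! Toward upstream A: victim prefix announced plain, other prefixes prepended,
! so the Internet prefers A for the victim and B for everything else.
route-map TO-UPSTREAM-A permit 10
 match ip address prefix-list VICTIM
route-map TO-UPSTREAM-A permit 20
 match ip address prefix-list OTHERS
 set as-path prepend 64496 64496 64496
!
! Toward upstream B: the mirror image, so each prefix keeps a backup path.
route-map TO-UPSTREAM-B permit 10
 match ip address prefix-list OTHERS
route-map TO-UPSTREAM-B permit 20
 match ip address prefix-list VICTIM
 set as-path prepend 64496 64496 64496
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 route-map TO-UPSTREAM-A out
 neighbor 203.0.113.5 remote-as 64501
 neighbor 203.0.113.5 route-map TO-UPSTREAM-B out
!
! Edge policer on the upstream A interface: UDP toward the victim prefix is
! held to a placeholder 50 Mbps; set the rate to your normal UDP baseline.
! Excess is dropped here, so the attack still fills the A circuit; only
! policing on the provider's side frees that bandwidth.
ip access-list extended UDP-TO-VICTIM
 permit udp any 192.0.2.0 0.0.0.255
class-map match-all CM-UDP-VICTIM
 match access-group name UDP-TO-VICTIM
policy-map PM-DDOS-INGRESS
 class CM-UDP-VICTIM
  police cir 50000000 bc 1562500 conform-action transmit exceed-action drop
interface GigabitEthernet0/0
 description Upstream A
 service-policy input PM-DDOS-INGRESS
```

Each route-map ends in an implicit deny, so any prefix not listed in VICTIM or OTHERS stops being announced; list every prefix you originate before applying this.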



-----Original Message-----
From: NANOG <nanog-bounces () nanog org> On Behalf Of ahmed.dalaali () hrins net
Sent: Monday, December 09, 2019 3:08 PM
To: nanog () nanog org
Subject: DDoS attack 

Dear All, 

My network is being flooded with UDP packets, a Denial of Service attack, sourcing from Cloudflare and Google IP addresses, with 200-300 mbps minimum traffic. The destinations in my network are IP prefixes that are currently not used but still getting traffic with high volume.
The traffic is being generated with high intervals of between 10-30 minutes each time, maxing at 800 mbps. When I reached out to Cloudflare support, they mentioned that their services are running on NAT so they can't pinpoint which server is attacking based on IP address alone, as a single IP has more than 5000 servers behind it; providing 1 source IP and UDP source port didn't help either.
Any suggestions?

Regards,
Ahmed Dala Ali 


