nanog mailing list archives

Re: UDP Amplification DDoS - Help!


From: Karsten Elfenbein <karsten.elfenbein () gmail com>
Date: Tue, 9 Feb 2016 11:29:07 +0100

You could use multiple PAT addresses to find the source of information
for the attacker and to reduce the impact by filtering/QOS.

TCP connections PAT IP1 (block UDP before going to the 1G line)
UDP connections PAT IP2

webservers connecting to api hosts - PAT IP3
webservers remaining connections - PAT IP4


Karsten


2016-02-09 0:14 GMT+01:00 Mitch Dyer <mdyer () development-group net>:
Hello,

Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly 
helpful.

A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing 
multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and 
DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated 
with a specific site, if we change the PAT address for the site, the attack targets the new address at the next 
occurrence. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS requests 
originate within the network but that does not appear to be the case.

We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.

I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this 
or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.

Thanks in advance for any insight.

Mitch
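The reply above suggests splitting outbound PAT across several public addresses by traffic class, so that the address the attacker hits tells you which activity leaked it, and so that UDP can be dropped outright for addresses that should never receive it. The following is an added example, not code from either poster: it classifies a constructed flow log (unsolicited UDP from source port 1900 or 53, above a size threshold, with no matching outbound request) as SSDP/DNS amplification, totals it per PAT address, and maps the most-targeted address back to its traffic class. The PAT plan, the addresses (documentation ranges), the 400-byte threshold and the flow records are all assumptions made for the example.

```python
"""
Triage helper for the PAT-splitting approach: which PAT address is being
hit by amplification traffic, and which traffic class that address serves.
Everything below (addresses, roles, thresholds, flows) is constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Hypothetical PAT plan following the reply: one public IP per traffic class.
PAT_ROLE = {
    "203.0.113.1": "tcp-general",   # all outbound TCP (never needs inbound UDP)
    "203.0.113.2": "udp-general",   # all other outbound UDP
    "203.0.113.3": "web-to-api",    # webservers -> API hosts
    "203.0.113.4": "web-other",     # webservers, remaining connections
}

AMP_SRC_PORTS = {1900: "ssdp", 53: "dns"}
MIN_AMP_BYTES = 400  # assumption: amplified replies are large; tune from real captures


@dataclass(frozen=True)
class Flow:
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    direction: str   # "in" (toward our PAT addresses) or "out"


def classify(flows):
    """Return (amplification flows with vector name, bytes per PAT IP, bytes per vector)."""
    # UDP requests we actually sent: (our PAT ip, our port, remote ip, remote port).
    outbound = {(f.src, f.sport, f.dst, f.dport)
                for f in flows if f.direction == "out" and f.proto == "udp"}
    amp = []
    for f in flows:
        if f.direction != "in" or f.proto != "udp":
            continue
        vector = AMP_SRC_PORTS.get(f.sport)
        if vector is None or f.nbytes < MIN_AMP_BYTES:
            continue
        # A genuine reply has a matching request from this PAT ip/port to that server.
        if (f.dst, f.dport, f.src, f.sport) in outbound:
            continue
        amp.append((f, vector))
    per_pat, per_vector = Counter(), Counter()
    for f, vector in amp:
        per_pat[f.dst] += f.nbytes
        per_vector[vector] += f.nbytes
    return amp, per_pat, per_vector


def leaked_role(per_pat):
    """Traffic class whose PAT address absorbs the most attack bytes, or None."""
    if not per_pat:
        return None
    ip, _ = per_pat.most_common(1)[0]
    return PAT_ROLE.get(ip, "unknown")


def udp_drop_candidates(per_pat):
    """PAT addresses for which an upstream UDP drop is safe to request:
    TCP-only addresses always, plus any address currently under attack."""
    tcp_only = {ip for ip, role in PAT_ROLE.items() if role == "tcp-general"}
    return sorted(tcp_only | set(per_pat))


def sample_flows():
    """Constructed flow records: one legitimate DNS exchange, five amplified
    replies aimed at the web-to-api PAT address, and two non-matching flows."""
    return [
        Flow("udp", "203.0.113.2", 40000, "198.51.100.10", 53, 60, "out"),
        Flow("udp", "198.51.100.10", 53, "203.0.113.2", 40000, 900, "in"),  # real reply
        Flow("udp", "192.0.2.11", 1900, "203.0.113.3", 51000, 1200, "in"),
        Flow("udp", "192.0.2.12", 1900, "203.0.113.3", 51001, 1200, "in"),
        Flow("udp", "192.0.2.13", 1900, "203.0.113.3", 51002, 1200, "in"),
        Flow("udp", "198.51.100.20", 53, "203.0.113.3", 51003, 3000, "in"),
        Flow("udp", "198.51.100.21", 53, "203.0.113.3", 51004, 3000, "in"),
        Flow("udp", "192.0.2.14", 1900, "203.0.113.3", 51005, 80, "in"),    # too small
        Flow("tcp", "192.0.2.50", 443, "203.0.113.1", 52000, 1500, "in"),   # TCP, ignored
    ]


if __name__ == "__main__":
    amp, per_pat, per_vector = classify(sample_flows())
    print(f"{len(amp)} amplification flows; bytes per PAT IP: {dict(per_pat)}")
    print(f"per vector: {dict(per_vector)}; leaked via: {leaked_role(per_pat)}")
    print("ask upstream to drop UDP to:", udp_drop_candidates(per_pat))
```

With the sample data the attack lands only on the web-to-api address, which points at something the webservers reach through that PAT IP as the place the attacker learned the address from; on real data, feed the same records from NetFlow or a pcap summary and check that the outbound set is complete before trusting the "no matching request" test.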


