nanog mailing list archives
Re: DDoS attack
From: Florian Brandstetter via NANOG <nanog () nanog org>
Date: Mon, 9 Dec 2019 21:32:01 +0100
Hello,

you're forgetting if that was to be amplification, the source addresses would not be within Google or CloudFlare ranges (especially not CloudFlare, as they are not running a vulnerable recursor, and merely authoritative nameservers), the only possibility would be Google as in Google Cloud, with clueless people running open recursors that are prone to DNS(-SEC) reflection.

It would pretty much be beyond the point using authoritative servers of parties such as CloudFlare as a) the scope of replies you will get is limited, b) they will highly likely take a close look at your (forged) DNS queries and c) they will most certainly have limits in place defeating the entire point.

In any regard, <1 Gbps is pretty piss poor for an amplification attack too.

Cheers.

On 9 Dec 2019, 9:17 PM +0100, Filip Hruska <fhr () fhrnet eu>, wrote:

Hello,

which attack protocol are you seeing? I suspect you're seeing DNS based amplification or similar, in which case you can't really pinpoint the attack source...

800Mbps is not a whole lot of traffic - does it cause any disruptions to you?

If the prefixes are not in use, I would suggest the use of RTBH (null routing / blackholing)

Kind Regards,
Filip Hruska

On 9 December 2019 9:07:35 pm GMT+01:00, "ahmed.dalaali () hrins net" <ahmed.dalaali () hrins net> wrote:

Dear All,

My network is being flooded with UDP packets, Denial of Service attack, sourcing from Cloudflare and Google IP Addresses, with 200-300 mbps minimum traffic, the destination in my network are IP prefixes that are currently not used but still getting traffic with high volume.

The traffic is being generated with high intervals between 10-30 Minutes for each time, maxing to 800 mbps.

When I reached out to Cloudflare support, they mentioned that their services are running on NAT so they can't pin out which server is attacking based on IP address alone, as a single IP has more than 5000 servers behind it, providing 1 source IP and UDP source port didn't help either.

Any suggestions?

Regards,
Ahmed Dala Ali

--
Sent from my mobile device. Please excuse my brevity.
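The two steps suggested in this thread (identify the reflected protocol, then blackhole unused destinations) can be run against flow data as below; this is an added example, not code from any poster. The flow records, port table, unused prefix and 150 Mbps threshold are constructed assumptions, and reflected replies are recognised by the UDP source port of the abused service.

```python
import ipaddress
from collections import defaultdict

# Assumption: short table of UDP services commonly abused for reflection.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP"}

# Constructed sample: (src_ip, src_port, dst_ip, bytes) seen in one 10 s window.
SAMPLE_FLOWS = [
    ("192.0.2.10", 53, "203.0.113.5", 250_000_000),
    ("192.0.2.11", 53, "203.0.113.5", 250_000_000),
    ("192.0.2.12", 53, "203.0.113.9", 125_000_000),
    ("198.51.100.7", 40000, "203.0.113.9", 1_250_000),
    ("198.51.100.8", 123, "198.51.100.200", 2_500_000),
]
UNUSED_PREFIXES = ["203.0.113.0/24"]  # constructed: announced but unused


def triage(flows, unused_prefixes, window_s=10, min_mbps=150):
    """Rank traffic by reflected protocol and list unused /32s worth blackholing."""
    unused = [ipaddress.ip_network(p) for p in unused_prefixes]
    proto_bytes = defaultdict(int)
    proto_srcs = defaultdict(set)
    dst_bytes = defaultdict(int)
    for src, sport, dst, nbytes in flows:
        proto = REFLECTION_PORTS.get(sport, "other-UDP")
        proto_bytes[proto] += nbytes
        proto_srcs[proto].add(src)
        # Only destinations inside unused space are safe RTBH candidates.
        if any(ipaddress.ip_address(dst) in net for net in unused):
            dst_bytes[dst] += nbytes

    def mbps(nbytes):
        return round(nbytes * 8 / window_s / 1e6, 1)

    protocols = sorted(
        ((p, mbps(b), len(proto_srcs[p])) for p, b in proto_bytes.items()),
        key=lambda row: row[1], reverse=True)
    rtbh = sorted(f"{d}/32" for d, b in dst_bytes.items() if mbps(b) >= min_mbps)
    return {"protocols": protocols, "rtbh_candidates": rtbh}


if __name__ == "__main__":
    report = triage(SAMPLE_FLOWS, UNUSED_PREFIXES)
    for proto, rate, sources in report["protocols"]:
        print(f"{proto:10s} {rate:8.1f} Mbps from {sources} source(s)")
    print("RTBH candidates:", ", ".join(report["rtbh_candidates"]))
```
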