Do you have, or can you get, RTBH set up with UCSD? So from the 44net gateway box you can announce problematic /32s or larger with a black hole community, e.g. :666, which they then null route on their borders? Also that they then propagate to their upstreams.
This is a very common, simple setup. If today the 44net space is static routed from UCSD to the gateway box, then you could still do private BGP with them in which only the blackhole prefixes are announced, leaving the static in place for the covering routes.
On Mon, 27 Sep 2021 at 22:12, Chris Smith via 44Net 44net@mailman.ampr.org wrote:
There has been a plan in place to upgrade the link to 10Gb/s for nearly a year, there were two attempts at upgrading which failed due to the new link not working, but UCSD have now identified the issue and the upgrade has been expedited and, all being well, it will be upgraded within the next week or two.
Of course that just means the next DDOS will be hitting the gateway much harder, but at least we will have some decent headroom under normal circumstances.
73, Chris - G1FEF
On 27 Sep 2021, at 09:20, Tim de Boer via 44Net 44net@mailman.ampr.org wrote:
I agree with Rob! Normally you should start upgrading the connection if the average reaches 50% of its capacity
-- Tim (PH4T)
On Mon, 27 Sept 2021 at 10:03, Rob PE1CHL via 44Net <44net@mailman.ampr.org> wrote:
Yes it would be worthwhile to research (with the IP address as information) what could be the reason behind this. Assuming it was not 44.0.0.1 but some amateur's IP, it could be some retaliation against that person and they may be able to identify a likely source and legal action may be possible.
Aside from that, I think there is too little headroom on this connection and it needs to be upgraded to 10Gbit or some teamed 1Gbit links when that is more practical. The background noise already takes up 650Mbit/s of the 1Gbit/s available...
Rob
On 9/27/21 9:33 AM, Marius Petrescu via 44Net wrote:
Tnx. Chris for the update.
I'm still wondering what the goal of such an attack is...
On 27/09/2021 10:30, Chris Smith via 44Net wrote:
So, it was a TCP port 80 attack directed against one IP address.
I passed this on to my contacts at CAIDA who passed it on to the UCSD NOC who have got the IP blocked.
The traffic has now returned to normal.
Chris - G1FEF
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
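Added example, not part of the thread or any participant's code: a guard a gateway operator could run before announcing blackhole routes over the private BGP session suggested at the top of the thread, so that only narrow prefixes inside the statically routed covering space ever get the blackhole community. The covering prefix (a documentation range), the 65535:666 community (the RFC 7999 BLACKHOLE value, standing in for the ":666" mentioned), the /29 and 16-route limits, and the ExaBGP-style output lines are all assumptions.

```python
import ipaddress

# Assumptions, not values from the thread: a documentation prefix stands in for
# the statically routed covering space; 65535:666 is the RFC 7999 BLACKHOLE
# community; the length and count limits are a hypothetical local policy.
COVERING = [ipaddress.ip_network("198.51.100.0/24")]
BLACKHOLE_COMMUNITY = "65535:666"
MIN_PREFIXLEN = 29   # never blackhole anything broader than a /29
MAX_ACTIVE = 16      # cap on simultaneously announced blackholes


def vet_blackholes(requests, protected=()):
    """Split requested prefixes into (accepted networks, [(raw, reason)])."""
    protected = [ipaddress.ip_network(p) for p in protected]
    accepted, rejected = [], []
    for raw in requests:
        try:
            # strict=True rejects prefixes with host bits set (ambiguous intent)
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            rejected.append((raw, f"unparseable: {exc}"))
            continue
        if net.version != 4 or not any(net.subnet_of(c) for c in COVERING):
            rejected.append((raw, "outside covering space"))
        elif net.prefixlen < MIN_PREFIXLEN:
            rejected.append((raw, "too broad to blackhole"))
        elif any(net.overlaps(p) for p in protected):
            rejected.append((raw, "overlaps protected infrastructure"))
        elif net in accepted:
            rejected.append((raw, "duplicate"))
        elif len(accepted) >= MAX_ACTIVE:
            rejected.append((raw, "active blackhole limit reached"))
        else:
            accepted.append(net)
    return accepted, rejected


def exabgp_lines(accepted):
    """Render accepted prefixes as ExaBGP-style announce commands."""
    return [f"announce route {n} next-hop self community [{BLACKHOLE_COMMUNITY}]"
            for n in accepted]


if __name__ == "__main__":
    # Constructed sample requests, including ones that must be refused.
    ok, bad = vet_blackholes(
        ["198.51.100.7", "198.51.100.0/24", "203.0.113.5/32", "198.51.100.1/32"],
        protected=["198.51.100.1/32"])
    print("\n".join(exabgp_lines(ok)))
    for raw, why in bad:
        print(f"refused {raw}: {why}")
```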