On 27 Sep 2021, at 08:20, Damien Gardner
<vk2tdg(a)gmail.com> wrote:
Have to admit, I was a little confused to see anything under an attack for over 24
hours.. All of our upstreams support blackhole communities, and realtime mitigation.
We’re constantly having them soak upwards of 80Gbits of DDoS at any time. Any single IP
that ends up with > 20gbps of DDoS pointed at it, ends up with a /32 blackhole
announced to all peers, and that traffic just goes away.
Why is UCSD’s upstream not washing the DDoS? (And why is UCSD not identifying the target
and blackholing it upstream?)
We have a customer with a misconfigured router being used as a DDoS amplifier. Sorry about it, I play whack-a-mole with them but sometimes I miss one or two.

On the bright side it gives me visibility over Hamnet's particular issue (and our customer is putting out just around 600 Kbps). I can tell you that AMPRNet is suffering an ongoing DNS-based DDoS attack since Sep 23rd, 10:00 UTC.

The destination addresses are two:
44.37.62.8
44.72.200.252

The traffic profile is a classic DNS DDoS: large UDP packets with source port 53 and fragments (which in Netflow flows appear as source and destination port 0).

Mitigating this is particularly easy. Use an “internal” DNS resolver with a different IP address and make sure your upstream filters large UDP packets with popular DDoS source ports such as 53 (DNS), 123 (NTP), etc., and fragments. No need to drop them all, but you can cap them at, say, 100 Mbps so that they won’t flood your network port. Avoid fragmentation wherever possible, of course.

And setting up some Netflow monitoring is mandatory, so that you can quickly characterize hostile traffic. As long as you have proper monitoring, you can ask your upstream to accept FlowSpec rules from you. FlowSpec is a specification to transport IP filtering configurations over BGP so that you can install limited filters on your upstream router without their intervention.

Other types of DDoS attacks, such as a TCP SYN flood, can be a bit more complicated to mitigate, and the best strategy is to use operating systems with enough resources and proper mechanisms (such as TCP syncookies) to withstand it.

Blackholing is a last-resort measure.
Cheers,
Borja - EA2EKH
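The characterization step Borja describes (spot large UDP flows from source port 53/123 and fragment flows that show up as port 0/0 in Netflow, then see which destination is over the cap you would ask the upstream to enforce) can be run over exported flow records. The following is an added example, not code from the thread or from AMPRNet; the flow records are constructed, the 400-byte "large packet" threshold and the extra amplification ports (1900, 11211) are assumptions, and the 100 Mbps cap is the figure from the mail.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports commonly seen in reflection floods. 53 and 123 are from the
# thread; 1900 and 11211 are added here as an assumption.
AMPLIFICATION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}
# Assumed threshold: ordinary DNS answers are far smaller, reflected ones are not.
LARGE_PACKET_BYTES = 400
# Cap suggested in the thread for rate-limiting rather than dropping the traffic.
DEFAULT_CAP_MBPS = 100.0


@dataclass
class Flow:
    """One NetFlow-style record (5-tuple plus byte and packet counters)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int      # 17 = UDP, 6 = TCP
    bytes: int
    packets: int


def classify_flow(f: Flow) -> str:
    """Label a flow: fragment, amplification/<service>, udp-normal, or other."""
    if f.proto != 17:
        return "other"
    # Non-first fragments carry no UDP header, so exporters report port 0/0.
    if f.src_port == 0 and f.dst_port == 0:
        return "fragment"
    avg_packet = f.bytes / f.packets if f.packets else 0
    if f.src_port in AMPLIFICATION_PORTS and avg_packet >= LARGE_PACKET_BYTES:
        return "amplification/" + AMPLIFICATION_PORTS[f.src_port]
    return "udp-normal"


def summarize(flows, window_seconds: int) -> dict:
    """Per destination: bytes per class and the hostile rate in Mbps."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f.dst_ip][classify_flow(f)] += f.bytes
    summary = {}
    for dst, classes in per_dst.items():
        hostile = sum(b for c, b in classes.items()
                      if c == "fragment" or c.startswith("amplification"))
        summary[dst] = {
            "classes": dict(classes),
            "hostile_mbps": hostile * 8 / window_seconds / 1e6,
        }
    return summary


def targets_over_cap(summary: dict, cap_mbps: float = DEFAULT_CAP_MBPS) -> list:
    """Destinations whose hostile traffic exceeds the cap, i.e. would still saturate."""
    return sorted(d for d, s in summary.items() if s["hostile_mbps"] > cap_mbps)


# Constructed 60-second flow sample (not real data). The two destinations are the
# ones named in the thread; sources and counters are invented.
WINDOW_SECONDS = 60
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 53, "44.37.62.8", 49152, 17, 600_000_000, 400_000),   # 1500 B avg
    Flow("198.51.100.11", 0, "44.37.62.8", 0, 17, 300_000_000, 250_000),        # fragments
    Flow("198.51.100.12", 53, "44.72.200.252", 49153, 17, 150_000_000, 100_000),
    Flow("198.51.100.13", 0, "44.72.200.252", 0, 17, 30_000_000, 25_000),
    Flow("198.51.100.14", 123, "44.72.200.252", 49154, 17, 4_680_000, 10_000),   # 468 B avg
    Flow("203.0.113.5", 53, "44.72.200.252", 49155, 17, 12_000, 100),           # normal DNS
    Flow("203.0.113.6", 443, "44.72.200.252", 49156, 6, 50_000, 60),            # TCP, ignored
]


def example_summary() -> dict:
    return summarize(SAMPLE_FLOWS, WINDOW_SECONDS)


if __name__ == "__main__":
    for dst, s in example_summary().items():
        print(dst, f"{s['hostile_mbps']:.1f} Mbps hostile", s["classes"])
    print("over cap:", targets_over_cap(example_summary()))
```

The point of separating "fragment" from "amplification/DNS" is that they need different upstream filters: one matches on fragment offset, the other on source port plus packet length, which is exactly the pair of FlowSpec match conditions you would hand to the upstream. The normal-sized port 53 flow and the TCP flow stay out of the hostile total, so a legitimate resolver answering on a different IP is not counted.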