Just to keep everyone in the loop: there have been four DDOS attacks on the portal recently,
two against just port 443 and late last night (UK time) two simultaneous attacks against 443 and 25.
I have no idea why anyone is targeting the portal, nor who is behind it - as per your standard DDOS,
the attacks mainly came from compromised PCs on the end of home DSL lines.

We had a DDoS attack that affected our gateway, but it targeted the
"Brandmeister" servers for interlinking digital voice repeaters, that were
hosted on our network.
(some on the same ESXi server as the gateway and some on another location linked by a
radio link)
This took down our connectivity as we got >200 Gbit/s of traffic and the gateway only
has a 1 Gbit/s connection.
The traffic in this case was "DNS reflection", i.e. DNS requests were sent by
compromised PCs using a spoofed source address on AMPRnet,
and the DNS servers were sending their replies to our gateway. Due to the high packet
loss and the large replies these were mainly
UDP fragments that would not re-assemble to complete datagrams.
Of course it is bad that there still are so many ISPs that do not implement BCP38. But
what can we do?
However, more interesting is the cause of this attack: the maintainers of the Brandmeister
system have a disagreement with the operators
of the French gateway in that system and decided to disconnect it. The DDoS was done as a
retaliation against that, probably
by one or more French amateurs, not necessarily the gateway operators.
(the disconnection of that gateway of course affected the repeater users in France, not
only the operators)
Like in your case, there were several waves of attacks. In the end, the affected
addresses were nullrouted and the servers moved elsewhere.
It might be that these same people are still looking for things to attack, and maybe they
researched a bit how .ampr.org works and decided
to attack the portal?
(not effective against Brandmeister as our network is BGP routed)
It is sad that people act this way, and the network operators do so little to prevent it.
Rob
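
The reflection traffic described in the message above (DNS replies that nobody on the receiving side asked for, arriving mostly as UDP fragments) can be recognised from packet summaries on the victim side. The following is an added example, not part of the original thread; the tuple layout, the documentation-range addresses, the function names and the 0.8 threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed packet summaries (documentation addresses), not real capture data:
# (src, sport, dst, dport, frag_offset, more_fragments, length). Ports are None on
# non-first fragments because only the first fragment carries the UDP header.
SAMPLE = [
    ("192.0.2.10", 40000, "198.51.100.53", 53, 0, False, 70),     # our own query
    ("198.51.100.53", 53, "192.0.2.10", 40000, 0, False, 120),    # solicited reply
    ("203.0.113.5", 53, "192.0.2.10", 1234, 0, True, 1500),       # unsolicited reply
    ("203.0.113.5", None, "192.0.2.10", None, 185, False, 1500),  # trailing fragment
    ("203.0.113.9", None, "192.0.2.10", None, 185, False, 1500),  # first piece lost
    ("203.0.113.7", 53, "192.0.2.10", 4321, 0, False, 512),       # unsolicited reply
]

def classify(packets, local_prefix="192.0.2."):
    """Sum inbound bytes per category for each local destination address."""
    queries = set()  # (local addr, local port, resolver) for queries we sent
    stats = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, dport, off, _more, length in packets:
        if src.startswith(local_prefix):
            if dport == 53:
                queries.add((src, sport, dst))
            continue
        if not dst.startswith(local_prefix):
            continue
        if off > 0:
            kind = "fragment"  # carries no ports, so a port-53 filter never matches
        elif sport == 53 and (dst, dport, src) not in queries:
            kind = "unsolicited_dns"
        else:
            kind = "other"
        stats[dst][kind] += length
    return stats

def reflection_targets(packets, threshold=0.8):
    """Local addresses whose inbound bytes are mostly unsolicited DNS or fragments."""
    hits = {}
    for dst, kinds in classify(packets).items():
        total = sum(kinds.values())
        suspect = kinds["unsolicited_dns"] + kinds["fragment"]
        if total and suspect / total >= threshold:
            hits[dst] = round(suspect / total, 3)
    return hits
```

Counting non-first fragments separately matters here because they carry no UDP header, so a rule that only matches source port 53 misses most of the volume.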