DOS attack assistance?
j at jcoley.net
Wed Nov 26 04:50:39 CST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Pete Templin wrote:
> One of my customers, a host at 22.214.171.124, is feeling a "bonus"
> ~130kpps from 126.96.36.199. I've null-routed the source, though our
> Engine2 GE cards don't seem to be doing a proper job of that,
> unfortunately. The attack is a solid 300% more pps than our aggregate
> traffic levels.
> It's coming in via 6461, but they don't appear to have any ability to
> backtrack it. Their only offer is to blackhole the destination until
> the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS
> that has little if any information publicly visible.
> Any pointers on what to do next?
If it's all coming from that single IP 188.8.131.52, just request that
your upstream block it. Usually if you explain the situation to them
Otherwise you'll want to look at mitigation gear (Toplayer, Cisco, etc)
there are loads out there or you can look into a DDoS mitigation service.
The Contacts I can see for that ASN are
role: Technical Contact for ProXad
address: Free SAS / ProXad
address: 8, rue de la Ville L'Eveque
address: 75008 Paris
phone: +33 1 73 50 20 00
fax-no: +33 1 73 92 25 69
remarks: trouble: Information: http://www.proxad.net/
remarks: trouble: Spam/Abuse requests: mailto:abuse at proxad.net
source: RIPE # Filtered
abuse-mailbox: abuse at proxad.net
Hope that helps!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the NANOG