UDP Amplification DDoS - Help!

Rubens Kuhl rubensk at gmail.com
Tue Feb 9 03:14:55 UTC 2016


1. Move the website to DDoS-resistant reverse proxy like Cloudflare or
Incapsula, using its current IP address; won't make much of a difference as
attacker will go back to attacking the last known IP address.
2. Change the site IP address and only update it at the reverse proxy
provider, not at any DNS record whatsoever.

This should do the trick unless attacker starts a full-range CIDR block
attack, at which point your next escalation path is GRE-based DDoS
providers like, but not limited to, Black Lotus.


Rubens


On Mon, Feb 8, 2016 at 9:14 PM, Mitch Dyer <mdyer at development-group.net>
wrote:

> Hello,
>
> Hoping someone can point me in the right direction here, even just
> confirming my suspicions would be incredibly helpful.
>
> A little bit of background: I have a customer I'm working with that is
> downstream of a 1Gb link that is experiencing multiple DDoS attacks on a
> daily basis. Through several captures I've seen what appear to be a mixture
> of SSDP and DNS amplification attacks (though not at the same time). The
> attack itself seems to target the PAT address associated with a specific
> site, if we change the PAT address for the site, the attack targets the new
> address at the next occurance. We've tried setting up captures and logging
> inside the network to determine if the SSDP/DNS request originate within
> the network but that does not appear to be the case.
>
> We've reached out for some assistance from the upstream carrier but
> they've only been able to enforce a 24-hour block.
>
> I'm hoping someone with some experience on this topic would be able to
> shed some light on a better way to attack this or would be willing to
> confirm that we are simply SOL without prolonged assistance from the
> upstream carrier.
>
> Thanks in advance for any insight.
>
> Mitch
>
>


More information about the NANOG mailing list