DDoS attack

Christopher Morrow morrowc.lists at gmail.com
Mon Dec 9 20:31:30 UTC 2019


I'm going to take a guess that ahmed is:
  AS      | BGP IPv4 Prefix     | AS Name
198735  | 185.51.220.0/22     | HRINS-AS, IQ
198735  | 185.51.220.0/24     | HRINS-AS, IQ
198735  | 185.51.221.0/24     | HRINS-AS, IQ
198735  | 185.51.222.0/24     | HRINS-AS, IQ
198735  | 185.51.223.0/24     | HRINS-AS, IQ
198735  | 217.145.228.0/22    | HRINS-AS, IQ
198735  | 217.145.228.0/24    | HRINS-AS, IQ
198735  | 217.145.229.0/24    | HRINS-AS, IQ
198735  | 217.145.230.0/24    | HRINS-AS, IQ
198735  | 217.145.231.0/24    | HRINS-AS, IQ
198735  | 5.1.104.0/21        | HRINS-AS, IQ
198735  | 5.1.104.0/24        | HRINS-AS, IQ
198735  | 5.1.105.0/24        | HRINS-AS, IQ
198735  | 5.1.106.0/24        | HRINS-AS, IQ
198735  | 5.1.107.0/24        | HRINS-AS, IQ
198735  | 5.1.108.0/24        | HRINS-AS, IQ
198735  | 5.1.109.0/24        | HRINS-AS, IQ
198735  | 5.1.110.0/24        | HRINS-AS, IQ
198735  | 5.1.111.0/24        | HRINS-AS, IQ

and that their upstream is:
  41032   | 62.201.210.181   | IQNETWORKS, IQ

and that ideally IQnetworks can block this traffic for them...

On Mon, Dec 9, 2019 at 3:17 PM Mel Beckman <mel at beckman.org> wrote:
>
> For short term relief, you might consider asking your upstream provider to block the unused IPs in your network that are being attacked. It may not get everything, but it could drop the volume considerably. Just be sure that the provider blocks them silently, without sending “no route to host” ICMP back to the hacker. That way the hacker won’t know that you’ve done anything and reshape his attack.
>
>  -mel
>
> > On Dec 9, 2019, at 12:11 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> >
> > I'd note that: "what prefixes?" isn't answered here... like: "what is
> > the thing on your network which is being attacked?"
> >
> > On Mon, Dec 9, 2019 at 3:08 PM ahmed.dalaali at hrins.net
> > <ahmed.dalaali at hrins.net> wrote:
> >>
> >> Dear All,
> >>
> >> My network is being flooded with UDP packets, a Denial of Service attack, sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps minimum traffic; the destinations in my network are IP prefixes that are currently not used but are still getting traffic with high volume.
> >> The traffic is being generated at high intervals, between 10-30 minutes each time, maxing out at 800 Mbps.
> >> When I reached out to Cloudflare support, they mentioned that their services are running on NAT so they can't pin out which server is attacking based on IP address alone, as a single IP has more than 5000 servers behind it; providing 1 source IP and UDP source port didn't help either.
> >> Any suggestions?
> >>
> >> Regards,
> >> Ahmed Dala Ali
>
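The thread's two practical points are that the flood targets announced-but-unused address space and that the upstream should discard it silently. The following is an added example, not code from the thread or from any of the participants: it takes flow records, aggregates UDP volume per destination /24, and lists the idle /24s that exceed a threshold, which is the list one would hand to the upstream for a silent discard. The announced prefixes are the ones Christopher listed for AS198735; the "in-use" sub-blocks, the flow format and the flow records themselves are constructed assumptions.

```python
"""Spot UDP floods aimed at address space that is announced but not in use.

Added example, not code from the NANOG thread. The announced prefixes come
from the thread; the in-use sub-blocks and the flow records are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Prefixes announced by the network under attack (AS198735, from the thread).
ANNOUNCED = [ipaddress.ip_network(p) for p in
             ("5.1.104.0/21", "185.51.220.0/22", "217.145.228.0/22")]

# Hypothetical: the sub-blocks that actually carry customers or services.
# Anything announced but not listed here is treated as unused space.
# Assumed to be /24-aligned so a /24 is either wholly in use or wholly idle.
IN_USE = [ipaddress.ip_network(p) for p in ("5.1.104.0/24", "185.51.220.0/24")]

# Constructed flow export: "timestamp src dst proto bytes", one record per line.
SAMPLE_FLOWS = """\
1575922800 104.16.1.5     5.1.110.77     17 250000000
1575922801 172.217.5.10   5.1.110.200    17 125000000
1575922802 104.16.7.8     185.51.223.9   17 62500000
1575922803 104.16.1.5     5.1.104.10     17 12500000
1575922804 198.51.100.4   5.1.110.5      6  125000000
1575922805 172.217.5.10   217.145.231.3  17 1250000
1575922806 104.16.1.5     203.0.113.9    17 250000000
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    nbytes: int


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, nbytes = line.split()
        flows.append(Flow(int(ts), ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(proto), int(nbytes)))
    return flows


def classify_dst(addr):
    """Return 'in_use', 'unused' (announced but idle) or 'foreign' (not ours)."""
    addr = ipaddress.ip_address(addr)
    if any(addr in n for n in IN_USE):
        return "in_use"
    if any(addr in n for n in ANNOUNCED):
        return "unused"
    return "foreign"


def udp_mbps_by_dst24(flows, window_s):
    """Aggregate UDP bytes per destination /24 into Mbps over a window_s window."""
    bits = defaultdict(int)
    for f in flows:
        if f.proto != 17:  # UDP only; the thread's flood is UDP
            continue
        net = ipaddress.ip_network(f"{f.dst}/24", strict=False)
        bits[net] += f.nbytes * 8
    return {net: b / (window_s * 1_000_000) for net, b in bits.items()}


def unused_space_targets(flows, window_s=10, threshold_mbps=5.0):
    """List (net, mbps) for idle /24s receiving UDP above threshold, highest first.

    These are the candidates to ask the upstream to discard silently, i.e. a
    discard route with no ICMP unreachable sent back toward the source.
    """
    rates = udp_mbps_by_dst24(flows, window_s)
    hits = [(net, mbps) for net, mbps in rates.items()
            if mbps >= threshold_mbps
            and classify_dst(net.network_address) == "unused"]
    return sorted(hits, key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    for net, mbps in unused_space_targets(parse_flows(SAMPLE_FLOWS)):
        print(f"{net}  {mbps:.1f} Mbps UDP -> candidate for upstream discard")
```

On the constructed records this reports 5.1.110.0/24 at 300 Mbps and 185.51.223.0/24 at 50 Mbps, while the in-use /24, the TCP flow, the 1 Mbps trickle and the flow to an address outside the announced space are all left out. Keeping the in-use list explicit matters: a discard on a /24 that quietly carries something is an outage you caused yourself, which is why the per-/24 list, not the whole /21 or /22, is what goes to the upstream.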