DDoS attack

Mon Dec 9 21:04:41 UTC 2019

On Mon, Dec 9, 2019 at 3:42 PM Michael Sherlock
<michael.sherlock at hrins.net> wrote:
>
> Cristopher,
>
> Ip addresses that are not currently in use, and IP addresses that is currently used for CGNAT for end users
>

I'm 100% sure that those words mean something to you.. but not
operating your network they don't mean anything to me.

>
> Regards,
>
> Michael Sherlock
> Mobile: +44 75070 92392
>
> Sent from my iPhone
>
> On Dec 9, 2019, at 8:36 PM, "ahmed.dalaali at hrins.net" <ahmed.dalaali at hrins.net> wrote:
>
> 
>
> Begin forwarded message:
>
> From: Christopher Morrow <morrowc.lists at gmail.com>
> Subject: Re: DDoS attack
> Date: December 9, 2019 at 11:11:31 PM GMT+3
> To: "ahmed.dalaali at hrins.net" <ahmed.dalaali at hrins.net>
> Cc: nanog list <nanog at nanog.org>
>
> I'd note that: "what prefixes?" isn't answered here... like: "what is
> the thing on your network which is being attacked?"
>
> On Mon, Dec 9, 2019 at 3:08 PM ahmed.dalaali at hrins.net
> <ahmed.dalaali at hrins.net> wrote:
>
>
> Dear All,
>
> My network is being flooded with UDP packets, Denial of Service attack, soucing from Cloud flare and Google IP Addresses, with 200-300 mbps minimum traffic, the destination in my network are IP prefixes that is currnetly not used but still getting traffic with high volume.
> The traffic is being generated with high intervals between 10-30 Minutes for each time, maxing to 800 mbps
> When reached out cloudflare support, they mentioned that there services are running on Nat so they can’t pin out which server is attacking based on ip address alone, as a single IP has more than 5000 server behind it, providing 1 source IP and UDP source port, didn’t help either
> Any suggestions?
>
> Regards,
> Ahmed Dala Ali
>
>