Re: UDP Amplification DDoS - Help!

[mike.lyon () gmail com]

Oodles of devices downstream of the 1G? Does the 1G terminate into a router or firewall?

Sounds like there is a compromised host downstream of the 1G that is reporting back it's source IP and that is why 
changing the IP doesn't help.

If you look at the PAT table, any oddities?

Good luck!

-Mike

> On Feb 8, 2016, at 15:14, Mitch Dyer <mdyer () development-group net> wrote:
>
> Hello,
>
> Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly 
> helpful.
>
> A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing 
> multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and 
> DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated 
> with a specific site, if we change the PAT address for the site, the attack targets the new address at the next 
> occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request 
> originate within the network but that does not appear to be the case.
>
> We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.
>
> I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this 
> or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
>
> Thanks in advance for any insight.
>
> Mitch