Re: DDoS attack

[Christopher Morrow <morrowc.lists () gmail com>]

On Mon, Dec 9, 2019 at 3:42 PM Michael Sherlock
<michael.sherlock () hrins net> wrote:
> Cristopher,
>
> Ip addresses that are not currently in use, and IP addresses that is currently used for CGNAT for end users

I'm 100% sure that those words mean something to you.. but not
operating your network they don't mean anything to me.


> Regards,
>
> Michael Sherlock
> Mobile: +44 75070 92392
>
> Sent from my iPhone
>
> On Dec 9, 2019, at 8:36 PM, "ahmed.dalaali () hrins net" <ahmed.dalaali () hrins net> wrote:
>
> 
>
> Begin forwarded message:
>
> From: Christopher Morrow <morrowc.lists () gmail com>
> Subject: Re: DDoS attack
> Date: December 9, 2019 at 11:11:31 PM GMT+3
> To: "ahmed.dalaali () hrins net" <ahmed.dalaali () hrins net>
> Cc: nanog list <nanog () nanog org>
>
> I'd note that: "what prefixes?" isn't answered here... like: "what is
> the thing on your network which is being attacked?"
>
> On Mon, Dec 9, 2019 at 3:08 PM ahmed.dalaali () hrins net
> <ahmed.dalaali () hrins net> wrote:
>
>
> Dear All,
>
> My network is being flooded with UDP packets, Denial of Service attack, soucing from Cloud flare and Google IP 
> Addresses, with 200-300 mbps minimum traffic, the destination in my network are IP prefixes that is currnetly not 
> used but still getting traffic with high volume.
> The traffic is being generated with high intervals between 10-30 Minutes for each time, maxing to 800 mbps
> When reached out cloudflare support, they mentioned that there services are running on Nat so they can’t pin out 
> which server is attacking based on ip address alone, as a single IP has more than 5000 server behind it, providing 1 
> source IP and UDP source port, didn’t help either
> Any suggestions?
>
> Regards,
> Ahmed Dala Ali