Flood

Hi,

Want to ask: what can we do to prevent flooding from the outside network? Recently we have been flooded by a 51 Mbps flood, a 50 Mbps flood, and today a 25 Mbps flood of UDP packets.

And yes, our network is down for 5 - 30 minutes. I suppose the attacker is happy :slight_smile:

Our upstream provider quickly blocks the source address, but it takes time too.

Is there anything that I can do to block this kind of thing? Because our upstream provider said that there is nothing they can do either; even they get flooded too sometimes.

I saw the www.astaro.com software/hardware, and it looks interesting. Any ideas?

NB: we have firewalls everywhere, Linux based (shorewall).

=======================================
napxxx@GW2.nap.xxxxxx> show log /var/tmp/sample | match 199.237.205.118
# May 27 15:02:52 xxx.xxx.xxx.xxx 199.237.205.118 53 4483 17 0x0 73 70 0x0 0x0
# May 27 15:02:52 xxx.xxx.xxx.xxx 199.237.205.118 53 4483 17 0x0 73 70 0x0 0x0
# May 27 15:02:52 xxx.xxx.xxx.xxx 199.237.205.118 53 4483 17 0x0 73 70 0x0 0x0
# May 27 15:02:52 xxx.xxx.xxx.xxx 199.237.205.118 53 4483 17 0x0 73 70 0x0 0x0
# May 27 15:02:52 xxx.xxx.xxx.xxx 199.237.205.118 53 4483 17 0x0 73 70 0x0 0x0
# May 27 15:02:52 xxx.xxx.xxx.xxx 199.237.205.118 53 4483 17 0x0 73 70 0x0 0x0
# May 27 15:02:53 xxx.xxx.xxx.xxx 199.237.205.118 53 4483 17 0x0 73 70 0x0 0x0
# May 27 15:02:53 xxx.xxx.xxx.xxx 199.237.205.118 53 4483 17 0x0 73 70 0x0 0x0
# May 27 15:02:53 xxx.xxx.xxx.xxx 199.237.205.118 53 4483 17 0x0 73 70 0x0 0x0
.
.
.
==================================

If the source IP is known and you have firewalls everywhere, why don't you set up a rule to block the offending IP?

If the IP changes, why don't you start blocking entire netblocks, starting with /24, then /16, even /8s, until they get the idea?

Null routing these netblocks might block some desired destinations, but that price might be less than the price of the downtime of the attacks.

If they are APNIC or RIPE offenders, shut down entire /8 netblocks. That will flush out a lot of troublemakers.

Since I don't know your topology, I can't really recommend hardware devices specifically, but there are devices that can be used to trigger an event that will at least let you catch it quickly.

Just wondering…