[j-nsp] netflow/Tracking DDoS

Eric Whitehill Eric.Whitehill at onvoy.com
Wed Apr 14 17:02:21 EDT 2004


G'day! 

Over the last couple of days, I've been attempting to track down a nasty little DDoS attack which has been occurring on and off against a customer of mine.  I'm mainly a Cisco guy, but the attacks the customer has been getting are increasing in size and amount, and I just can't put an ACL/netflow on any sort of Cisco (up to 20,000 pps, and filling an OC-3).

I have an idea of what /20 the attack is destined for, but I just can't prove it.  I'd be working on M10's, version 5.7R2.4. I was thinking of doing some sort of policy map, but I'm not sure enough on how to do it.  Should I attempt to do something through firewall?  I would like to figure out the destination for the attack, and what packets it is consisting of.  I have been able to do a rate limit on several of the major targets (ICMP, port 135 bombs, etc) from my C-brand routers, but nothing seems to catch it.  

I'm not very Juniper savvy yet (working my way there!) so any assistance would be helpful, and at the next NANOG I see you at, if it works, I'll buy you a beer.

-Eric 

--
Eric Whitehill - 44.58.39N, 93.15.56W
Onvoy - ericw at onvoy.com - ASN5006
"Out the Gig-E, through the router, down the OC-12's, over the leased line, off the bridge, past the firewall...nothing but Net." 


