[nsp-sec] Synflood to 194.109.147.174/32, if you have time, assistance appreciated.
Scott A. McIntyre
scott at xs4all.net
Tue Feb 3 12:39:07 EST 2009
Hello all,
For the last 3 weeks 194.109.147.174/32 has been under a series of
DDoS attacks. Starting with ack-floods it has since moved to 80/tcp
syn floods. The system *should* run a http server, so blocking 80/tcp
to that IP is not desirable. The attack has varied in strength but
tended to hover around the 20-50Mbit @ 150K to 170Kpps range.
Unfortunately the flows show a lot of spoofing on the source of the
traffic, and almost all of it is coming in on our peering connection
at AMS-IX, which makes tracking it further extremely difficult.
Example:
2009-02-03 17:05:59.724 38.109.64.109 59296 194.109.147.174 80
2009-02-03 17:05:27.485 208.211.93.109 59192 194.109.147.174 80
2009-02-03 17:05:13.497 4.98.125.110 21806 194.109.147.174 80
2009-02-03 17:05:52.849 120.195.180.112 27567 194.109.147.174 80
2009-02-03 17:05:27.071 91.73.198.113 1382 194.109.147.174 80
2009-02-03 17:06:03.173 123.212.78.114 35954 194.109.147.174 80
2009-02-03 17:05:26.840 172.112.230.114 1782 194.109.147.174 80
2009-02-03 17:05:20.887 187.129.212.115 29723 194.109.147.174 80
2009-02-03 17:05:16.048 67.227.238.115 59100 194.109.147.174 80
2009-02-03 17:05:20.561 9.224.141.116 30359 194.109.147.174 80
2009-02-03 17:05:45.616 137.61.237.116 12950 194.109.147.174 80
2009-02-03 17:06:02.097 139.24.234.117 4614 194.109.147.174 80
2009-02-03 17:05:16.222 24.127.22.119 56252 194.109.147.174 80
2009-02-03 17:05:12.393 19.190.122.120 61724 194.109.147.174 80
2009-02-03 17:05:35.036 222.242.194.123 30140 194.109.147.174 80
2009-02-03 17:05:49.793 68.107.189.124 16736 194.109.147.174 80
If you had a minute and were part of a network with a presence at AMS-IX,
and you peer with 3265, I'd certainly appreciate it if you could
check your flows or even better, do some egress filtering. ;-) (And
if I'm missing some simple and cunning way to get JunOS 7 to tell me
which peer is spewing this crap at me, I'd love that advice too!)
Thanks in advance for any assistance you can provide!
Scott A. McIntyre
XS4ALL Internet B.V.
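An added example, not part of Scott's post: it parses twelve of the flow records quoted above and measures the pattern he describes, one destination port receiving flows from many source addresses that each appear only once, which is the usual fingerprint of randomly spoofed sources. The thresholds and function names are my own choices.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Twelve of the flow records quoted in the post: date, time, src, sport, dst, dport.
FLOWS = """\
2009-02-03 17:05:59.724 38.109.64.109 59296 194.109.147.174 80
2009-02-03 17:05:27.485 208.211.93.109 59192 194.109.147.174 80
2009-02-03 17:05:13.497 4.98.125.110 21806 194.109.147.174 80
2009-02-03 17:05:52.849 120.195.180.112 27567 194.109.147.174 80
2009-02-03 17:05:27.071 91.73.198.113 1382 194.109.147.174 80
2009-02-03 17:06:03.173 123.212.78.114 35954 194.109.147.174 80
2009-02-03 17:05:26.840 172.112.230.114 1782 194.109.147.174 80
2009-02-03 17:05:20.887 187.129.212.115 29723 194.109.147.174 80
2009-02-03 17:05:16.048 67.227.238.115 59100 194.109.147.174 80
2009-02-03 17:05:20.561 9.224.141.116 30359 194.109.147.174 80
2009-02-03 17:05:45.616 137.61.237.116 12950 194.109.147.174 80
2009-02-03 17:06:02.097 139.24.234.117 4614 194.109.147.174 80
"""

def parse_flows(text):
    """Parse 'date time src sport dst dport' lines into tuples."""
    recs = []
    for line in filter(None, text.splitlines()):
        date, time, src, sport, dst, dport = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")
        recs.append((ts, src, int(sport), dst, int(dport)))
    return recs

def flood_report(recs, min_sources=10, min_singleton_ratio=0.9):
    """Per destination ip:port: flow count, distinct sources, and the share of
    sources seen exactly once. Randomly spoofed floods score near 1.0; real
    clients repeat (retries, keep-alive, several objects per page)."""
    by_target = defaultdict(list)
    for ts, src, _sport, dst, dport in recs:
        by_target[(dst, dport)].append((ts, src))
    report = {}
    for target, rows in by_target.items():
        srcs = Counter(src for _, src in rows)
        ratio = sum(1 for n in srcs.values() if n == 1) / len(srcs)
        times = [ts for ts, _ in rows]
        report[target] = {
            "flows": len(rows),
            "distinct_sources": len(srcs),
            "singleton_ratio": ratio,
            "window_seconds": (max(times) - min(times)).total_seconds(),
            "suspect": len(srcs) >= min_sources and ratio >= min_singleton_ratio,
        }
    return report
```

On a real collector the same counters would be computed per sampling interval; a sustained singleton ratio near 1.0 toward one port is the signal to hand to upstream peers when asking them to check their flows.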