[nsp-sec] Long lasting DDoS against us (158.38.130.17). Got flows?
Rune Sydskjør
rune.sydskjor at uninett.no
Wed Mar 25 09:58:30 EDT 2009
We've had a DDoS against one of our web-servers for a long time now.
This has been ongoing for several months, even though we have filtered
most of it on our edge. Our edge router is dropping between 10-15k pps.
The server is running fine and dropping the rest of what's left of the
attack, so this is not bothering us other than it is filling up logs etc.
We thought that this attack would end after a while, but now our
patience has ended. :-)
destination 158.38.130.17
tcp with ack flag
no payload
to and from ports all over the place
The source addresses are probably forged, but can anyone see packets
against 158.38.130.17?
We would appreciate any help in stopping this attack.
A small sample output from tcpdump:
14:21:10.279683 IP 122.232.48.84.45849 > 158.38.130.17.656: . ack 0 win 65535
14:21:10.280746 IP 60.182.63.93.43158 > 158.38.130.17.799: . ack 0 win 65535
14:21:10.281045 IP 114.28.238.29.55976 > 158.38.130.17.81: . ack 0 win 65535
14:21:10.281855 IP 114.225.17.90.826 > 158.38.130.17.8230: . ack 0 win 65535
14:21:10.285505 IP 115.152.228.26.254 > 158.38.130.17.55692: . ack 0 win 65535
14:21:10.288933 IP 123.76.4.18.912 > 158.38.130.17.1403: . ack 0 win 65535
14:21:10.299092 IP 115.236.161.18.27263 > 158.38.130.17.460: . ack 0 win 65535
14:21:10.299878 IP 58.52.46.140.587 > 158.38.130.17.49804: . ack 0 win 65535
14:21:10.318929 IP 123.160.244.36.976 > 158.38.130.17.58324: . ack 0 win 65535
14:21:10.330201 IP 117.116.167.235.140 > 158.38.130.17.49516: . ack 0 win 65535
14:21:10.332513 IP 120.67.125.40.6123 > 158.38.130.17.1021: . ack 0 win 65535
14:21:10.336977 IP 122.156.240.168.23035 > 158.38.130.17.150: . ack 0 win 65535
14:21:10.338557 IP 118.71.95.110.64406 > 158.38.130.17.576: . ack 0 win 65535
14:21:10.356412 IP 122.64.75.187.13777 > 158.38.130.17.122: . ack 0 win 65535
Regards,
Rune Sydskjør, UNINETT
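
Added example, not part of the original message: a small Python filter that picks the pattern described above (bare ACK, no payload, ack 0, win 65535, to one destination) out of tcpdump text output and summarizes it. The function names, the sample lines and the documentation-range addresses are constructed for illustration.

```python
import re

# Old-style tcpdump text output, the format of the sample in the message:
#   HH:MM:SS.usec IP src.sport > dst.dport: FLAGS [first:last(len)] ack N win W
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(\S+) (?:\d+:\d+\((\d+)\) )?ack (\d+) win (\d+)"
)

def parse(line):
    """Return a dict for one line, or None if it is not a TCP line with an ack field."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, _sport, dst, dport, flags, length, ack, win = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
            "dst": dst, "dport": int(dport), "flags": flags,
            "len": int(length or 0), "ack": int(ack), "win": int(win)}

def is_flood(p, target):
    """Pattern from the message: bare ACK, no payload, ack 0, win 65535, to the target."""
    return (p["dst"] == target and p["flags"] == "." and p["len"] == 0
            and p["ack"] == 0 and p["win"] == 65535)

def summarize(lines, target):
    """Count matching packets, distinct sources and ports, and a rough packet rate."""
    pkts = [p for p in map(parse, lines) if p and is_flood(p, target)]
    times = [p["t"] for p in pkts]
    span = max(times) - min(times) if pkts else 0
    return {"packets": len(pkts),
            "sources": len({p["src"] for p in pkts}),
            "dst_ports": len({p["dport"] for p in pkts}),
            "pps": round(len(pkts) / span) if span > 0 else None}

# Constructed sample (documentation address ranges), not traffic from the message.
SAMPLE = """\
14:21:10.000000 IP 198.51.100.7.45849 > 192.0.2.17.656: . ack 0 win 65535
14:21:10.100000 IP 203.0.113.9.43158 > 192.0.2.17.799: . ack 0 win 65535
14:21:10.200000 IP 198.51.100.200.826 > 192.0.2.17.8230: . ack 0 win 65535
14:21:10.250000 IP 203.0.113.44.51000 > 192.0.2.17.80: P 1:301(300) ack 1 win 5840
14:21:10.300000 IP 203.0.113.44.51000 > 192.0.2.17.80: . ack 1449 win 8688
14:21:10.400000 IP 198.51.100.31.912 > 192.0.2.17.1403: . ack 0 win 65535
14:21:10.500000 IP 198.51.100.7.254 > 192.0.2.99.443: . ack 0 win 65535
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.0.2.17"))
```

The two lines from the established session on port 80 are left out of the count because they carry data or a non-zero ack number, so the summary covers only the flood pattern.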