Morning all
Having a small issue this morning - we are still able to work so at this point this is not an emergency, however we are currently receiving some sort of DDoS attack against our DNS servers.
Our DNS servers are public and in our DMZ. We have DNAT rules allowing DNS traffic.
The traffic is coming from only two sources.
The first source 209.205.73.131 (zz20920567131.clear-ddos.com)
The second source 72.8.190.97 (doesn't resolve for us)
Going to the clear-ddos.com domain I see it is advertising an ANTI-DDoS service of all things. So this seems to be an obvious scam (but who knows)
At any rate - I have tried to filter this traffic with no luck. I have created a firewall rule and put it in the #1 spot to DROP all traffic from these two sources. However, when viewing the live log I continue to see accepted traffic from these two domains.
I have gone in under NAT and created a DNAT rule as well and put that in the #1 spot to block all DNS traffic from these sources. However, when viewing the live log I continue to see accepted traffic from these two domains.
I have called tech support and they suggested creating a blackhole route, which I did. However, when viewing the live log I continue to see accepted traffic from these two domains.
So I guess the question is, how are you going about blocking offending traffic? I'm obviously not doing it right...
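One way to check whether a drop rule is actually taking effect is to tally accepted versus dropped packets per source in the firewall log and record which rule id admitted any packets that got through. This is an added example, not the poster's or any vendor's code; the key=value log format, the rule ids and the destination addresses are constructed for the sample.

```python
import re

# Constructed sample firewall log lines (not from the original post). The format is an
# assumption: one key="value" line per packet with the action taken and the rule that matched.
SAMPLE_LOG = """\
action="accept" fwrule="60001" srcip="209.205.73.131" dstip="203.0.113.53" dstport="53" proto="17"
action="drop" fwrule="1" srcip="72.8.190.97" dstip="203.0.113.53" dstport="53" proto="17"
action="accept" fwrule="60001" srcip="209.205.73.131" dstip="203.0.113.53" dstport="53" proto="17"
action="accept" fwrule="5" srcip="198.51.100.7" dstip="203.0.113.53" dstport="53" proto="17"
action="drop" fwrule="1" srcip="72.8.190.97" dstip="203.0.113.53" dstport="53" proto="17"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def block_effectiveness(log_text, blocked_sources):
    """For each source we intend to block, count accepted and dropped packets and
    collect the ids of the rules that let packets through. Returns {src: {...}}."""
    report = {src: {"accepted": 0, "dropped": 0, "leak_rules": set()} for src in blocked_sources}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        src = rec.get("srcip")
        if src not in report:
            continue  # not one of the sources we are checking
        if rec.get("action") == "accept":
            report[src]["accepted"] += 1
            report[src]["leak_rules"].add(rec.get("fwrule", "?"))
        elif rec.get("action") == "drop":
            report[src]["dropped"] += 1
    return report


def leaking_sources(report):
    """Sources that still show accepted packets despite the block rule."""
    return sorted(src for src, r in report.items() if r["accepted"] > 0)


if __name__ == "__main__":
    rep = block_effectiveness(SAMPLE_LOG, ["209.205.73.131", "72.8.190.97"])
    for src, r in rep.items():
        print(f"{src}: accepted={r['accepted']} dropped={r['dropped']} "
              f"via rules={sorted(r['leak_rules'])}")
    print("still leaking:", leaking_sources(rep))
```

The rule id on the accepted lines is the one matched before the manual drop rule, which is the rule whose position in the evaluation order needs checking.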