ISP ddos mitigation

Hello -

I am hoping to get some confirmation of what I believe to be a ddos attack and possible mitigation strategy.

I am a Network Admin with a small ISP. Occasionally (maybe once per month) I will see a sudden spike in overall bandwidth usage, for instance a sudden jump by 2, 3, or 4 Gig. During peak usage we are typically < 10G. These typically last 15-30 minutes then disappear and have never appeared to have an adverse effect on customer experience. I usually discover these after they occur. I recently caught one as it was happening, did some packet capture, and identified a single customer endpoint where the vast majority of traffic was going. In the capture I saw an extremely high rate of "Fragmented IP Protocol UDP 17" packets coming from many IP sources, all unacknowledged by the customer device (all one-way traffic).

In an attempt to mitigate this I first locked the customer's Ethernet port at their endpoint, but as expected this did not affect traffic. I next cleared their IP lease from our core router. This caused the core router to become unresponsive; I was unable to CLI into the device and traffic monitors showed network traffic completely dropped out. This behavior lasted about 15 minutes, at which point everything returned to normal.

I am now assuming that by clearing the IP lease from the core router the ddos traffic incoming had no destination and in some way "overwhelmed" the core router, causing the unresponsiveness and complete drop in traffic.  I am also assuming that the return to normal behavior was probably only due to the ddos traffic coming to an end.

Does this sound like a reasonable assessment, and any thoughts on mitigating something like this?

Thank you.
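As an added example (not from the original post), the pattern described above, a flood of fragmented UDP from many sources toward one customer address with almost no return traffic, can be picked out of per-flow records before it is noticed on the bandwidth graph. The flow records, addresses and thresholds below are constructed assumptions, not real data from this ISP.

```python
from collections import defaultdict

# Constructed sample flow records for one 1-minute window (not captured traffic).
# Fields: src_ip dst_ip ip_proto fragmented(0/1) bytes_to_dst bytes_from_dst
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# remote hosts; 192.0.2.10 stands in for the flooded customer endpoint.
SAMPLE_FLOWS = """\
203.0.113.5   192.0.2.10 17 1 900000 0
203.0.113.6   192.0.2.10 17 1 900000 0
203.0.113.7   192.0.2.10 17 1 900000 0
203.0.113.8   192.0.2.10 17 1 900000 0
203.0.113.9   192.0.2.10 17 1 900000 0
203.0.113.10  192.0.2.10 17 1 900000 0
198.51.100.21 192.0.2.10 6  0 20000  15000
198.51.100.20 192.0.2.11 6  0 500000 400000
198.51.100.30 192.0.2.12 17 0 300000 250000
198.51.100.31 192.0.2.12 17 0 300000 250000
198.51.100.32 192.0.2.12 17 0 300000 250000
198.51.100.33 192.0.2.12 17 0 300000 250000
198.51.100.34 192.0.2.12 17 0 300000 250000
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts; skips blanks and # comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, frag, b_in, b_out = line.split()
        flows.append({"src": src, "dst": dst, "proto": int(proto), "fragmented": frag == "1",
                      "bytes_in": int(b_in), "bytes_out": int(b_out)})
    return flows


def find_flood_targets(flows, min_bytes=1_000_000, min_sources=5,
                       min_frag_share=0.8, max_reply_ratio=0.01):
    """Return destinations whose inbound bytes are mostly fragmented UDP, come from
    many distinct sources, and get almost nothing back (one-way traffic)."""
    per_dst = defaultdict(lambda: {"sources": set(), "bytes_in": 0, "bytes_out": 0, "frag_udp": 0})
    for f in flows:
        d = per_dst[f["dst"]]
        d["sources"].add(f["src"])
        d["bytes_in"] += f["bytes_in"]
        d["bytes_out"] += f["bytes_out"]
        if f["proto"] == 17 and f["fragmented"]:  # IP protocol 17 is UDP
            d["frag_udp"] += f["bytes_in"]
    hits = {}
    for dst, d in per_dst.items():
        if d["bytes_in"] < min_bytes:  # ignore low-volume destinations (thresholds are assumptions)
            continue
        frag_share = d["frag_udp"] / d["bytes_in"]
        reply_ratio = d["bytes_out"] / d["bytes_in"]
        if len(d["sources"]) >= min_sources and frag_share >= min_frag_share and reply_ratio <= max_reply_ratio:
            hits[dst] = {"sources": len(d["sources"]), "frag_share": round(frag_share, 3),
                         "reply_ratio": round(reply_ratio, 4)}
    return hits
```

Only 192.0.2.10 is flagged; the unfragmented UDP toward 192.0.2.12 is answered and therefore treated as ordinary traffic.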
