Hi all
Many thanks for the many inputs we got on- and off-list!
Although it didn't help to find the source of the attacks, it was - besides the support from our upstreams - very helpful to mitigate the (always changing) floods.
It has been quiet for a few days now, and we hope it stays that way...
Regards, Patrick
At 07:02 08.08.2013, Jeroen Massar wrote:
On 2013-08-07 21:45, ZUGERNET NOC wrote: [..]
If someone of you can give me a hint on how to track down WHO is causing this, I would really appreciate any help, however small it may be. I know that technically such attacks are not trackable - but what I mean is more: if someone can share some "underground knowledge" with me to possibly find out which bot-net is used (under the control of whom etc.; we can share some netflow capture with a huge amount of source IP addresses) and possibly has "underground contacts" to find out more about them...?
Instead of looking at the sources, which tend to be spoofed, check what the destination is; typically it will show what the attacker wants to take off the Internet, and likely it is something that you did not want on your network anyway. Of course, if they are smart they are hitting your core network instead, so that you are overloaded everywhere...
To avoid affecting your other customers, make sure you and your upstreams implement BCP-38 properly and possibly, depending on the target, ask your upstream to null-route the target; that way the traffic does not affect your other customers.
NetFlow, by the way, will not be very useful: it might show some pattern, but without a pcap there will be little to say about which botnet it is.
Greets, Jeroen
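The advice above (ignore the spoofed sources, aggregate by destination to find the target, then null-route it upstream) can be scripted against a flow export. The script below is an added example written for this page; it is not code from either poster. It assumes flow records have already been exported to a simple CSV form (src, dst, dst_port, packets, bytes), uses a few constructed sample records in RFC 5737 documentation space as stand-ins for public addresses, and treats private, loopback, link-local and benchmarking source ranges as "bogon" sources whose presence shows that BCP-38 filtering is missing somewhere on the path.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the thread). Each line:
# src_ip,dst_ip,dst_port,packets,bytes. The 203.0.113.x / 192.0.2.x sources
# stand in for ordinary public addresses; 10.0.0.5 and 198.18.0.4 are
# addresses that should never reach a transit link as sources.
SAMPLE_FLOWS = """\
203.0.113.7,198.51.100.10,80,1200,96000
10.0.0.5,198.51.100.10,80,1500,120000
192.0.2.99,198.51.100.10,80,1300,104000
203.0.113.8,198.51.100.10,80,1100,88000
198.18.0.4,198.51.100.10,80,1400,112000
203.0.113.9,198.51.100.22,443,20,24000
203.0.113.7,198.51.100.22,443,15,18000
"""

# Source ranges that cannot legitimately originate Internet traffic. The RFC 5737
# documentation nets are deliberately left out here only because the sample
# above uses them as placeholders for public space; in production add them too.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_flows(text):
    """Parse the CSV form above into a list of dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, pkts, byts = line.split(",")
        flows.append({"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                      "dport": int(dport), "packets": int(pkts), "bytes": int(byts)})
    return flows


def is_bogon(addr):
    return any(addr in net for net in BOGON_NETS)


def targets_by_volume(flows):
    """Aggregate per destination: bytes, packets, distinct sources, bogon sources,
    destination ports. Returns (dst, stats) pairs sorted by bytes, largest first."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set(),
                                 "bogon_sources": set(), "ports": set()})
    for f in flows:
        s = stats[f["dst"]]
        s["bytes"] += f["bytes"]
        s["packets"] += f["packets"]
        s["sources"].add(f["src"])
        s["ports"].add(f["dport"])
        if is_bogon(f["src"]):
            s["bogon_sources"].add(f["src"])
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


def likely_target(flows, min_share=0.5):
    """The destination drawing at least min_share of all bytes, or None if the
    traffic is spread out (which would hint at an attack on the core rather than
    on one host)."""
    total = sum(f["bytes"] for f in flows)
    ranked = targets_by_volume(flows)
    if ranked and total and ranked[0][1]["bytes"] / total >= min_share:
        return ranked[0][0]
    return None


def null_route_lines(target):
    """The discard routes to ask the upstream for: standard Cisco IOS and Linux
    iproute2 syntax for a /32 blackhole."""
    return {
        "ios": f"ip route {target} 255.255.255.255 Null0",
        "linux": f"ip route add blackhole {target}/32",
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, s in targets_by_volume(flows):
        print(f"{dst}: {s['bytes']} bytes, {s['packets']} pkts, "
              f"{len(s['sources'])} sources ({len(s['bogon_sources'])} bogon), "
              f"ports {sorted(s['ports'])}")
    target = likely_target(flows)
    if target is not None:
        print("likely target:", target)
        for vendor, line in null_route_lines(target).items():
            print(f"  {vendor}: {line}")
```

The bogon count is the cheap sanity check: if sources that can never exist on the Internet appear in the flows, the source addresses are being spoofed and no amount of flow analysis will identify the botnet, which is the point made about NetFlow in the reply above.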