On 2013-08-07 21:45, ZUGERNET NOC wrote: [..]
If someone of you can give me a hint on how to track down, WHO is causing this, I would really appreciate any help and may it be very small. I know, that technically such attacks are not trackable - but what I mean is more: if someone can share some "underground knowledge" with me to possibly finding out which bot-net is used (under the control of whom etc; we can share some netflow capture with a huge amount of source-ip-addresses) and possibly has "underground-contacts" to find out more about them...?
Instead of looking at the sources, which tend to be spoofed, check what the destination is. Typically it will show what the attacker wants to disable from the Internet, and likely it is something that you did not want on your network. Of course, if they are smart they are hitting your core network instead so that you are overloaded everywhere...
To avoid affecting your other customers, make sure you and your upstreams implement BCP-38 properly and possibly, depending on the target, ask your upstream to null-route the target, that way the traffic does not affect your other customers.
NetFlow btw will not be very useful; it might show some pattern, but without a pcap there will be little to state about what botnet it is.
Greets, Jeroen
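An added illustration of the advice above (not code from the thread or from either poster): aggregate flow records by destination instead of by the spoofable source, so the target that the traffic is trying to take offline stands out, and list sources that claim your own prefix, which BCP-38 ingress filtering at the upstream border would drop. The CSV layout, the addresses (documentation ranges) and the assumption that the records were collected on the upstream-facing interface are all constructed for this example.

```python
"""Find the DDoS target in flow records by ranking destinations (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in a simplified export: src,dst,proto,bytes,packets.
# Addresses are from documentation ranges; 198.51.100.0/24 plays the local prefix.
SAMPLE_FLOWS = """\
203.0.113.5,198.51.100.10,17,1200,8
203.0.113.77,198.51.100.10,17,1200,8
192.0.2.9,198.51.100.10,17,1300,9
198.51.100.200,198.51.100.10,17,1100,7
203.0.113.5,198.51.100.10,6,900,6
192.0.2.44,198.51.100.25,6,4000,30
192.0.2.44,198.51.100.25,6,4200,31
198.51.100.200,198.51.100.60,6,800,5
"""

def parse_flows(text):
    """Parse the constructed CSV into (src, dst, proto, bytes, packets) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, nbytes, pkts = line.split(",")
        flows.append((src, dst, int(proto), int(nbytes), int(pkts)))
    return flows

def rank_destinations(flows, local_prefix):
    """Per local destination: distinct sources, bytes, packets; most sources first.
    Source counts are unreliable individually (spoofing) but the destination is stable."""
    local = ip_network(local_prefix)
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for src, dst, _proto, nbytes, pkts in flows:
        if ip_address(dst) not in local:
            continue
        stats[dst]["bytes"] += nbytes
        stats[dst]["packets"] += pkts
        stats[dst]["sources"].add(src)
    ranked = sorted(stats.items(),
                    key=lambda kv: (len(kv[1]["sources"]), kv[1]["packets"]), reverse=True)
    return [(dst, len(s["sources"]), s["bytes"], s["packets"]) for dst, s in ranked]

def likely_target(flows, local_prefix, min_sources=3):
    """The destination hit by the most distinct sources, or None below the threshold."""
    ranked = rank_destinations(flows, local_prefix)
    return ranked[0][0] if ranked and ranked[0][1] >= min_sources else None

def spoofed_local_sources(flows, local_prefix):
    """Sources claiming the local prefix on the upstream-facing interface (assumed
    capture point): exactly what a BCP-38 ingress filter at the border would drop."""
    local = ip_network(local_prefix)
    return sorted({src for src, *_ in flows if ip_address(src) in local})
```

The null-route candidate is the destination returned by likely_target; the spoofed-source list is a quick check of whether the upstream is filtering as the message recommends.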