I’ve been searching around on the forums and haven’t found what I’m looking for. It seems like most of the attacks reported are small amounts of bandwidth from 1000s of sources or a little bit of traffic that consumes CPU cycles.
I’m seeing large chunks of bandwidth, much bigger than any plan we offer currently, coming from a handful of source IPs that aren’t always the same but are consistent throughout the duration of any particular attack instance. My CCR is not having any system resource issues when this occurs. When it happens all my internal LAN traffic gets cut to 5-10% of normal and WAN traffic is maxing my fiber pipe out. I should have screenshotted the data in torch since it didn’t really show up in netflow data correctly, but I’ll see for example 77Mbps coming from one IP in China, 65Mbps coming from another, 46Mbps from one in Thailand, 44Mbps from one in Germany, etc. and it maxes out the pipe until I add the IPs manually to a DDoS address list that drops the traffic or I wait the attack out. I’d like to automate this process since it’s becoming more common. I’d like to create a rule that if X IP generates 50+ MBps for more than 5 sec, then add it to the DDoS list. Any ideas?
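The detection logic the post is asking for (a source that stays above a bandwidth threshold for a sustained number of seconds gets added to a drop list), worked through as an added example; this is not code from the original post or from MikroTik. It assumes you already have per-second byte counters per source address from some collector (torch, traffic-flow/netflow, or a sniffer export), represented here as constructed sample records; the threshold (50 Mbps) and hold time (5 seconds) are the poster's figures, and the address-list name `ddos` and the `1h` timeout are assumptions. It only prints the RouterOS `/ip firewall address-list add` commands it would run; wiring it to a live feed and to the router's API is left to the reader.

```python
from collections import defaultdict

THRESHOLD_BPS = 50_000_000   # 50 Mbps, the figure from the post
SUSTAIN_SECONDS = 5          # must stay above threshold this many consecutive seconds


def _burst(src, start, seconds, mbps):
    """Constructed helper: one (timestamp, src, bytes) record per second at a flat rate."""
    return [(start + i, src, mbps * 1_000_000 // 8) for i in range(seconds)]


# Constructed sample input (TEST-NET-2 addresses), modelled on the rates in the post.
SAMPLE_RECORDS = (
    _burst("198.51.100.10", 0, 8, 77)    # 77 Mbps for 8 s  -> should be listed
    + _burst("198.51.100.20", 0, 8, 46)  # 46 Mbps, under threshold -> ignored
    + _burst("198.51.100.30", 2, 3, 90)  # 90 Mbps but only 3 s -> ignored
    + _burst("198.51.100.40", 1, 6, 65)  # 65 Mbps for 6 s  -> should be listed
)


def per_second_bytes(records):
    """Bucket bytes per source address per whole second."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, nbytes in records:
        buckets[src][int(ts)] += nbytes
    return buckets


def find_offenders(records, threshold_bps=THRESHOLD_BPS, sustain=SUSTAIN_SECONDS):
    """Return {src: second} for sources that exceeded threshold_bps for `sustain`
    consecutive seconds; the value is the second at which the hold time was reached.
    Seconds with no record count as zero traffic, which resets the run."""
    offenders = {}
    for src, secs in per_second_bytes(records).items():
        run = 0
        for sec in range(min(secs), max(secs) + 1):
            bps = secs.get(sec, 0) * 8
            run = run + 1 if bps >= threshold_bps else 0
            if run >= sustain:
                offenders[src] = sec
                break
    return offenders


def address_list_commands(offenders, list_name="ddos", timeout="1h"):
    """Render the RouterOS commands that would add each offender to the drop list.
    list_name and timeout are assumptions; the poster's actual list name may differ."""
    return [
        f"/ip firewall address-list add list={list_name} address={src} timeout={timeout}"
        for src in sorted(offenders)
    ]


if __name__ == "__main__":
    for cmd in address_list_commands(find_offenders(SAMPLE_RECORDS)):
        print(cmd)
```

The timeout matters: an entry that never expires keeps dropping a source after the attack ends, and the sources here are described as changing between instances, so a bounded timeout with re-detection is the safer default. Run against real counters, the byte values should come from the same counter the router's drop rule sees, otherwise the threshold is measured on one thing and enforced on another.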