Need help deciphering logs, potential attack?

About a week ago, I lost connectivity at my core. My core router became virtually inaccessible. I could only log on remotely for a couple of seconds before I would get kicked. Once I got onsite, it was still the same way. I could log in for just a couple of seconds before I would get booted.
I could not create a support file. The only tidbits of info I retrieved is that the cpu was at 100% and I took a screenshot of the log.
I also noticed the wan port of my RB1100 was totally saturated, even though the traffic was going nowhere.

I rebooted the RB1100 and as soon as it came back up the same thing happened. I unplugged the wan port and the router was accessible again. I replugged the wan port and the issue would happen again. I took my ip off the wan port and my router then stayed functional. When I torched the wan port, I saw that the bulk of the traffic was coming from quite a few different ip’s but I did not get a screenshot.

I rebooted the router once again along with the fiber converter that’s in between my RB1100 and the fiber connection from my isp.

When it came back up the last time, things were back to normal.

I attached the screenshot of my log and the only thing it shows is a BFD error? Does that tell a person anything?

Is there a way to tell if the traffic was from an attack? Could a faulty network component cause the issue I was having. My isp said they did see my traffic spike through their network when the issue happened so it wasn’t some false reading that I was getting.

It sounds like you got DDoS’ed hard.

The BFD problems were due to the CPU going 100% constantly and not being able to keep up with BFD updates, and the OSPF peer went down as well because of the BFD fails. But the BFD failed only because of the DDoS.

It was maxing out the gigabit port on my router. Didn’t realize a DDOS attack could generate that kind of traffic.

Dang, what are some steps a person can take to combat a DDOS attack?

Not much really. You can get a more powerfull router to deal with the DDoS CPU wise, so your router doesnt actually die under attack. (which would prevent BDF and OSPF flapping as well)

But if the attack was maxing your upstream connectivity, it would still have a negative impact on your customers. Sadly, there is not much you can do. DDoS attacks have took down even the most major sites recently (LulzSec took down quite a few US gov sites even)

hah well congrats I remember my first ddos attack oh those were the days

synfloods are difficult, if there spoofed which appears to be half open connections from thousands of thousands
there designed to consume your resources, look up the forums on some synflood filter rules, BUT BEWARE, creating these rules them selfs to drop the packets IT SELF will use up cpu resources.

so the idea is to for eg, if your natting try lower the connection tracking connections lower, obviously this can effect services, think carefully about that it .

if your routing well, if you keep getting these your gona have to get a more powerful box, or some kind of
clever BGP / ospf load balancing, over to another router, so that when a link is saturated make it shift over to a different cost link/router, or perhaps VRRP.

You can keep your network live if you can spread the “CPU” resources though multiple routers

As for the throughput, if you think you have enough resources you can try filter it, but you cant stop incoming traffic
unless you have further control of the upstream router and filter it also there.

End all its very difficult to stop, Try take note if the attacker was DST the IP of the ROUTER it self OR a Customer?
DDOS attacks are very commonly within the IRC community, perhaps you have a customer who chats on IRC, with a bit of a smart mouth, and someone tought him a lession.

Or the attacker knew your shit cant handle his wrath and he targeted the core router…

Also it might be time to start putting some kinda priority on your routing protocols.. thats if the Router can handle the resources.