Network Under Attack. (DDoS)

Hi all.

Over the last two months we have noticed an increase in attacks against our network. Now it's very strange how they occur.
Suddenly a customer's IP address is flooded with 1000s of incoming connections each doing 1-30 Mbit, well beyond the capabilities of the customer's link, but the connections come in and hit our border router and fill up all our upstream provider links. In total 500 Mbit of traffic out of thin air.

I have tried to use the firewall to temporarily 'block' the customer's IP address, but that does not stop the traffic.
I have only been able to stop the attack by temporarily disabling the advertisements of the affected /23 IP pool (that's how we advertise them).
Once it's been disabled for about 5 minutes I re-enable it, as the attack has stopped.

This time the attack came from IPs that are in the same /8, but that's not narrowing it down at all.
Generally they come from totally different IPs; sometimes they are DNS connections, other times, like this one, they are UDP connections.


How can I suppress / stop such attacks on a Mikrotik router without having to drop the BGP session to that IP pool?

Is this not suitable for you?
http://wiki.mikrotik.com/wiki/DoS_attack_protection

Portscan your customer being attacked. They probably have an IRC server running or something like that without their knowledge. You'll do everyone a favor by identifying it and having them clean it up.

The attacks are all DNS ones.

Basically getting 100000s of DNS queries to our customers' IPs randomly.
Lasts about 10 minutes.

Use a null route on border routers rather than a firewall rule: /ip route add distance=1 dst-address=N.N.N.N/32 type=blackhole

Contact your transit provider and see if they have a BGP blackhole (null route) community; you can then advertise the /32 customer IP with that community and that should stop ingress traffic.

Curious that the IPs attacking you were from the same /8, possibly a large DDoS net but partitioned so only hosts in that /8 were used.
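The two replies above (the local blackhole route and the transit provider's blackhole community) are the usual way out of exactly this situation: the traffic has to be dropped upstream of your links, not at your firewall. The script below is an added example, not code from this thread or from Mikrotik; it picks out customer IPs receiving a UDP/53 flood from a constructed sample of flow records and prints the RouterOS commands that implement both replies. Everything in it is an assumption for illustration: the flow-record format and sampling window, the thresholds, the RFC 5737/5398 addresses, the blackhole community 64496:666 (ask your transit for the real one) and the RouterOS v6 syntax with a `bgp-out` filter chain name.

```python
"""Flag customer IPs under a DNS (UDP/53) flood from sampled flow records and
emit the RouterOS commands for a local blackhole route plus a BGP blackhole
community announcement.

Added example, not from the forum thread. Input format, thresholds, the transit
provider's blackhole community and all addresses are constructed placeholders."""
from collections import defaultdict
import ipaddress

# Constructed sample of flow records, one per line: "src dst proto dport bytes",
# assumed to cover a 10-second sampling window.
SAMPLE_FLOWS = """\
198.51.100.10 203.0.113.5 udp 53 12000000
198.51.100.11 203.0.113.5 udp 53 8000000
198.51.100.12 203.0.113.5 udp 53 15000000
198.51.100.13 203.0.113.5 udp 53 9000000
198.51.100.14 203.0.113.5 udp 53 11000000
192.0.2.7 203.0.113.20 tcp 443 400000
192.0.2.8 203.0.113.20 udp 53 2000
"""

WINDOW_SECONDS = 10
MIN_SOURCES = 5      # many distinct sources: a flood, not one busy resolver
MIN_MBIT = 30        # aggregate rate to the victim; assumed customer link size
BLACKHOLE_COMMUNITY = "64496:666"  # placeholder: use your transit provider's community


def parse_flows(text):
    """Parse 'src dst proto dport bytes' lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, nbytes = parts
        try:
            flows.append({
                "src": str(ipaddress.ip_address(src)),
                "dst": str(ipaddress.ip_address(dst)),
                "proto": proto.lower(),
                "dport": int(dport),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue
    return flows


def dns_flood_victims(flows, window=WINDOW_SECONDS,
                      min_sources=MIN_SOURCES, min_mbit=MIN_MBIT):
    """Return {victim_ip: (distinct_sources, mbit_per_s)} for destinations whose
    inbound UDP/53 traffic exceeds both thresholds within the window."""
    sources = defaultdict(set)
    total_bytes = defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53:
            sources[f["dst"]].add(f["src"])
            total_bytes[f["dst"]] += f["bytes"]
    victims = {}
    for dst, nbytes in total_bytes.items():
        mbit = nbytes * 8 / window / 1_000_000
        if len(sources[dst]) >= min_sources and mbit >= min_mbit:
            victims[dst] = (len(sources[dst]), round(mbit, 1))
    return victims


def routeros_mitigation(victim_ip, community=BLACKHOLE_COMMUNITY):
    """RouterOS v6-style commands (assumption): a local blackhole route for the /32,
    the /32 added as a BGP network, and an export filter tagging it with the
    transit provider's blackhole community. The chain name 'bgp-out' is assumed;
    match it to the out-filter configured on the transit peer."""
    prefix = f"{victim_ip}/32"
    return [
        f'/ip route add dst-address={prefix} type=blackhole comment="ddos-victim"',
        f"/routing bgp network add network={prefix} synchronize=yes",
        f"/routing filter add chain=bgp-out prefix={prefix} prefix-length=32 "
        f"set-bgp-communities={community} action=accept",
    ]


if __name__ == "__main__":
    for ip, (n, rate) in dns_flood_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"# {ip}: {n} sources, {rate} Mbit/s of UDP/53")
        print("\n".join(routeros_mitigation(ip)))
```

Note that the blackhole route alone only protects the rest of your customers from the router being swamped; the upstream links still carry the flood until the /32 tagged with the blackhole community reaches the transit provider, which is why both steps are emitted together. Remove the route and the network entry once the attack has stopped, or the customer stays offline.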