We had two IPs on our network attacked in the last few days. We've had this happen a couple of times before, but it seems this is becoming more common with all the bad router firmware out there.
The two attacks we had were somewhat different, but had similar effects.
The first one was a lot of bandwidth being sent at one IP address. Once we saw the unusually high bandwidth early in the morning I ran torch to try and see what IP was involved, but that didn't quite work. Most of the bandwidth was listed under 0.0.0.0 for some reason. So I captured some packets and found the IP and blocked the traffic with a raw firewall rule. That solved issues with the traffic filling up our downstream wireless backhauls and everything returned to normal after a short period of time.
The second attack was harder to spot because things were mostly working. We had random high pings over one of our downstream links, but there wasn't that much traffic on it. We found the AP that was being overloaded and tracked down the user that was consuming all the bandwidth on that AP and blocked that IP at the tower. Things seemed to be fine but every now and then we'd get the random high pings again.
I moved the block to the internet router and noticed that the counter was showing hundreds of thousands of packets being blocked. A packet capture showed that the packets were coming from sequential IPs one packet at a time and only 60 bytes. The bandwidth used was like 50-60 Mbps, but it was two-thirds of the packets coming in.
I was just thinking that maybe there was a clever way to set up some rules to limit or block traffic that exceeded certain limits to a single IP, or maybe just send an email or something to let us know we need to look into things.
Anyone have any tips and tricks for dealing with this sort of thing? TIA.
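As an added example (not part of the original post, and not a RouterOS feature), here is a small detection script for the two shapes described above: a single source filling the pipe with large packets, and a sweep of tiny packets from sequential, probably spoofed, source addresses aimed at one target. It assumes a packet capture has already been reduced to (timestamp, src, dst, length) tuples; the sample traffic is constructed, the thresholds are illustrative, and the suggested `/ip firewall raw` commands use assumed syntax that should be checked against the installed RouterOS version.

```python
"""Flag the two flood shapes from the post in a per-packet summary.

Added example, not code from the original post. Assumes a capture (tcpdump,
RouterOS sniffer export, ...) has been reduced to
(timestamp_s, src_ip, dst_ip, length_bytes) tuples. Thresholds are
illustrative; tune them to the link.
"""
import ipaddress
from collections import Counter, defaultdict


def build_sample():
    """Constructed sample traffic (not a real capture); documentation ranges only."""
    pkts = []
    # Shape 2 from the post: one 60-byte packet each from sequential source
    # addresses, all aimed at one target, 200 packets inside one second.
    for i in range(200):
        pkts.append((i * 0.005, f"203.0.113.{i + 1}", "198.51.100.10", 60))
    # Shape 1 from the post: one source pushing large packets at one target.
    for i in range(300):
        pkts.append((i / 300, "203.0.113.250", "198.51.100.20", 1400))
    # Ordinary background traffic that must not be flagged.
    for i in range(10):
        pkts.append((i * 0.1, "192.0.2.5", "198.51.100.30", 500))
    return pkts


def window_stats(packets, window_s=1.0, small_len=64):
    """Aggregate packets per (time window, destination)."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": Counter(), "small": 0})
    for ts, src, dst, length in packets:
        s = stats[(int(ts // window_s), dst)]
        s["pkts"] += 1
        s["bytes"] += length
        s["srcs"][src] += 1
        if length <= small_len:
            s["small"] += 1
    return stats


def sequential_fraction(srcs):
    """Fraction of sources whose numeric predecessor is also a source.

    Near 1.0 means the sources are being walked in order, the spoofed-sweep
    signature seen in the post, so per-source blocking is pointless."""
    nums = {int(ipaddress.IPv4Address(s)) for s in srcs}
    if len(nums) < 2:
        return 0.0
    return sum(1 for n in nums if n - 1 in nums) / len(nums)


def find_floods(packets, window_s=1.0, pps_threshold=100, mbps_threshold=2.0,
                min_sources=50, small_len=64):
    """Return one alert per (window, destination) that looks like a flood."""
    alerts = []
    for (w, dst), s in window_stats(packets, window_s, small_len).items():
        pps = s["pkts"] / window_s
        mbps = s["bytes"] * 8 / window_s / 1e6
        if mbps >= mbps_threshold:
            # Bandwidth flood: the heaviest source is the one to block.
            alerts.append({"dst": dst, "window": w, "kind": "bandwidth",
                           "mbps": round(mbps, 2),
                           "top_src": s["srcs"].most_common(1)[0][0]})
        elif (pps >= pps_threshold and len(s["srcs"]) >= min_sources
              and s["small"] / s["pkts"] > 0.9):
            # High packet rate, tiny packets, many sources: the sweep pattern.
            alerts.append({"dst": dst, "window": w, "kind": "small-packet-sweep",
                           "pps": pps, "sources": len(s["srcs"]),
                           "sequential": sequential_fraction(s["srcs"]),
                           "small_len": small_len})
    return sorted(alerts, key=lambda a: (a["dst"], a["window"]))


def suggest_rule(alert):
    """Illustrative RouterOS raw-table commands (assumed syntax; verify locally)."""
    if alert["kind"] == "bandwidth":
        return (f"/ip firewall raw add chain=prerouting src-address={alert['top_src']} "
                f"action=drop comment=\"flood to {alert['dst']}\"")
    # Sequential spoofed sources cannot be blocked one by one; match the
    # target plus the tiny packet size at the upstream edge instead.
    return (f"/ip firewall raw add chain=prerouting dst-address={alert['dst']} "
            f"packet-size=0-{alert['small_len']} action=drop comment=\"small-packet sweep\"")


if __name__ == "__main__":
    for a in find_floods(build_sample()):
        print(a)
        print("   ", suggest_rule(a))
```

The bandwidth case is caught by bytes per window and names the top talker; the sweep case is caught by packet rate, source count and small-packet ratio, and the sequential-source fraction tells you the sources are spoofed, so the block has to key on the destination (and ideally be pushed upstream) rather than on any one address.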