I've been searching around on the forums and haven't found what I'm looking for. It seems like most of the attacks reported are small amounts of bandwidth from 1000s of sources or a little bit of traffic that consumes CPU cycles.
I'm seeing large chunks of bandwidth, much bigger than any plan we offer currently, coming from a handful of source IPs that aren't always the same but are consistent thought the duration of any particular attack instance. My CCR is not having any system resource issues when this occurs. When in happens all my internal LAN traffic gets cut to 5-10% of normal and WAN traffic is maxing my fiber pipe out. I should have screen shot the data in torch since it didn't really show up in netflow data correctly but I'll see for example 77Mbps coming from one IP in China, 65Mbps coming from another, 46Mbps from one in Thailand, 44Mbps from one in Germany, etc. and maxes out the pipe until I add the IPs manually to a DDoS address list that drops the traffic or I wait the attack out. I'd like to automate this process since its becoming more common. I'd like to create a rule that if X IP generates 50+ MBps for more than 5sec than add it to the DDoS list. Any ideas?