We've run into things like this before, but between our flow data--seeing it come in different upstreams, and it being sourced from UDP there's a good chance that the source IP was spoofed and it was actually coming from multiple sources->smallish DDoS
On Wed, Sep 9, 2015 at 11:34 AM, Nate Burke <n...@blastcomm.com> wrote: > Had an interesting DOS attack today, All sourced from a single IP Address > to UDP Port 80 of the customer, running about 100mb/s and 160,000 pps. > Coming from a Comcast Business IP, destined to a customer off an FSK > Radio. Mitigating the traffic was easy, just drop the source at my network > edge, but I've never seen a DOS where it's only from a single IP Address. > And it's been going on for like 30 min. Usually see it coming in from > 100's of Source IP's. > > Nate >
