Yup … see them both ways (DOS and DDOS) but as mentioned most times it’s spoofed
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jon Auer
Sent: Thursday, September 10, 2015 12:14 PM
To: Animal Farm <af@afmug.com>
Subject: Re: [AFMUG] Strange DOS attack

We've run into things like this before, but between our flow data--seeing it come in different upstreams, and it being sourced from UDP there's a good chance that the source IP was spoofed and it was actually coming from multiple sources->smallish DDoS

On Wed, Sep 9, 2015 at 11:34 AM, Nate Burke <n...@blastcomm.com> wrote:

Had an interesting DOS attack today, All sourced from a single IP Address to UDP Port 80 of the customer, running about 100mb/s and 160,000 pps. Coming from a Comcast Business IP, destined to a customer off an FSK Radio.

Mitigating the traffic was easy, just drop the source at my network edge, but I've never seen a DOS where it's only from a single IP Address. And it's been going on for like 30 min. Usually see it coming in from 100's of Source IP's.

Nate
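
The check Jon Auer describes in the thread above (one source IP, UDP, arriving over different upstreams), sketched as an added example that is not part of any poster's message. The flow records, addresses, upstream names and the pps threshold are constructed assumptions; a source seen on more than one ingress is a heuristic hint of spoofing, not proof.

```python
from collections import defaultdict

# Constructed flow records for one 60-second export window (not from the thread).
# Fields: src, dst, proto, dst port, ingress upstream, packets, bytes.
# "transit-a"/"transit-b" are hypothetical upstream names; IPs are documentation ranges.
FLOWS = [
    ("198.51.100.7", "203.0.113.20", "udp", 80, "transit-a", 5_400_000, 421_875_000),
    ("198.51.100.7", "203.0.113.20", "udp", 80, "transit-b", 4_200_000, 328_125_000),
    ("192.0.2.44", "203.0.113.20", "tcp", 443, "transit-a", 1_200, 900_000),
    ("192.0.2.99", "203.0.113.21", "udp", 53, "transit-b", 600, 48_000),
]
WINDOW_S = 60


def summarize(flows, window_s=WINDOW_S, min_pps=10_000):
    """Aggregate flows per (src, dst, proto, dport) and report high-rate streams.

    A stream is marked likely_spoofed when it is UDP (no handshake, so the
    source address is unverified) and the same source IP enters the network
    through more than one upstream within the window.
    """
    agg = defaultdict(lambda: {"pkts": 0, "bytes": 0, "ingress": set()})
    for src, dst, proto, dport, ingress, pkts, nbytes in flows:
        entry = agg[(src, dst, proto, dport)]
        entry["pkts"] += pkts
        entry["bytes"] += nbytes
        entry["ingress"].add(ingress)

    findings = []
    for (src, dst, proto, dport), entry in agg.items():
        pps = entry["pkts"] / window_s
        if pps < min_pps:
            continue  # ignore normal-rate traffic
        findings.append({
            "src": src, "dst": dst, "proto": proto, "dport": dport,
            "pps": pps,
            "mbps": entry["bytes"] * 8 / window_s / 1e6,
            "ingress": sorted(entry["ingress"]),
            "likely_spoofed": proto == "udp" and len(entry["ingress"]) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in summarize(FLOWS):
        print(f)
```

A stream flagged this way is better handled by filtering on destination and port than by dropping the apparent source alone, since the listed source address may not be the real sender.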