A bit of info ..
Dear peering partners,
Because I see only information like "we are under attack" with no
technical information, I would like to provide some.
We experienced 20Gbps+ attacks facing some of our IP transit customers,
typically those having their own ASN and one or two smaller prefixes. The
mode they use is "carpet bombing", i.e. spread over the whole prefix.
Traffic is udp/0 -> udp/0, udp/389 -> udp/any and icmp type 3. Packet
size varies. Sources are spread over the world. They last longer than the
usual five minutes; we have seen such attacks lasting up to two hours.
Most of this traffic reached us over DE-CIX, AMS-IX and IP transit
partners. Traffic over NIX.CZ is not significant.
Due to the attack characteristics, it is inefficient to use a filtering
rule or RTBH. It is possible to mitigate such an attack in an efficient
way using more flowspec rules or TMS. Contact your upstream operators if
your uplinks become congested.
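
Added example, not part of the original message: a flow-based check for the three traffic patterns listed above. It sums matching traffic per customer prefix as well as per destination host, because carpet bombing keeps every single host below a per-host alarm. The thresholds, the flow record fields and the 203.0.113.0/24 documentation prefix are assumptions made for this sketch.

```python
import ipaddress
from collections import defaultdict

# Assumed alarm thresholds in bits per second (not taken from the message).
PER_HOST_BPS = 1_000_000_000
PER_PREFIX_BPS = 5_000_000_000

def signature(proto, sport, dport, icmp_type=None):
    """Return the name of the matching pattern from the message, else None."""
    if proto == "udp" and sport == 0 and dport == 0:
        return "udp/0->udp/0"
    if proto == "udp" and sport == 389:
        return "udp/389->udp/any"
    if proto == "icmp" and icmp_type == 3:
        return "icmp type 3"
    return None

def detect(flows, prefixes, interval_s):
    """Sum matching traffic per host and per prefix; return (host_alarms, prefix_alarms)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    host_bps, prefix_bps = defaultdict(float), defaultdict(float)
    for f in flows:
        if signature(f["proto"], f["sport"], f["dport"], f.get("icmp_type")) is None:
            continue  # not one of the three patterns
        dst = ipaddress.ip_address(f["dst"])
        net = next((n for n in nets if dst in n), None)
        if net is None:
            continue  # destination is outside the monitored prefixes
        bps = f["bytes"] * 8 / interval_s
        host_bps[str(dst)] += bps
        prefix_bps[str(net)] += bps
    host_alarms = sorted(h for h, b in host_bps.items() if b >= PER_HOST_BPS)
    prefix_alarms = {p: b for p, b in prefix_bps.items() if b >= PER_PREFIX_BPS}
    return host_alarms, prefix_alarms

def sample_flows():
    """Constructed sample: 20 Gbps for 60 s spread evenly over every address of a /24."""
    kinds = [("udp", 0, 0, None), ("udp", 389, 40000, None), ("icmp", 0, 0, 3)]
    per_host_bytes = 20_000_000_000 // 8 * 60 // 256
    flows = []
    for i, ip in enumerate(ipaddress.ip_network("203.0.113.0/24")):
        proto, sport, dport, itype = kinds[i % 3]
        flows.append({"dst": str(ip), "proto": proto, "sport": sport,
                      "dport": dport, "icmp_type": itype, "bytes": per_host_bytes})
    # Constructed non-matching flow (udp/53 source) that must be ignored.
    flows.append({"dst": "203.0.113.10", "proto": "udp", "sport": 53,
                  "dport": 5000, "bytes": 10**10})
    return flows
```

On the constructed sample, `detect(sample_flows(), ["203.0.113.0/24"], 60)` raises no per-host alarm (about 78 Mbps per address) while the prefix total reaches the full 20 Gbps.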