Re: [EXTERNAL] Re: Retalitory DDoS

FYI, that looks like a Web Services Dynamic Discovery UDP amplification DDoS attack. https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html Very easily executed by a booter service.

You may want to have your hosting provider block all inbound traffic from reaching your server IP except TCP port 443 (or 80 or whatever port you actually use) somewhere upstream. This can help reduce the impact of DDoS attacks on your server.

-Rich

Was gonna come to add that. That and maybe some UDP frags.

> You may want to have your hosting provider block all inbound traffic from reaching your server IP except TCP port 443 (or 80 or whatever port you actually use) somewhere upstream.

Can also consider dropping by UDP source port on that 3072 and other common reflection vectors if you’ve got UDP-based destinations to deal with.

The SYN floods are a different beast; though probably not volumetric, needs enough capacity (TCP reverse proxies / LBs / etc) to handle that and possibly things like SYN cookies. I’ll let folks more versed than myself answer there, though. Roland probably has a deck ready to link :wink:
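An added example, not from the thread, of the filtering Rich and Hugo describe, written as an nftables ruleset for a Linux box in front of the server (the same logic maps onto an upstream provider ACL). The server address, the rate-limit figures and the set of reflection source ports are my placeholders; WS-Discovery itself listens on UDP/3702.

```nft
#!/usr/sbin/nft -f
# Placeholder values; adjust to the real server and traffic profile.
define SERVER_IP = 192.0.2.10
# Common UDP reflection/amplification source ports (WS-Discovery, DNS, NTP,
# SNMP, SSDP, memcached, CLDAP). Extend as needed.
define REFLECT_SPORTS = { 3702, 53, 123, 161, 1900, 11211, 389 }

table inet ddos {
    # Per-source meter used to rate-limit new TCP connections (SYN flood hygiene)
    set synlimit {
        type ipv4_addr
        flags dynamic
        timeout 60s
    }

    chain inbound {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # Reflection traffic: drop by UDP source port, counted for visibility
        udp sport $REFLECT_SPORTS counter drop

        # Non-first IP fragments carry no transport header; drop them outright
        ip frag-off & 0x1fff != 0 counter drop

        # Per-source SYN rate limit on the one service port that is exposed
        ip daddr $SERVER_IP tcp dport 443 tcp flags syn \
            add @synlimit { ip saddr limit rate over 20/second burst 40 packets } counter drop

        # Only the service port is reachable from outside; everything else hits the drop policy
        ip daddr $SERVER_IP tcp dport 443 ct state new accept
        icmp type { echo-request, destination-unreachable } limit rate 10/second accept
        counter drop
    }
}
```

Load with `nft -f`, and watch the `counter` values on the drop rules to confirm which vector is actually hitting the host.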

Good analysis, Hugo,

I believe that all of this volumetric attack is just noise to hide the real attack that really killed your webserver.

TCP Flag: SYN: 100%

I would start with this line and I agree that Roland’s deck might have something about SYN flood.

Jean