UDP Amplification DDoS - Help!


Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful.

A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site, if we change the PAT address for the site, the attack targets the new address at the next occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request originate within the network but that does not appear to be the case.

We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.

I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.

Thanks in advance for any insight.


Oodles of devices downstream of the 1G? Does the 1G terminate into a router or firewall?

Sounds like there is a compromised host downstream of the 1G that is reporting back it's source IP and that is why changing the IP doesn't help.

If you look at the PAT table, any oddities?

Good luck!


It's much more likely that the attacker is just following the DNS changes.

Not quite sure what kind of info / confirmation you are looking for...

There are lots of articles (do a google search) on this topic as well as mitigation ...





Faisal Imtiaz
Snappy Internet & Telecom

Take a look at this .pdf preso:


Who's the upstream? Is it the sole upstream You may well not be speaking to the right folks there, the ones who can provide assistance.

Also note that there are multiple overlay MSSPs who can potentially help, as well, apart from the immediate upstream.

Hi Mitch.

My colleagues in the US dealt with something like this and I have dealt with something similar to this in Australia.
Does your customer happen to be a school district?

In our cases it turned out to be students buying Ddos as a service and targeting the address which comes up when they go to www.whatismyip.com<http://www.whatismyip.com>.
So the attack would constantly change and follow the network when there was an IP block put in place at the upstream.

In my opinion, there are a few options to this:
1)The best solution is to use a comprehensive cloud based Ddos mitigation solution.
2) Use a cgnat to dynamically map to different external addresses and change them dynamically when there is a Ddos, while putting he used addresses in a black hole.
3) Another could be to use an external proxy service where you proxy your outbound requests to. So they will eventually become the target. However this moves the problem elsewhere and still exposes you to Ddos if they know your Cpe address.
4) In combination with this, you can perform incident response check your logs, turn on authentication, so you know when users are browsing for whatismyip and Ddos attack services.

James Tin
APJ Principle Enterprise Security Architect
Akamai Technologies
+61 466 961 555
Level 7, 76 Berry St, North Sydney
Australia 2060

use a CDN provider or AWS ELBs or something to absorb the attacks?

You haven't indicated what the actual inbound attack volume is. If it's
something your network core can handle, you can block the attack fingerprint
upstream so it does not reach the 1Gb link. If it's UDP amplification
chances are you can create a firewall rule.


1. Move the website to DDoS-resistant reverse proxy like Cloudflare or
Incapsula, using its current IP address; won't make much of a difference as
attacker will go back to attacking the last known IP address.
2. Change the site IP address and only update it at the reverse proxy
provider, not at any DNS record whatsoever.

This should do the trick unless attacker starts a full-range CIDR block
attack, at which point your next escalation path is GRE-based DDoS
providers like, but not limited to, Black Lotus.


You could use multiple PAT addresses to find the source of information
for the attacker and to reduce the impact by filtering/QOS.

TCP connections PAT IP1 (block UDP before going to the 1G line)
UDP connections PAT IP2

webservers connecting to api hosts - PAT IP3
webservers remaining connections - PAT IP4