I received a notification from my hoster (Hetzner) that my leased server is under a DDoS attack. The notice reads as follows:
We have indications that your server has been attacked. Those responsible for this have been asked to solve the issue and to give us a statement on the cause of the attack.
> Direction IN
> Internal (here set my server address)
> Threshold of 200,000 Packets packets/s
> Sum 73.186.000 packets/300s (243.953 packets/s), 36.593 flows/300s (121 flows/s), 36,806 GByte/300s (1.005 MBit/s)
> External 188.8.131.52, 3.236.000 packets/300s (10.786 packets/s), 1.618 flows/300s (5 flows/s), 1,627 GByte/300s (44 MBit/s)
> External 184.108.40.206, 2.802.000 packets/300s (9.340 packets/s), 1.401 flows/300s (4 flows/s), 1,409 GByte/300s (38 MBit/s)
> External 220.127.116.11, 2.498.000 packets/300s (8.326 packets/s), 1.249 flows/300s (4 flows/s), 1,256 GByte/300s (34 MBit/s)
> External 18.104.22.168, 2.272.000 packets/300s (7.573 packets/s), 1.136 flows/300s (3 flows/s) 1,143 GByte/300s (31 MBit/s)
> External 22.214.171.124, 2.048.000 packets/300s (6.826 packets/s), 1.024 flows/300s (3 flows/s), 1,030 GByte/300s (28 MBit/s)
In total, 5 such letters have arrived; the timing is random and shows no pattern, and the list of addresses from which the requests to the server come changes constantly.
The hoster does not intend to block the address pools, and the attacks take the channel down for 5 to 10 minutes. Blocking them via iptables is not an option, as the link from the ISP router to the server will still be clogged.
What is the best thing to do in this situation?
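To read the figures in the notice above, the following added example (not part of the original post) parses its `Sum` and `External` lines and recomputes the rates. It assumes German number notation (`.` groups thousands, `,` is the decimal mark) and that MBit/s = GByte × 1024 × 8 / 300, a relation inferred from the notice's own figures; the source addresses are replaced with constructed documentation addresses.

```python
import re

# Figures copied from the notice above; source addresses are replaced with
# RFC 5737 documentation addresses (constructed for this example).
NOTICE = """\
> Sum 73.186.000 packets/300s (243.953 packets/s), 36.593 flows/300s (121 flows/s), 36,806 GByte/300s (1.005 MBit/s)
> External 203.0.113.1, 3.236.000 packets/300s (10.786 packets/s), 1.618 flows/300s (5 flows/s), 1,627 GByte/300s (44 MBit/s)
> External 203.0.113.2, 2.802.000 packets/300s (9.340 packets/s), 1.401 flows/300s (4 flows/s), 1,409 GByte/300s (38 MBit/s)
> External 203.0.113.3, 2.498.000 packets/300s (8.326 packets/s), 1.249 flows/300s (4 flows/s), 1,256 GByte/300s (34 MBit/s)
> External 203.0.113.4, 2.272.000 packets/300s (7.573 packets/s), 1.136 flows/300s (3 flows/s) 1,143 GByte/300s (31 MBit/s)
> External 203.0.113.5, 2.048.000 packets/300s (6.826 packets/s), 1.024 flows/300s (3 flows/s), 1,030 GByte/300s (28 MBit/s)
"""

LINE = re.compile(
    r"^(?:Sum|External\s+(?P<src>[\d.]+),)\s+"
    r"(?P<pkts>[\d.]+) packets/300s \((?P<pps>[\d.]+) packets/s\),\s*"
    r"[\d.]+ flows/300s \([\d.]+ flows/s\),?\s*"  # comma is missing on one line
    r"(?P<gbyte>[\d.,]+) GByte/300s \((?P<mbit>[\d.]+) MBit/s\)$"
)

def de_num(text):
    """German notation: '.' groups thousands, ',' is the decimal mark."""
    return float(text.replace(".", "").replace(",", "."))

def parse_notice(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.lstrip("> ").strip())
        if not m:
            continue
        pkts, gbyte = de_num(m["pkts"]), de_num(m["gbyte"])
        rows.append({
            "src": m["src"] or "Sum",
            "packets": int(pkts),
            "pps": int(pkts // 300),               # recomputed from the 300 s total
            "mbit_s": gbyte * 1024 * 8 / 300,      # assumed unit relation
            "reported_pps": int(de_num(m["pps"])),
            "reported_mbit_s": de_num(m["mbit"]),
        })
    return rows

def summarize(rows, threshold_pps=200_000):  # threshold as stated in the notice
    total = next(r for r in rows if r["src"] == "Sum")
    listed = [r for r in rows if r["src"] != "Sum"]
    return {
        "total_pps": total["pps"],
        "over_threshold": total["pps"] > threshold_pps,
        "total_mbit_s": round(total["mbit_s"]),
        "listed_share": round(sum(r["packets"] for r in listed) / total["packets"], 3),
    }
```

On these figures `summarize(parse_notice(NOTICE))` gives about 1005 Mbit/s inbound in total, and the five listed sources account for only about 17.6% of the packets.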