Tuesday, July 17, 2018

Dealing with DDoS

Hi Redditors,

I've been helping with a new network lately, and this network's main issue comes in the form of DDoS, specifically volumetric attacks. According to the historic data since the beginning of the year, this network has been attacked consistently 4 times, each time lasting between 2 - 4 weeks.

The network's own max internet capacity is roughly 2 Gbps, which comes in the form of 2x1Gbps circuits. What I've done so far to help them is:

  • Hire a scrubbing provider
  • Enable auto blackhole with help of upstreams (RTBH)

So far this has worked ok: basically, when attacks come, the system in place issues an RTBH for the affected IP for 3 minutes, and if we have many alerts for the same subnet, we engage the scrubber. But this comes with a price, which is an increase in latency from certain key places (this network is located in Asia and there's no real fix for this) that is a huge reason for customers to leave. They didn't pay attention to having increased latency for 1 hour or so, occasionally, but when this happens 3 - 7 times a week they complain a lot. When there's just some occasional attack it's ok, no problem, but the attacks being faced are to multiple random IPs every 10 - 180 seconds.

I've also installed a system that logs the attacks and reports the incidents to the NOC or Network-Abuse emails associated with the IPs, but a lot of the time this does nothing: major Internet companies around the world literally pay 0 attention to those emails (we get no reply at all and keep seeing the IPs doing the same), or the emails get bounced directly because the accounts are full. Only the small ISPs usually take action, but it isn't enough.

According to my research we may at least get away with some of those attacks if we increased our capacity to at least 10 Gbps; while this won't 100% stop the attacks, it would at least make sure the small ones do nothing. However, the owners of the network are reluctant to do it due to the costs and the lack of assurances. After all, they're paying a ton of money for the scrubber.

My questions, basically: have you dealt with this before? If so, how did you manage it? What would you do? The main constraint here is latency due to the geolocation of the network; getting a lot of bandwidth for certain Asia destinations that this network needs is really complicated and expensive, and I'm really out of ideas on how to fight those attacks.
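The escalation logic described in the post (RTBH per attacked IP for 3 minutes, scrubber engaged once one subnet keeps alerting) written out as an added example; this is not the poster's system. The /24 aggregation, the 3-alert threshold and the 10-minute window are assumptions, and the alert list is constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy parameters (the post only states "3 minutes" and "many alerts"):
RTBH_SECONDS = 180        # blackhole duration stated in the post
SUBNET_PREFIX = 24        # assumed: "the same subnet" aggregated at /24
SUBNET_THRESHOLD = 3      # assumed: alerts on one subnet before engaging the scrubber
SUBNET_WINDOW = 600       # assumed: 10-minute sliding window for counting alerts


class MitigationPolicy:
    """Turns volumetric-attack alerts into RTBH and scrubbing decisions."""

    def __init__(self):
        self.rtbh_until = {}                   # ip -> epoch second the blackhole expires
        self.subnet_hits = defaultdict(deque)  # subnet -> timestamps of recent alerts
        self.scrubbed = set()                  # subnets already diverted to the scrubber

    def handle_alert(self, ts, target_ip):
        """Return the list of actions for one alert at time ts (epoch seconds)."""
        actions = []
        subnet = ipaddress.ip_network(f"{target_ip}/{SUBNET_PREFIX}", strict=False)
        # Drop expired blackholes first, so a repeat attack on the same IP re-triggers RTBH.
        self.rtbh_until = {ip: t for ip, t in self.rtbh_until.items() if t > ts}
        if subnet in self.scrubbed:
            return actions  # already behind the scrubber; blackholing would drop clean traffic too
        if target_ip not in self.rtbh_until:
            self.rtbh_until[target_ip] = ts + RTBH_SECONDS
            actions.append(("rtbh", target_ip, ts + RTBH_SECONDS))
        # Count alerts per subnet inside the sliding window and escalate at the threshold.
        hits = self.subnet_hits[subnet]
        hits.append(ts)
        while hits and hits[0] < ts - SUBNET_WINDOW:
            hits.popleft()
        if len(hits) >= SUBNET_THRESHOLD:
            self.scrubbed.add(subnet)
            actions.append(("scrub", str(subnet)))
        return actions


def run(alerts):
    """Replay a list of (ts, ip) alerts through the policy and collect all actions."""
    policy = MitigationPolicy()
    return [a for ts, ip in alerts for a in policy.handle_alert(ts, ip)]


# Constructed sample: random targets in one /24 every 10-180 s, as the post describes.
SAMPLE_ALERTS = [(0, "203.0.113.5"), (60, "203.0.113.77"), (100, "203.0.113.5"),
                 (200, "203.0.113.12"), (250, "203.0.113.90"), (2000, "198.51.100.4")]

if __name__ == "__main__":
    for action in run(SAMPLE_ALERTS):
        print(action)
```

Replaying the sample yields two RTBH actions, one scrub escalation for 203.0.113.0/24 (after which alerts in that subnet produce no further blackholes), and a separate RTBH for the unrelated 198.51.100.4.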
