TCP-AMP DDoS Attack - Fake abuse reports problem

Selphie Keller selphie.keller at gmail.com
Fri Feb 21 11:24:48 UTC 2020


Yeah, this type of attack is a pain in the ass to deal with.

Attacker is spoofing your IP addresses to millions of random web servers
all over the Internet, which see it as a typical SYN flood. Those with
automated reporting are likely blowing up OVH's abuse@, making a pain for
them as well.
However, OVH likely could easily check netflow or some other audit means to
see your server didn't actually send out SYN packets to these servers. They
likely are able to confirm the influx of inbound SYN-ACK packets, which can
be up to six depending on the TCP/IP stack of the server.
The others are correct: if you send out TCP Reset rejections you can tear
down these bad states on the victim reflector's side to avoid getting retry
SYN-ACKs.

At this point I would consider whatever IP that you have that's getting
attacked as burned; your best bet is to drop those affected subnets and
get new ones and avoid getting them exposed to whoever is attacking you.

Spoofing issues have been the bane of any operator for years; until all the
ASNs are on board with proper anti-spoofing, DDoS abuse of spoofing will
be ongoing and always an issue.

On Thu, 20 Feb 2020 at 15:18, Octolus Development <admin at octolus.net> wrote:

> A very old attack method called TCP-AMP ( https://pastebin.com/jYhWdgHn )
> has been getting really popular recently.
>
> I've been a victim of it multiple times on many of my IPs and every time
> it happens, my IPs end up getting blacklisted in major big databases. We
> also receive tons of abuse reports for "Port Scanning".
>
> Example of the reports we're getting:
> tcp: 51.81.XX.XX:19342 -> 209.208.XX.XX:80 (SYN_RECV)
> tcp: 51.81.XX.XX:14066 -> 209.208.XX.XX:80 (SYN_RECV)
>
> OVH are threatening to kick us off their network, because we are victims
> of this attack. And requesting us to do something about it, despite the
> fact that there is nothing you can do when you are the victim of a DDoS
> attack.
>
> Anyone else had any problems with these kinds of attacks?
>
> The attack basically works like this;
> - The attacker scans the internet for TCP Services, i.e port 80.
> - The attacker then sends spoofed requests from our IP to these TCP
> Services, which makes the remote service attempt to connect to us to
> initiate the handshake. This clearly fails.
> ... Which ends up with hundreds of requests to these services, reporting us
> for "port flood".
>
>
>
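The exchange described in the thread, as an added illustration that is not code from either poster: the attacker sends SYNs carrying the victim's source address to many third-party servers (the reflectors), each reflector enters SYN_RECV and sends the victim a SYN-ACK, and retransmits it until it gets a reply or gives up. The model compares the two victim-side behaviours Selphie contrasts (the kernel answering RST to an unexpected SYN-ACK versus a firewall silently dropping it) and finishes with the netflow-style check she suggests the provider could run: a scanner originates SYNs to many peers, a reflection victim originates none and only receives SYN-ACKs. All addresses are constructed (the thread masks its own), the retransmission budget of one initial SYN-ACK plus five retries mirrors the Linux default `net.ipv4.tcp_synack_retries = 5` (other stacks differ, and real timers back off exponentially rather than ticking uniformly), and the abuse-report line format copies the one quoted in the original post.

```python
"""
Model of the TCP reflection the thread calls "TCP-AMP" (added example, not
code from the thread). Addresses are constructed: 203.0.113.0/24 is
TEST-NET-3, and VICTIM stands in for the masked 51.81.XX.XX.
"""

SYNACK_RETRIES = 5          # Linux default net.ipv4.tcp_synack_retries (assumed stack)
VICTIM = "51.81.0.2"        # constructed stand-in for the masked victim address


class Reflector:
    """A third-party web server that receives the spoofed SYN."""

    def __init__(self, addr, port=80):
        self.addr, self.port = addr, port
        self.syn_recv = {}      # (peer_ip, peer_port) -> SYN-ACK retransmissions so far
        self.reports = []       # lines an automated abuse reporter would emit

    def on_syn(self, src_ip, src_port):
        # Spoofed SYN: the reflector cannot tell the source address is forged.
        self.syn_recv[(src_ip, src_port)] = 0
        self.reports.append(f"tcp: {src_ip}:{src_port} -> {self.addr}:{self.port} (SYN_RECV)")
        return (self.addr, self.port, src_ip, src_port, "SA")

    def on_rst(self, peer_ip, peer_port):
        # RST from the real owner of the address tears down the half-open state.
        self.syn_recv.pop((peer_ip, peer_port), None)

    def tick(self):
        # One retransmission timer expiry (real stacks double the interval each time).
        out = []
        for key in list(self.syn_recv):
            if self.syn_recv[key] < SYNACK_RETRIES:
                self.syn_recv[key] += 1
                out.append((self.addr, self.port, key[0], key[1], "SA"))
            else:
                del self.syn_recv[key]  # gave up; SYN_RECV entry expires
        return out


def simulate(policy, n_reflectors):
    """policy: 'rst' (victim kernel answers an unexpected SYN-ACK with RST) or
    'drop' (a firewall silently discards it). Returns counters plus the flow
    records seen at the victim's edge: (src, sport, dst, dport, flags)."""
    reflectors = [Reflector(f"203.0.113.{i + 1}") for i in range(n_reflectors)]
    flows = []

    def deliver(reflector, pkt):
        flows.append(pkt)                                # inbound SYN-ACK to the victim
        if policy == "rst":
            src, sport, dst, dport, _ = pkt
            flows.append((dst, dport, src, sport, "R"))  # victim's RST back out
            reflector.on_rst(dst, dport)

    # The attacker's spoofed SYNs never cross the victim's edge, so they are
    # absent from victim-side flow records; only the reflectors see them.
    for i, r in enumerate(reflectors):
        deliver(r, r.on_syn(VICTIM, 19342 + i))
    ticks = 0
    while any(r.syn_recv for r in reflectors):
        ticks += 1
        for r in reflectors:
            for pkt in r.tick():
                deliver(r, pkt)
    return {
        "synacks_at_victim": sum(1 for f in flows if f[4] == "SA"),
        "abuse_report_lines": sum(len(r.reports) for r in reflectors),
        "ticks_until_reflectors_clear": ticks,
        "sample_report": reflectors[0].reports[0],
        "flows": flows,
    }


def classify(flows, host):
    """Netflow-style check a provider could run on the accused host: a port
    scanner originates SYNs to many peers; a reflection victim originates no
    SYNs at all but receives SYN-ACKs from many peers."""
    out_syn_peers = {f[2] for f in flows if f[0] == host and f[4] == "S"}
    in_synack_peers = {f[0] for f in flows if f[2] == host and f[4] == "SA"}
    if out_syn_peers:
        return "scanner"
    if in_synack_peers:
        return "reflection_victim"
    return "normal"


if __name__ == "__main__":
    for policy in ("rst", "drop"):
        res = simulate(policy, 1000)
        summary = {k: v for k, v in res.items() if k != "flows"}
        print(policy, summary, classify(res["flows"], VICTIM))
```

Both policies produce the same number of abuse-report lines (one per spoofed SYN, since the reflector logs SYN_RECV on arrival), which is why the reports keep coming regardless of what the victim does; the difference is that the drop policy leaves every reflector in SYN_RECV for the full retry budget and makes the victim absorb six SYN-ACKs per reflector instead of one. The RST path only helps if the victim host actually emits the RST (no INPUT DROP rule or stateful firewall swallowing unsolicited SYN-ACKs) and the reflector's stack honours it, and in either case `classify` reports the host as a reflection victim rather than a scanner because no outbound SYN ever appears in its flows.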