Reaching out to Sony NOC, resolving DDoS Issues - Need POC

Octolus Development admin at octolus.net
Mon Jan 27 21:12:18 UTC 2020


It is impossible to find the true origin of where the spoofed attacks are coming from.

I don't have an exact timestamp, because the attacks are really difficult to see as well. As I said, you can block the IP from accessing the internet completely. Yet, some services will flag our IP as "port flooding" their service - despite the fact it's fully spoofed.

We received multiple flags at OVH of port flooding.

This was one of the reports we got:
tcp: 51.81.119.7:30364 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:41535 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:1089 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:4433 -> 209.208.32.250:80 (SYN_RECV)

On 27.01.2020 21:29:11, Damian Menscher <damian at google.com> wrote:
One approach would be to trace the true origin of the spoofed packets, and get it filtered by their upstream. To that end, can you share some details of a recent tcp-amp attack? E.g., the victim IP and a timestamp?

Damian

On Mon, Jan 27, 2020 at 12:06 PM Octolus Development <admin at octolus.net> wrote:

Hey everyone, decided to do a small update for those who are interested.

- Sony reached out to me, they whitelisted our IPs temporarily but then removed them. We have not heard from them since (10th January)
- We tracked down the cause of the blacklisting: it is happening because we are a victim of a TCP-AMP DDoS Attack.

The TCP-AMP Attack works like this:
- The attacker spoofs our server's IP, to thousands of services running a web server on port 80.
- These web services then respond back to our server, thinking we're the one that made a request.

It seems like hundreds of these web servers that are receiving those spoofed requests from our IP run CSF or some kind of firewall system that automatically detects many connections to their web server, and automatically reports it to multiple different services, which ends up in us getting blacklisted.

Imperva, which is what Sony uses, is importing blacklists from multiple different trusted databases, which is how we're getting banned by Sony, which uses Imperva on all their services as their web firewall.

The solution? There isn't really any. We are the victim here, the attackers are spoofing attacks from our IPs - and the services that are reflecting back to us are reporting us for "attacking" them even though the requests are fully spoofed.

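The reflection described above, as an added Python example that is not part of the original thread: the first half parses the CSF-style report lines quoted earlier and shows the per-source half-open count a reflector's firewall keys on; the second half shows the spoofed host's side, where SYN-ACKs or RSTs arriving for connections it never opened are backscatter evidence that its address is being forged. The `OUTBOUND_SYNS` and `INBOUND` samples, and the 198.51.100.10 / 203.0.113.5 addresses, are constructed for the example.

```python
import re
from collections import defaultdict

# CSF-style report lines as quoted in the thread: the reflector's own view.
REFLECTOR_REPORT = """\
tcp: 51.81.119.7:30364 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:41535 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:1089 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:4433 -> 209.208.32.250:80 (SYN_RECV)
"""
LINE_RE = re.compile(r"tcp: (\S+):(\d+) -> (\S+):(\d+) \((\w+)\)")


def parse_report(text):
    """Parse 'tcp: src:port -> dst:port (STATE)' lines into tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport, state = m.groups()
            records.append((src, int(sport), dst, int(dport), state))
    return records


def half_open_by_source(records, threshold=3):
    """Count half-open (SYN_RECV) entries per source: the signal a reflector's
    firewall reports on, even though that source address was forged."""
    counts = defaultdict(int)
    for src, _, _, _, state in records:
        if state == "SYN_RECV":
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed samples for the spoofed host's view (198.51.100.10 and
# 203.0.113.5 are documentation addresses, not from the thread).
OUTBOUND_SYNS = {("51.81.119.7", 50000, "198.51.100.10", 443)}
INBOUND = [  # (peer_ip, peer_port, our_ip, our_port, tcp_flags)
    ("198.51.100.10", 443, "51.81.119.7", 50000, "SA"),   # reply we asked for
    ("209.208.32.250", 80, "51.81.119.7", 30364, "SA"),   # unsolicited
    ("209.208.32.250", 80, "51.81.119.7", 41535, "SA"),   # unsolicited
    ("203.0.113.5", 80, "51.81.119.7", 1089, "R"),        # unsolicited RST
]


def backscatter(outbound_syns, inbound):
    """Count SYN-ACKs/RSTs per peer for connections we never opened; such
    unsolicited replies are reflection backscatter from our spoofed address."""
    unsolicited = defaultdict(int)
    for peer, pport, me, mport, flags in inbound:
        if flags in ("SA", "R") and (me, mport, peer, pport) not in outbound_syns:
            unsolicited[peer] += 1
    return dict(unsolicited)
```

The per-peer backscatter counts, with timestamps, are the kind of detail an upstream would need to trace the real packet origin, and they also document to the reporting services that the host never initiated those connections.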
On 10.01.2020 19:51:10, Mark Milhollan <mlm at pixelgate.net> wrote:
On Fri, 10 Jan 2020, Octolus Development wrote:

>I run a VPN Business dedicated to protecting clients from DDoS Attacks
>that happen "all day long" on PlayStation Network. We need our VPN to
>work on PSN, all our customers use their service.
>
>They are still investigating the problem, let's see what the results will be.

Does your VPN provide what Sony cares about, which I do not know but
might include things like only exiting CH customers via CH end-points /
proxies so that non-CH (e.g., UK) only content can be blocked -- if not
you may never gain traction with them and even if you do it might be
quite hard to prove to their satisfaction.


/mark