PlayStationNetwork blocking of CGNAT public addresses

Tony Wicks tony at wicks.co.nz
Fri Sep 16 21:40:04 UTC 2016


So the pain has finally flowed down to other parts of the world. (APNIC ran
out of IPs a long time ago, so CGN has been in use here for a lot longer.)
This issue is one I have been dealing with for the last four years. Only
with Sony, no other company has caused such a headache in regard to CGNAT. I
will not go into the long and painful saga of dealing with the constant
issue of Sony putting blocks on random pool addresses, refusing to supply
sufficient information to identify rogue users (timestamp, source IP,
destination IP and port) then telling our customers it is a problem at the
ISP end, but... Something happened about three months ago that proves that
if the Sony technical people want to get off their asses they are perfectly
capable of supplying adequate information to identify a rogue user for the
ISP to deal with. One of the local Sony PSN helpline managers actually
managed to convince one of their technical people to supply a spreadsheet
that magically contained sufficient information to allow us to identify a
couple of users that did indeed have multiple infections. Great I thought,
now if we can just get them to automate/regularly send this info we will
have a way forward. Alas, it appears it was a one off and we are back to the
start. I will quote below what the Sony Network guy said when explaining why
they can't send detailed information every time -


"From: SNEI-NOC-Abuse [mailto:SNEI-NOC-Abuse at am.sony.com]
Sent: Thursday, 11 August 2016 8:38 AM
To: ##me##
Cc: ##helpful Sony guy##
Subject: RE: PSN / Flip Network blocks

Hello,

There is quite a bit of extra computing power required to produce the CSV
file with timestamps and destination IP addresses.  We send out over 6000
emails per day which already takes a significant amount of resources and
time.  We tend to get around 20-30 responses.  Instead of wasting the
resources on all those emails we generate CSV files for those who respond.

We hope you understand.

Thank you for taking action on these."

So there you go, Sony can indeed solve this issue, but apparently a company
that makes computers has insufficient computing power and staff to do so. Oh
and after this, despite being asked many times they have never responded to
requests for the CSV or similar detailed info.




-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Simon Lockhart
Sent: Saturday, 17 September 2016 1:13 AM
To: nanog at nanog.org
Subject: PlayStationNetwork blocking of CGNAT public addresses

All,

We operate an access network with several hundred thousand users.
Increasingly we're putting the users behind CGNAT in order to continue to
give them an IPv4 service (we're all dual-stack, so they all get public IPv6
too). Due to the demographic of our users, many of them are gamers.

We're hitting a problem with PlayStationNetwork 'randomly' blocking some of
our CGNAT outside addresses, because they claim to have received anomalous,
or 'attack' traffic from that IP. This obviously causes problems for the
other legitimate users who end up behind the same public IPv4 address.

Despite numerous attempts to engage with PSN, they are unwilling to give us
any additional information which would allow us to identify the 'rogue'
users on our network, or to identify the 'unwanted' traffic so that we could
either block it, or use it to identify the rogue users ourselves.

Has anyone else come up against the problem, and/or have any suggestions on
how best to resolve it?

Many thanks in advance,

Simon
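
Added example (not part of the original posts, and not either poster's tooling): how an ISP could match one abuse-report row carrying the fields the first message lists (timestamp, source IP, destination IP and port) against CGNAT translation logs. The log layout, column names and all addresses are constructed assumptions; the second call shows why the public IP and timestamp alone leave several subscribers as candidates.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed CGNAT session log, one row per translation (sample data only).
NAT_LOG = """start,end,subscriber_ip,public_ip,public_port,dst_ip,dst_port
2016-08-10T20:00:05,2016-08-10T20:04:10,100.64.1.10,203.0.113.7,10240,198.51.100.20,443
2016-08-10T20:01:30,2016-08-10T20:03:00,100.64.1.22,203.0.113.7,14336,198.51.100.20,443
2016-08-10T20:02:00,2016-08-10T20:02:45,100.64.1.22,203.0.113.7,14337,198.51.100.99,3478
2016-08-10T20:02:10,2016-08-10T20:09:00,100.64.2.5,203.0.113.7,18432,192.0.2.50,80
2016-08-10T21:15:00,2016-08-10T21:16:00,100.64.3.9,203.0.113.7,22528,198.51.100.99,3478
"""

# Constructed abuse report row with the fields the post asks for.
ABUSE_CSV = """timestamp,src_ip,dst_ip,dst_port
2016-08-10T20:02:20,203.0.113.7,198.51.100.99,3478
"""

TS = "%Y-%m-%dT%H:%M:%S"


def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def candidates(report, sessions, skew_s=30, use_destination=True):
    """Return subscriber IPs whose NAT sessions match one abuse-report row.

    skew_s tolerates clock drift between the reporter and the CGNAT logger.
    """
    when = datetime.strptime(report["timestamp"], TS)
    skew = timedelta(seconds=skew_s)
    hits = set()
    for s in sessions:
        if s["public_ip"] != report["src_ip"]:
            continue
        start = datetime.strptime(s["start"], TS) - skew
        end = datetime.strptime(s["end"], TS) + skew
        if not (start <= when <= end):
            continue
        dst = (s["dst_ip"], s["dst_port"])
        if use_destination and dst != (report["dst_ip"], report["dst_port"]):
            continue
        hits.add(s["subscriber_ip"])
    return sorted(hits)


if __name__ == "__main__":
    sessions, report = load(NAT_LOG), load(ABUSE_CSV)[0]
    print("public IP + time only:", candidates(report, sessions, use_destination=False))
    print("with destination IP/port:", candidates(report, sessions))
```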



