TCP-AMP DDoS Attack - Fake abuse reports problem

Octolus Development admin at octolus.net
Thu Feb 20 22:17:45 UTC 2020


A very old attack method called TCP-AMP ( https://pastebin.com/jYhWdgHn ) has been getting really popular recently.

I've been a victim of it multiple times on many of my IPs, and every time it happens my IPs end up getting blacklisted in major big databases. We also receive tons of abuse reports for "Port Scanning".

Example of the reports we're getting:
tcp: 51.81.XX.XX:19342 -> 209.208.XX.XX:80 (SYN_RECV)
tcp: 51.81.XX.XX:14066 -> 209.208.XX.XX:80 (SYN_RECV)

OVH are threatening to kick us off their network because we are victims of this attack, and requesting us to do something about it, despite the fact that there is nothing you can do when you are the victim of a DDoS attack.

Anyone else had any problems with this kind of attack?

The attack basically works like this:
- The attacker scans the internet for TCP services, i.e. port 80.
- The attacker then sends spoofed requests from our IP to these TCP services, which makes the remote service attempt to connect to us to initiate the handshake. This clearly fails.
... Which ends up with hundreds of requests to these services, reporting us for "port flood".
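For the mechanism described in the post, here is an added example (not from the post, OVH or NANOG): a Python check a victim can run over a connection log to separate reflection backscatter (SYN-ACK or RST replies arriving with no matching outbound SYN) from genuine outbound scanning, which is the distinction the abuse reports miss. The log tuple format, the 203.0.113.x / 198.51.100.x addresses and the sample packets are constructed for this example.

```python
"""Spot TCP reflection backscatter in a connection log (added example).

In a TCP reflection attack the attacker spoofs the victim's address in
SYN packets sent to real services; the services' SYN-ACK replies then
land on the victim, which never sent the SYN. From the victim's side the
tell-tale sign is a stream of inbound SYN-ACK/RST packets that match no
outbound SYN. The log format below is constructed for this example.
"""
from collections import Counter

# Victim address; documentation-range placeholder, not a real host.
OUR_IP = "203.0.113.10"

# Constructed sample log: (direction, src, sport, dst, dport, tcp_flags).
# The first two lines are a legitimate handshake we initiated; the rest
# are replies to SYNs we never sent (the attacker spoofed our address).
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", 50001, "198.51.100.7", 443, "S"),
    ("in", "198.51.100.7", 443, "203.0.113.10", 50001, "SA"),
    ("in", "198.51.100.20", 80, "203.0.113.10", 19342, "SA"),
    ("in", "198.51.100.21", 80, "203.0.113.10", 14066, "SA"),
    ("in", "198.51.100.22", 80, "203.0.113.10", 14067, "RA"),
]


def unsolicited_replies(packets, our_ip):
    """Return inbound SYN-ACK/RST replies with no matching outbound SYN.

    Each result is (reflector_ip, reflector_port). A sustained stream of
    these means we are the spoofed victim of TCP reflection, not the
    source of a port scan; this is the evidence to attach to a rebuttal.
    """
    # Remember every SYN we genuinely sent, keyed by the reply we expect.
    sent_syns = set()
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out" and src == our_ip and flags == "S":
            sent_syns.add((dst, dport, sport))
    hits = []
    for direction, src, sport, dst, dport, flags in packets:
        if direction != "in" or dst != our_ip or flags not in ("SA", "RA"):
            continue
        if (src, sport, dport) not in sent_syns:
            hits.append((src, sport))
    return hits


def reflector_port_summary(hits):
    """Count unsolicited replies per reflector service port, e.g. {80: 3}."""
    return Counter(port for _, port in hits)


if __name__ == "__main__":
    found = unsolicited_replies(SAMPLE_PACKETS, OUR_IP)
    print(f"{len(found)} unsolicited replies; by port: {dict(reflector_port_summary(found))}")
```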


