Reaching out to Sony NOC, resolving DDoS Issues - Need POC

Damian Menscher damian at google.com
Mon Jan 27 20:28:55 UTC 2020


One approach would be to trace the true origin of the spoofed packets, and
get it filtered by their upstream.  To that end, can you share some details
of a recent tcp-amp attack?  E.g., the victim IP and a timestamp?

Damian

On Mon, Jan 27, 2020 at 12:06 PM Octolus Development <admin at octolus.net>
wrote:

> Hey everyone, decided to do a small update for those who are interested.
>
> - Sony reached out to me, they whitelisted our IPs temporarily but then
> removed them. We have not heard from them since (10th January).
> - We tracked down the cause of the blacklist, it is happening because we
> are a victim of a TCP-AMP DDoS Attack.
>
> The TCP-AMP Attack works like this:
> - The attacker spoofs our server's IP, to thousands of services running a
> web server on port 80.
> - These web services, then respond back to our server - thinking we're the
> one that made a request.
>
> It seems like hundreds of these web servers that are receiving those
> spoofed requests from our IP run CSF or some kind of firewall system that
> automatically detects many connections to their web server and
> automatically reports it to multiple different services, which ends up in
> us getting blacklisted.
>
> Imperva, which is what Sony uses, is importing blacklists from multiple
> different trusted databases, which is how we're getting banned by Sony,
> which uses Imperva on all their services as their web firewall.
>
> The solution? There isn't really any. We are the victim here, the
> attackers are spoofing attacks from our IPs - and the services that are
> reflecting back to us are reporting us for "attacking" them even though
> the requests are fully spoofed.
>
> On 10.01.2020 19:51:10, Mark Milhollan <mlm at pixelgate.net> wrote:
> On Fri, 10 Jan 2020, Octolus Development wrote:
>
> >I run a VPN Business dedicated to protecting clients from DDoS Attacks
> >that happen "all day long" on PlayStation Network. We need our VPN to
> >work on PSN, all our customers use their service.
> >
> >They are still investigating the problem, let's see what the results will
> >be.
>
> Does your VPN provide what Sony cares about, which I do not know but
> might include things like only exiting CH customers via CH end-points /
> proxies so that non-CH (e.g., UK) only content can be blocked -- if not
> you may never gain traction with them and even if you do it might be
> quite hard to prove to their satisfaction.
>
>
> /mark
>
>
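
The victim-side view of the reflection described in this thread, as an added example that is not part of the original messages: it flags SYN-ACKs from port 80 that answer no SYN the server sent, and reports the victim IP with first and last timestamps, the details requested in the reply above. The record layout, `LOCAL_IPS`, the `min_reflectors` threshold and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

LOCAL_IPS = {"192.0.2.10"}  # assumption: the victim server (documentation address)

# Constructed sample records: (epoch, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE = [
    (1580150000, "192.0.2.10", 40000, "198.51.100.5", 80, "S"),   # SYN we really sent
    (1580150000, "198.51.100.5", 80, "192.0.2.10", 40000, "SA"),  # its solicited reply
    (1580150001, "203.0.113.7", 80, "192.0.2.10", 51515, "SA"),   # answers no SYN of ours
    (1580150002, "203.0.113.7", 80, "192.0.2.10", 51515, "SA"),   # same reflector again
    (1580150002, "203.0.113.9", 80, "192.0.2.10", 51516, "SA"),
    (1580150004, "203.0.113.44", 80, "192.0.2.10", 51517, "SA"),
]

def iso(ts):
    """Epoch seconds to an ISO 8601 UTC string, suitable for an abuse report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def find_reflection(packets, local_ips=LOCAL_IPS, min_reflectors=3):
    """Return {victim_ip: summary} for unsolicited SYN-ACKs arriving from port 80."""
    sent_syn = set()  # 4-tuples of connections this host actually opened
    seen = defaultdict(lambda: {"reflectors": set(), "packets": 0, "times": []})
    # Stable sort by timestamp keeps a SYN ahead of a reply logged in the same second.
    for ts, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if src in local_ips and flags == "S":
            sent_syn.add((src, sport, dst, dport))
        elif dst in local_ips and sport == 80 and flags == "SA":
            if (dst, dport, src, sport) in sent_syn:
                continue  # reply to a SYN we sent, not reflection
            entry = seen[dst]
            entry["reflectors"].add(src)
            entry["packets"] += 1
            entry["times"].append(ts)
    report = {}
    for victim, e in seen.items():
        # Many distinct web servers answering requests we never made is the signal.
        if len(e["reflectors"]) >= min_reflectors:
            report[victim] = {"reflectors": len(e["reflectors"]),
                              "packets": e["packets"],
                              "first": iso(min(e["times"])),
                              "last": iso(max(e["times"]))}
    return report

if __name__ == "__main__":
    for victim, summary in find_reflection(SAMPLE).items():
        print(victim, summary)
```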