Reaching out to Sony NOC, resolving DDoS Issues - Need POC

Tom Beecher beecher at beecher.cc
Tue Jan 28 16:28:55 UTC 2020


Trying to summarize here, this convo has been a bit disjointed.

Is this an accurate summary?

- The malicious traffic with spoofed sources is targeting multiple
different destinations.
- The aggregate of all those flows is causing Imperva to flag your IP
range as a bad actor.
- Sony uses Imperva blacklists, and since Imperva has flagged your space
as bad, Sony is blocking you.

If that is true, my advice would be to go right to Imperva. Explain the
situation, and ask for their assistance in identifying and/or reaching out
to the networks that they are detecting this spoofed traffic coming from.
The backscatter, as Jared said earlier, could probably help you a bit too,
but Imperva should be willing to assist. It's in their best interests to
not have false positives, but who knows.

On Tue, Jan 28, 2020 at 6:17 AM Octolus Development <admin at octolus.net>
wrote:

> The problem is that they are spoofing our IP, to millions of IPs running
> port 80.
> Making upstream providers filter it is quite difficult, I don't know all
> the upstream providers that are used.
>
> The main problem is honestly services that report SYN_RECV as Port Flood,
> but there isn't much one can do about misconfigured firewalls. I am sure
> there is a decent amount of honeypots on the internet acting the same way,
> resulting in us (the victims of the attack) getting blacklisted for 'sending'
> attacks.
>
> On 28.01.2020 05:50:14, "Dobbins, Roland" <roland.dobbins at netscout.com>
> wrote:
>
>
> On Jan 28, 2020, at 11:40, Dobbins, Roland <Roland.Dobbins at netscout.com>
> wrote:
>
> And even if his network weren't on the receiving end of a
> reflection/amplification attack, OP could still see backscatter, as Jared
> indicated.
>
>
> In point of fact, if the traffic was low-volume, this might in fact be
> what he was seeing.
>
> --------------------------------------------
>
> Roland Dobbins <roland.dobbins at netscout.com>
>
>
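
Added example, not part of the original thread: one way the owner of a spoofed range could turn the backscatter mentioned above into evidence for a blacklist operator, by counting inbound SYN-ACK/RST replies that answer no SYN the network actually sent. The record format, the sample lines and the 192.0.2.0/24 "our range" are constructed assumptions, and the capture is assumed to see both directions in time order.

```python
import ipaddress
from collections import Counter

# Constructed sample: "time src_ip src_port dst_ip dst_port tcp_flags", as seen
# at the edge of the network whose addresses are being spoofed.
# 192.0.2.0/24 stands in for "our" range; all addresses are documentation ranges.
SAMPLE = """\
1580190000.10 192.0.2.10 40000 198.51.100.5 80 S
1580190000.15 198.51.100.5 80 192.0.2.10 40000 SA
1580190001.00 203.0.113.7 80 192.0.2.44 51123 SA
1580190001.02 203.0.113.8 80 192.0.2.91 1999 SA
1580190001.05 203.0.113.7 80 192.0.2.44 51124 SA
1580190001.30 203.0.113.9 80 192.0.2.17 33000 RA
"""

def find_backscatter(lines, our_net):
    """Count inbound SYN-ACK/RST replies that answer no SYN we actually sent."""
    net = ipaddress.ip_network(our_net)
    sent = set()             # (local_ip, local_port, remote_ip, remote_port)
    unsolicited = Counter()  # remote responder -> number of orphan replies
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        _, src, sport, dst, dport, flags = parts
        src_ours = ipaddress.ip_address(src) in net
        dst_ours = ipaddress.ip_address(dst) in net
        if src_ours and flags == "S":
            # A genuine outbound connection attempt from our range.
            sent.add((src, sport, dst, dport))
        elif dst_ours and not src_ours and flags in ("SA", "R", "RA"):
            # A reply to us: backscatter if no matching SYN ever left our edge.
            if (dst, dport, src, sport) not in sent:
                unsolicited[src] += 1
    return unsolicited

if __name__ == "__main__":
    for responder, n in find_backscatter(SAMPLE, "192.0.2.0/24").most_common():
        print(f"{responder}\t{n} unsolicited replies")
```

The responders listed are hosts that received SYNs carrying the spoofed source addresses; replies to connections the network really opened are excluded.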