Reaching out to Sony NOC, resolving DDoS Issues - Need POC

Damian Menscher damian at google.com
Wed Jan 29 00:18:32 UTC 2020


I recommend you *not* block the outgoing RST packets, as blocking them will
only make matters worse:
  - it leaves the webservers being abused for reflection in the half-open
SYN_RECV state, which may attract more attention (and blacklisting)
  - retries from those servers will increase the load to your network

Damian

On Tue, Jan 28, 2020 at 1:42 PM Octolus Development <admin at octolus.net>
wrote:

> Yes, my server would then respond with RST.
>
> Screenshot: https://i.imgur.com/ZVti2yY.png
>
> We've blocked outgoing RST, 136.244.67.19 was our test server.
>
> But even if the ip is not even exposed to the internet, services will
> blacklist us. Even if we don't respond, and block every request from the
> internet incoming & outgoing.
>
> On 28.01.2020 22:36:18, "Jean | ddostest.me via NANOG" <nanog at nanog.org>
> wrote:
>
> But you do receive the SYN/ACK?
>
> The way to open a TCP socket is the 3 way handshake. Sorry to write that
> here... I feel it's useless.
>
> 1. SYN
>
> 2. SYN/ACK
>
> 3. ACK
>
> Step 1: So hackers spoof the original SYN with the source IP of your
> network.
>
> Step 2: You should then receive those SYN/ACK packets with your network as
> the dst ip and SONY as the src ip. Can you catch a few and post the TCP
> flags that you see please? (This is step 2)
>
> You don't need sony or imperva for that. Just a sniffer at the right place
> in your network. You won't block anything, but we should see something
> very interesting that will help you fix this.
>
> If it is happening like you are describing, you should see those packets
> and you should be able to capture them.
>
> No worries if you can't.
>
> Jean
> On 2020-01-28 11:31, Octolus Development wrote:
>
> I have tried numerous times to reach out to Imperva.
>
> Imperva said Sony have to contact them & said they cannot help me because
> I am not a customer of theirs.
> Something Sony will not do. Sony simply stopped responding to my emails after
> some time.
>
> But yes you are right.
>
> My IPs are being spoofed, spoofing SYN requests to hundreds of thousands
> of web servers. This then results in a blacklist that Imperva uses,
> which prevents me and my clients from accessing Sony's services, because
> they use Imperva.
>
> On 28.01.2020 17:29:12, Tom Beecher <beecher at beecher.cc> wrote:
> Trying to summarize here, this convo has been a bit disjointed.
>
> Is this an accurate summary?
>
> - The malicious traffic with spoofed sources is targeting multiple
> different destinations.
> - The aggregate of all those flows is causing Imperva to flag your IP
> range as a bad actor.
> - Sony uses Imperva blacklists, and since Imperva has flagged your space
> as bad, Sony is blocking you.
>
> If that is true, my advice would be to go right to Imperva. Explain the
> situation, and ask for their assistance in identifying and/or reaching out
> to the networks that they are detecting this spoofed traffic coming from.
> The backscatter, as Jared said earlier, could probably help you a bit too,
> but Imperva should be willing to assist. It's in their best interests to
> not have false positives, but who knows.
>
> On Tue, Jan 28, 2020 at 6:17 AM Octolus Development <admin at octolus.net>
> wrote:
>
>> The problem is that they are spoofing our IP, to millions of IPs running
>> port 80.
>> Making upstream providers filter it is quite difficult, I don't know all
>> the upstream providers that are used.
>>
>> The main problem is honestly services that report SYN_RECV as Port
>> Flood, but there isn't much one can do about misconfigured firewalls. I am
>> sure there is a decent amount of honeypots on the internet acting the same
>> way, resulting in us (the victims of the attack) getting blacklisted for
>> 'sending' attacks.
>>
>> On 28.01.2020 05:50:14, "Dobbins, Roland" <roland.dobbins at netscout.com>
>> wrote:
>>
>>
>> On Jan 28, 2020, at 11:40, Dobbins, Roland <Roland.Dobbins at netscout.com>
>> wrote:
>>
>> And even if his network weren't on the receiving end of a
>> reflection/amplification attack, OP could still see backscatter, as Jared
>> indicated.
>>
>>
>> In point of fact, if the traffic was low-volume, this might in fact be
>> what he was seeing.
>>
>> --------------------------------------------
>>
>> Roland Dobbins <roland.dobbins at netscout.com>
>>
>>
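Jean's suggestion above, namely capturing the SYN/ACKs that arrive at the victim network and reading their flags, can be turned into a simple backscatter check. The following is an added example, not code from anyone in this thread: it parses minimal IPv4+TCP headers, remembers the SYNs the network itself sent, and counts inbound SYN/ACKs that match no outgoing SYN, grouped by the reflecting server. Packet bytes are constructed here (RFC 5737 documentation addresses stand in for the web servers; 136.244.67.19 is the test server named in the thread).

```python
import struct
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10


def build_pkt(src, dst, sport, dport, flags):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def parse(pkt):
    """Return (src_ip, dst_ip, sport, dport, tcp_flags) from raw IPv4+TCP bytes."""
    ihl = (pkt[0] & 0x0F) * 4                     # IPv4 header length in bytes
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                         # TCP flags byte follows data offset
    return src, dst, sport, dport, flags


def classify_backscatter(outbound, inbound, our_prefix):
    """Split inbound SYN/ACKs into legitimate replies and unsolicited ones.

    outbound: packets this network actually sent (from the capture point).
    inbound:  packets arriving from the Internet.
    A SYN/ACK addressed to us that matches no SYN we sent is a reflection of a
    SYN someone else sent with our address as the spoofed source.
    Returns (Counter of unsolicited SYN/ACKs keyed by reflecting server, legit count).
    """
    sent_syns = set()
    for p in outbound:
        src, dst, sport, dport, flags = parse(p)
        if flags & SYN and not flags & ACK:
            sent_syns.add((src, dst, sport, dport))
    unsolicited, legit = Counter(), 0
    for p in inbound:
        src, dst, sport, dport, flags = parse(p)
        if not dst.startswith(our_prefix) or flags & (SYN | ACK) != (SYN | ACK):
            continue
        if (dst, src, dport, sport) in sent_syns:
            legit += 1
        else:
            unsolicited[src] += 1                 # reflecting web server, not the attacker
    return unsolicited, legit
```

The reflecting servers this reports are victims too, which is Damian's point: answering them with RST (or silently dropping) only changes how long their half-open entries linger, it does not stop the spoofed SYNs that created them.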