Reaching out to Sony NOC, resolving DDoS Issues - Need POC

Jean | ddostest.me jean at ddostest.me
Thu Jan 30 22:08:25 UTC 2020


I'm a bit confused as I thought it was the other way around.

No big deal though. So these SYNs don't have options, which is not normal 
today. It was in the previous millennium. You should see more options.

What you can do is filter SYN based on packet length. 54 bytes is your 
signature here. The hacker is using hping3 or some basic rudimentary tools.

Cheers

Jean

On 2020-01-28 16:41, Octolus Development wrote:
> Yes, my server would then respond with RST.
>
> Screenshot: https://i.imgur.com/ZVti2yY.png
>
> We've blocked outgoing RST, 136.244.67.19 was our test server.
>
> But even if the ip is not even exposed to the internet, services will 
> blacklist us. Even if we don't respond, and block every request from 
> the internet incoming & outgoing.
>>
>> On 28.01.2020 22:36:18, "Jean | ddostest.me via NANOG" 
>> <nanog at nanog.org> wrote:
>>
>> But you do receive the SYN/ACK?
>>
>> The way to open a TCP socket is the 3 way handshake. Sorry to write 
>> that here... I feel it's useless.
>>
>> 1. SYN
>>
>> 2. SYN/ACK
>>
>> 3. ACK
>>
>> Step 1: So hackers spoof the original SYN with your source IP of your 
>> network.
>>
>> Step 2: You should then receive those SYN/ACK packets with your 
>> network as the dst ip and SONY as the src ip. Can you catch a few and 
>> post the TCP flags that you see please? (This is step 2)
>>
>> You don't need sony or imperva for that. Just a sniffer at the right 
>> place in your network. You won't block anything, but we should see 
>> something very interesting that will help you fix this.
>>
>> If it is happening like you are describing, you should see those 
>> packets and you should be able to capture them.
>>
>> No worries if you can't.
>>
>> Jean
>>
>> On 2020-01-28 11:31, Octolus Development wrote:
>>> I have tried numerous times to reach out to Imperva.
>>>
>>> Imperva said Sony have to contact them & said they cannot help me 
>>> because I am not a customer of theirs.
>>> Something Sony will not do. Sony simply stopped responding to my emails 
>>> after some time.
>>>
>>> But yes you are right.
>>>
>>> My IPs are being spoofed, spoofing SYN requests to hundreds of 
>>> thousands of web servers. Which then results in a blacklist, that 
>>> Imperva uses.. which prevents me and my clients from accessing 
>>> Sony's services.. because they use Imperva.
>>>>
>>>> On 28.01.2020 17:29:12, Tom Beecher <beecher at beecher.cc> wrote:
>>>>
>>>> Trying to summarize here, this convo has been a bit disjointed.
>>>>
>>>> Is this an accurate summary?
>>>>
>>>> - The malicious traffic with spoofed sources is targeting multiple 
>>>> different destinations.
>>>> - The aggregate of all those flows is causing Imperva to flag your 
>>>> IP range as a bad actor.
>>>> - Sony uses Imperva blacklists, and since Imperva has flagged 
>>>> your space as bad, Sony is blocking you.
>>>>
>>>> If that is true, my advice would be to go right to Imperva. 
>>>> Explain the situation, and ask for their assistance in identifying 
>>>> and/or reaching out to the networks that they are detecting this 
>>>> spoofed traffic coming from. The backscatter, as Jared said 
>>>> earlier, could probably help you a bit too, but Imperva should be 
>>>> willing to assist. It's in their best interests to not have false 
>>>> positives, but who knows.
>>>>
>>>> On Tue, Jan 28, 2020 at 6:17 AM Octolus Development 
>>>> <admin at octolus.net <mailto:admin at octolus.net>> wrote:
>>>>
>>>>     The problem is that they are spoofing our IP, to millions of
>>>>     IPs running port 80.
>>>>     Making upstream providers filter it is quite difficult, I don't
>>>>     know all the upstream providers that are used.
>>>>
>>>>     The main problem is honestly services that report SYN_RECV as
>>>>     Port Flood, but there isn't much one can do about misconfigured
>>>>     firewalls. I am sure there is a decent amount of honeypots on
>>>>     the internet acting the same way, resulting in us (the victims of
>>>>     the attack) getting blacklisted for 'sending' attacks.
>>>>>
>>>>>     On 28.01.2020 05:50:14, "Dobbins, Roland"
>>>>>     <roland.dobbins at netscout.com
>>>>>     <mailto:roland.dobbins at netscout.com>> wrote:
>>>>>
>>>>>
>>>>>
>>>>>>     On Jan 28, 2020, at 11:40, Dobbins, Roland
>>>>>>     <Roland.Dobbins at netscout.com
>>>>>>     <mailto:Roland.Dobbins at netscout.com>> wrote:
>>>>>>
>>>>>>     And even if his network weren't on the receiving end of a
>>>>>>     reflection/amplification attack, OP could still see
>>>>>>     backscatter, as Jared indicated.
>>>>>
>>>>>     In point of fact, if the traffic was low-volume, this might in
>>>>>     fact be what he was seeing.
>>>>>
>>>>>     --------------------------------------------
>>>>>
>>>>>     Roland Dobbins <roland.dobbins at netscout.com
>>>>>     <mailto:roland.dobbins at netscout.com>>
>>>>>