<div dir="ltr">You're getting hit with something reported as "TCP-AMP" (I'm assuming TCP amplification; not sure what's classifying this for you) on your IP address, and then shortly thereafter that IP address is blocked from Imperva's services? Are the source IP addresses in those "TCP-AMP" attacks Sony IP addresses? That does start to sound like someone is bouncing TCP off of you (send you a SYN with spoofed Sony source IP address; have your devices respond with TCP SYN+ACK). It would still be unwise of Imperva to flag the address, but that could be the mechanism here, perhaps?<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><font face="monospace"><br></font></div><div dir="ltr"><font face="monospace">-- </font></div><div dir="ltr"><font face="monospace">Hugo Slabbert | email, xmpp/jabber: <a href="mailto:hugo@slabnet.com" target="_blank">hugo@slabnet.com</a></font></div><div dir="ltr"><font face="monospace">pgp key: B178313E | also on Signal</font></div></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 8, 2020 at 1:06 PM Octolus Development <<a href="mailto:admin@octolus.net">admin@octolus.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div id="gmail-m_6248871362729317378__MailbirdStyleContent" style="font-size:10pt;font-family:Arial;color:rgb(0,0,0)">
<div style="font-size:13.3333px">The thing is.</div><div style="font-size:13.3333px"><br></div><div style="font-size:13.3333px">I can buy a brand new IP.</div><div style="font-size:13.3333px">It works fine on the websites.</div><div style="font-size:13.3333px"><br></div><div style="font-size:13.3333px">The moment it's hit by a DDoS Attack (TCP-AMP) .. Only 24-48 hours later, it's banned from all Inculpsa's aka Imperva's websites :) so something is horrible done wrong on their end and they're not interested in helping.. neither is Sony.</div><div></div><blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-top:20px;margin-left:0px;padding-left:10px">
<p style="color:rgb(170,170,170);margin-top:10px">On 08.01.2020 20:26:14, Lukas Tribus <<a href="mailto:lists@ltri.eu" target="_blank">lists@ltri.eu</a>> wrote:</p><div style="font-family:Arial,Helvetica,sans-serif">Hello,
<br>
<br>
<br>On Wed, 8 Jan 2020 at 18:26, Octolus Development <u></u> wrote:
<br>>
<br>> The error it displays on both Sony, and Imperva (and whatever websites who uses their protection). So this problem is not with Sony, but rather Imperva blocking IP's wildly.
<br>>
<br>> The IP's are not blocks, it's a single IP and the block/blacklist lifts after 7 days.
<br>>
<br>> Error that appears on those websites, including imperva themself:
<br>> This page can't be displayed. Contact support for additional information.
<br>> The incident ID is: N/A.
<br>
<br>That looks like a WAF, so reflection/spoofing is probably *not* the
<br>reason your IPs ended up on those lists.
<br>
<br>I assume what you see looks similar to what this returns (a request
<br>that looks like a sql injection):
<br>
<br><a href="https://www.imperva.com/bla%20OR%201=1" target="_blank">https://www.imperva.com/bla%20OR%201=1</a>
<br>
<br>
<br>A few of those hits, or crossing a certain threshold per IP (very easy
<br>for CGN IPs), and your IP probably ends up on those lists I guess. And
<br>of course those endpoints are not IPv6 enabled, so behind CGN the end
<br>customers shares his luck with it's neighbors even if everything is
<br>IPv6 enabled.
<br>
<br>
<br>Imperva, is that the "cybersecurity firm" that was breached 6 months ago?
<br>
<br><a href="https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/" target="_blank">https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/</a>
<br>
<br>
<br>
<br>Lukas
<br><u></u></div></blockquote>
</div></div></blockquote></div>