<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>But you do receive the SYN/ACK?</p>
<p>The way to open a TCP socket is the 3-way handshake. Sorry to
write that here... I feel it's useless.</p>
<p>1. SYN</p>
<p>2. SYN/ACK</p>
<p>3. ACK<br>
</p>
<p>Step 1: So hackers spoof the original SYN with a source IP of
your network.<br>
</p>
<p>Step 2: You should then receive those SYN/ACK packets with your
network as the dst ip and SONY as the src ip. Can you catch a few
and post the TCP flags that you see please? (This is step 2) </p>
<p>You don't need sony or imperva for that. Just a sniffer at the
right place in your network. You won't block anything, but we
should see something very interesting that will help you fix
this.<br>
</p>
<p>If it is happening like you are describing, you should see those
packets and you should be able to capture them.<br>
</p>
<p>No worries if you can't. <br>
</p>
<p>Jean<br>
</p>
<div class="moz-cite-prefix">On 2020-01-28 11:31, Octolus
Development wrote:<br>
</div>
<blockquote type="cite"
cite="mid:Mailbird-2659339f-eb77-4bd1-b735-86ea60efac6c@octolus.net">
<div id="__MailbirdStyleContent" style="font-size:
10pt;font-family: Arial;color: #000000"> I have tried numerous
times to reach out to Imperva.
<div><br>
</div>
<div>Imperva said Sony have to contact them &amp; said they
cannot help me because I am not a customer of theirs.</div>
<div>Something Sony will not do. Sony simply stopped responding
to my emails after some time.</div>
<div><br>
</div>
<div>But yes you are right.</div>
<div><br>
</div>
<div>My IPs are being spoofed, spoofing SYN requests to
hundreds of thousands of web servers. Which then results in a
blacklist, that Imperva uses.. which prevents me and my
clients from accessing Sony's services.. because they use
Imperva.</div>
<blockquote class="history_container" type="cite"
style="border-left-style:solid;border-width:1px;
margin-top:20px; margin-left:0px;padding-left:10px;">
<p style="color: #AAAAAA; margin-top: 10px;">On 28.01.2020
17:29:12, Tom Beecher <a class="moz-txt-link-rfc2396E" href="mailto:beecher@beecher.cc">&lt;beecher@beecher.cc&gt;</a> wrote:</p>
<div style="font-family:Arial,Helvetica,sans-serif">
<div dir="ltr">Trying to summarize here, this convo has been
a bit disjointed.
<div><br>
</div>
<div>Is this an accurate summary?</div>
<div><br>
</div>
<div>- The malicious traffic with spoofed sources is
targeting multiple different destinations.</div>
<div>- The aggregate of all those flows is causing
Imperva to flag your IP range as a bad actor. </div>
<div>- Sony uses Imperva blacklists, and since Imperva
has flagged your space as bad, Sony is blocking you. </div>
<div><br>
</div>
<div>If that is true, my advice would be to go right to
Imperva. Explain the situation, and ask for their
assistance in identifying and/or reaching out to the
networks that they are detecting this spoofed traffic
coming from. The backscatter, as Jared said earlier,
could probably help you a bit too, but Imperva should
be willing to assist. It's in their best interests to
not have false positives, but who knows. </div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jan 28, 2020 at
6:17 AM Octolus Development &lt;<a
href="mailto:admin@octolus.net" moz-do-not-send="true">admin@octolus.net</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<div
id="gmail-m_1507539394593624687__MailbirdStyleContent"
style="font-size: 10pt;font-family: Arial;color:
rgb(0,0,0)"> The problem is that they are spoofing
our IP, to millions of IPs running port 80.
<div>Making upstream providers filter it is quite
difficult; I don't know all the upstream providers
that are used. </div>
<div><br>
</div>
<div>The main problem is honestly services that
report SYN_RECV as Port Flood, but there isn't
much one can do about misconfigured firewalls. I am
sure there is a decent amount of honeypots on the
internet acting the same way, resulting in us (the
victims of the attack) getting blacklisted for
'sending' attacks.</div>
<blockquote type="cite"
style="border-left-style:solid;border-width:1px;margin-top:20px;margin-left:0px;padding-left:10px">
<p style="color:rgb(170,170,170);margin-top:10px">On
28.01.2020 05:50:14, "Dobbins, Roland" &lt;<a
href="mailto:roland.dobbins@netscout.com"
target="_blank" moz-do-not-send="true">roland.dobbins@netscout.com</a>&gt;
wrote:</p>
<div
style="font-family:Arial,Helvetica,sans-serif">
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On Jan 28, 2020, at
11:40, Dobbins, Roland &lt;<a
href="mailto:Roland.Dobbins@netscout.com"
target="_blank" moz-do-not-send="true">Roland.Dobbins@netscout.com</a>&gt;
wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">And even if his network weren't
on the receiving end of a
reflection/amplification attack, OP could
still see backscatter, as Jared indicated. </div>
</blockquote>
<br>
<div>In point of fact, if the traffic was
low-volume, this might in fact be what he was
seeing. </div>
<div><br>
</div>
<div>
<p style="margin: 0px;font-stretch:
normal;font-size: 17.4px;line-height:
normal;color: rgb(69,69,69)">
<span style="font-size: 17.41pt">--------------------------------------------</span></p>
<p style="margin: 0px;font-stretch:
normal;font-size: 17.4px;line-height:
normal;color: rgb(69,69,69)">
<span style="font-size: 17.41pt">Roland
Dobbins &lt;<a
href="mailto:roland.dobbins@netscout.com"
target="_blank" moz-do-not-send="true">roland.dobbins@netscout.com</a>&gt;</span></p>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
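<p>Added example, not part of the original thread: a Python version of the check asked for at the top of this message, reading the TCP flags from captured IPv4 packets and listing SYN/ACKs addressed to your network that answer no SYN your own hosts were seen sending. The prefix 192.0.2.0/24, the remote addresses and every packet in SAMPLE are constructed placeholders, and matching against outbound SYNs from the same capture is an assumption about how to separate backscatter from real connections.</p>

```python
import ipaddress
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
MY_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed placeholder prefix

def build(src, dst, sport, dport, flags):
    """Constructed sample packet: bare IPv4 + TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)

def parse(pkt):
    """Return (src, dst, sport, dport, flags) for a raw IPv4 packet carrying TCP."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (pkt[0] & 0x0F) * 4          # IP header length; TCP header starts here
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            sport, dport, pkt[ihl + 13])

def flag_names(flags):
    bits = [("FIN", 0x01), ("SYN", SYN), ("RST", RST),
            ("PSH", 0x08), ("ACK", ACK), ("URG", 0x20)]
    return "/".join(name for name, bit in bits if flags & bit)

def mine(ip):
    return ipaddress.ip_address(ip) in MY_NET

def find_backscatter(packets):
    """List SYN/ACKs sent to MY_NET that answer no SYN seen leaving MY_NET."""
    sent, unsolicited = set(), []
    for pkt in packets:
        src, dst, sport, dport, flags = parse(pkt)
        handshake = flags & (SYN | ACK | RST)
        if mine(src) and handshake == SYN:
            sent.add((src, sport, dst, dport))        # genuine outbound SYN (step 1)
        elif mine(dst) and handshake == (SYN | ACK):  # inbound step 2
            if (dst, dport, src, sport) not in sent:
                unsolicited.append((src, sport, dst, dport, flag_names(flags)))
    return unsolicited

SAMPLE = [  # constructed capture, in arrival order
    build("192.0.2.10", "198.51.100.5", 40000, 443, SYN),
    build("198.51.100.5", "192.0.2.10", 443, 40000, SYN | ACK),
    build("203.0.113.7", "192.0.2.55", 80, 51234, SYN | ACK),
    build("203.0.113.9", "192.0.2.77", 80, 1025, SYN | ACK),
    build("203.0.113.9", "192.0.2.77", 80, 1025, RST),
]
```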
</body>
</html>