<div dir="ltr">I recommend you *not* block the outgoing RST packets, as blocking them will only make matters worse:<div> - it leaves the webservers being abused for reflection in the half-open SYN_RECV state, which may attract more attention (and blacklisting)</div><div> - retries from those servers will increase the load to your network</div><div><br></div><div>Damian</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 28, 2020 at 1:42 PM Octolus Development <<a href="mailto:admin@octolus.net">admin@octolus.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div id="gmail-m_2970829677229915837__MailbirdStyleContent" style="font-size:10pt;font-family:Arial;color:rgb(0,0,0)">
Yes, my server would then respond with RST.<div><br></div><div>Screenshot: <a href="https://i.imgur.com/ZVti2yY.png" target="_blank">https://i.imgur.com/ZVti2yY.png</a></div><div><br></div><div>We've blocked outgoing RST, 136.244.67.19 was our test server.</div><div><br></div><div>But even if the ip is not even exposed to the internet, services will blacklist us. Even if we don't respond, and block every request from the internet incoming & outgoing.</div><div></div><blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-top:20px;margin-left:0px;padding-left:10px">
<p style="color:rgb(170,170,170);margin-top:10px">On 28.01.2020 22:36:18, "Jean | <a href="http://ddostest.me" target="_blank">ddostest.me</a> via NANOG" <<a href="mailto:nanog@nanog.org" target="_blank">nanog@nanog.org</a>> wrote:</p><div style="font-family:Arial,Helvetica,sans-serif">
<p>But you do receive the SYN/ACK?</p>
<p>The way to open a TCP socket is the 3 way handshake. Sorry to
write that here... I feel it's useless.</p>
<p>1. SYN</p>
<p>2. SYN/ACK</p>
<p>3. ACK<br>
</p>
<p>Step 1: So hackers spoof the original SYN with your source IP of
your network.<br>
</p>
<p>Step 2: You should then receive those SYN/ACK packets with your
network as the dst ip and SONY as the src ip. Can you catch a few
and post the TCP flags that you see please? (This is step 2) </p>
<p>You don't need sony or imperva for that. Just a sniffer at the
right place in your network. You won't block anything, but we
should see something very interesting that will help you fix
this.<br>
</p>
<p>If it is happening like you are describing, you should see those
packets and you should be able to capture them.<br>
</p>
<p>No worries if you can't. <br>
</p>
<p>Jean<br>
</p>
<div>On 2020-01-28 11:31, Octolus
Development wrote:<br>
</div>
<blockquote type="cite">
<div id="gmail-m_2970829677229915837__MailbirdStyleContent" style="font-size:10pt;font-family:Arial;color:rgb(0,0,0)"> I have tried numerous
of times to reach out to Imperva.
<div><br>
</div>
<div>Imperva said Sony have to contact them & said they
cannot help me because I am not a customer of theirs.</div>
<div>Something Sony will not do. Sony simply stopped responding
my emails after some time.</div>
<div><br>
</div>
<div>But yes you are right.</div>
<div><br>
</div>
<div>My IP's are being spoofed, spoofing SYN requests to
hundreds of thousands of web servers. Which then results in a
blacklist, that Imperva uses.. which prevents me and my
clients from accessing Sony's services.. because they use
Imperva.</div>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-top:20px;margin-left:0px;padding-left:10px">
<p style="color:rgb(170,170,170);margin-top:10px">On 28.01.2020
17:29:12, Tom Beecher <a href="mailto:beecher@beecher.cc" target="_blank"><beecher@beecher.cc></a> wrote:</p>
<div style="font-family:Arial,Helvetica,sans-serif">
<div dir="ltr">Trying to summarize here, this convo has been
a bit disjointed.
<div><br>
</div>
<div>Is this an accurate summary?</div>
<div><br>
</div>
<div>- The malicious traffic with spoofed sources is
targeting multiple different destinations.</div>
<div>- The aggregate of all those flows is causing
Impervia to flag your IP range as a bad actor. </div>
<div>- Sony uses Impervia blacklists, and since Impervia
has flagged your space as bad, Sony is blocking you. </div>
<div><br>
</div>
<div>If that is true, my advice would be to go right to
Impervia. Explain the situation, and ask for their
assistance in identifying and or/reaching out to the
networks that they are detecting this spoofed traffic
coming from. The backscatter, as Jared said earlier,
could probably help you a bit too, but Impervia should
be willing to assist. It's in their best interests to
not have false positives, but who knows. </div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jan 28, 2020 at
6:17 AM Octolus Development <<a href="mailto:admin@octolus.net" target="_blank">admin@octolus.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div id="gmail-m_2970829677229915837gmail-m_1507539394593624687__MailbirdStyleContent" style="font-size:10pt;font-family:Arial;color:rgb(0,0,0)"> The problem is that they are spoofing
our IP, to millions of IP's running port 80.
<div>Making upstream providers filter it is quite
difficult, i don't know all the upstream providers
are used. </div>
<div><br>
</div>
<div>The main problem is honestly services that
reports SYN_RECV as Port Flood, but there isn't
much one can do about misconfigured firewalls.I am
sure there is a decent amount of honeypots on the
internet acting the same way, resulting us (the
victims of the attack) getting blacklisted for
'sending' attacks.</div>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-top:20px;margin-left:0px;padding-left:10px">
<p style="color:rgb(170,170,170);margin-top:10px">On
28.01.2020 05:50:14, "Dobbins, Roland" <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>>
wrote:</p>
<div style="font-family:Arial,Helvetica,sans-serif">
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On Jan 28, 2020, at
11:40, Dobbins, Roland <<a href="mailto:Roland.Dobbins@netscout.com" target="_blank">Roland.Dobbins@netscout.com</a>>
wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">And even if his network weren't
on the receiving end of a
reflection/amplification attack, OP could
still see backscatter, as Jared indicated. </div>
</blockquote>
<br>
<div>In point of fact, if the traffic was
low-volume, this might in fact be what he was
seeing. </div>
<div><br>
</div>
<div>
<p style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)">
<span style="font-size:17.41pt">--------------------------------------------</span></p>
<p style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)">
<span style="font-size:17.41pt">Roland
Dobbins <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>></span></p>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div></blockquote>
</div></div></blockquote></div>