<div dir="ltr">Trying to summarize here, this convo has been a bit disjointed. <div><br></div><div>Is this an accurate summary?</div><div><br></div><div>- The malicious traffic with spoofed sources is targeting multiple different destinations.</div><div>- The aggregate of all those flows is causing Impervia to flag your IP range as a bad actor. </div><div>- Sony uses Impervia blacklists, and since Impervia has flagged your space as bad, Sony is blocking you. </div><div><br></div><div>If that is true, my advice would be to go right to Impervia. Explain the situation, and ask for their assistance in identifying and or/reaching out to the networks that they are detecting this spoofed traffic coming from. The backscatter, as Jared said earlier, could probably help you a bit too, but Impervia should be willing to assist. It's in their best interests to not have false positives, but who knows. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 28, 2020 at 6:17 AM Octolus Development <<a href="mailto:admin@octolus.net">admin@octolus.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div id="gmail-m_1507539394593624687__MailbirdStyleContent" style="font-size:10pt;font-family:Arial;color:rgb(0,0,0)">
The problem is that they are spoofing our IP, to millions of IP's running port 80.<div>Making upstream providers filter it is quite difficult, i don't know all the upstream providers are used. </div><div><br></div><div>The main problem is honestly services that reports SYN_RECV as Port Flood, but there isn't much one can do about misconfigured firewalls.I am sure there is a decent amount of honeypots on the internet acting the same way, resulting us (the victims of the attack) getting blacklisted for 'sending' attacks.</div><div></div><blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-top:20px;margin-left:0px;padding-left:10px">
<p style="color:rgb(170,170,170);margin-top:10px">On 28.01.2020 05:50:14, "Dobbins, Roland" <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>> wrote:</p><div style="font-family:Arial,Helvetica,sans-serif">
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On Jan 28, 2020, at 11:40, Dobbins, Roland <<a href="mailto:Roland.Dobbins@netscout.com" target="_blank">Roland.Dobbins@netscout.com</a>> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">And even if his network weren't on the receiving end of a reflection/amplification attack, OP could still see backscatter, as Jared indicated. </div>
</blockquote>
<br>
<div>In point of fact, if the traffic was low-volume, this might in fact be what he was seeing. </div>
<div><br>
</div>
<div>
<p style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)">
<span style="font-size:17.41pt">--------------------------------------------</span></p>
<p style="margin:0px;font-stretch:normal;font-size:17.4px;line-height:normal;color:rgb(69,69,69)">
<span style="font-size:17.41pt">Roland Dobbins <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>></span></p>
</div>
</div></blockquote>
</div></div></blockquote></div>