<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta content="text/html;charset=UTF-8" http-equiv="Content-Type"></head><body ><div style='font-size:10pt;font-family:Verdana,Arial,Helvetica,sans-serif;'><div id="message"></div>Not blocking them will drain my outgoing bandwidth.<br id="br3"><br id="br3"><br id="br3"><div id="signature"></div><div id="content"><br> ---- On Wed, 29 Jan 2020 01:18:32 +0100 <b> damian@google.com </b> wrote ----<br><br><blockquote style="border-left: 1px solid rgb(204, 204, 204); padding-left: 6px; margin-left: 5px;"><div><div dir="ltr">I recommend you *not* block the outgoing RST packets, as blocking them will only make matters worse:<div>  - it leaves the webservers being abused for reflection in the half-open SYN_RECV state, which may attract more attention (and blacklisting)</div><div>  - retries from those servers will increase the load to your network</div><div><br></div><div>Damian</div></div><br><div class="x_1416841961gmail_quote"><div dir="ltr" class="x_1416841961gmail_attr">On Tue, Jan 28, 2020 at 1:42 PM Octolus Development <<a href="mailto:admin@octolus.net" target="_blank">admin@octolus.net</a>> wrote:<br></div><blockquote class="x_1416841961gmail_quote" style="margin: 0.0px 0.0px 0.0px 0.8ex;border-left: 1.0px solid rgb(204,204,204);padding-left: 1.0ex;"><div><div id="x_1416841961gmail-m_2970829677229915837__MailbirdStyleContent" style="font-size: 10.0pt;font-family: Arial;color: rgb(0,0,0);">
                                        Yes, my server would then respond with RST.<div><br></div><div>Screenshot: <a href="https://i.imgur.com/ZVti2yY.png" target="_blank">https://i.imgur.com/ZVti2yY.png</a></div><div><br></div><div>We've blocked outgoing RST; 136.244.67.19 was our test server.</div><div><br></div><div>But even if the IP is not even exposed to the internet, services will blacklist us. Even if we don't respond, and block every request from the internet incoming & outgoing.</div><div></div><blockquote style="border-left-style: solid;border-width: 1.0px;margin-top: 20.0px;margin-left: 0.0px;padding-left: 10.0px;">
                        <p style="color: rgb(170,170,170);margin-top: 10.0px;">On 28.01.2020 22:36:18, "Jean | <a href="http://ddostest.me" target="_blank">ddostest.me</a> via NANOG" <<a href="mailto:nanog@nanog.org" target="_blank">nanog@nanog.org</a>> wrote:</p><div style="font-family: Arial, Helvetica, sans-serif;">
    <p>But you do receive the SYN/ACK?</p>
    <p>The way to open a TCP socket is the 3-way handshake. Sorry to
      write that here... I feel it's useless.</p>
    <p>1. SYN</p>
    <p>2. SYN/ACK</p>
    <p>3. ACK<br>
    </p>
    <p>Step 1: So hackers spoof the original SYN with a source IP from
      your network.<br>
    </p>
    <p>Step 2: You should then receive those SYN/ACK packets with your
      network as the dst IP and SONY as the src IP. Can you catch a few
      and post the TCP flags that you see please? (This is step 2) </p>
    <p>You don't need Sony or Imperva for that. Just a sniffer at the
      right place in your network. You won't block anything, but we
      should see something very interesting that will help you fix
      this.<br>
    </p>
    <p>If it is happening like you  are describing, you should see those
      packets and you should be able to capture them.<br>
    </p>
    <p>No worries if you can't. <br>
    </p>
    <p>Jean<br>
    </p>
    <div>On 2020-01-28 11:31, Octolus
      Development wrote:<br>
    </div>
    <blockquote>
      
      <div id="x_1416841961gmail-m_2970829677229915837__MailbirdStyleContent" style="font-size: 10.0pt;font-family: Arial;color: rgb(0,0,0);"> I have tried numerous
        times to reach out to Imperva.
        <div><br>
        </div>
        <div>Imperva said Sony have to contact them & said they
          cannot help me because I am not a customer of theirs.</div>
        <div>Something Sony will not do. Sony simply stopped responding
          to my emails after some time.</div>
        <div><br>
        </div>
        <div>But yes you are right.</div>
        <div><br>
        </div>
        <div>My IPs are being spoofed in SYN requests to
          hundreds of thousands of web servers, which then results in a
          blacklist that Imperva uses, which prevents me and my
          clients from accessing Sony's services, because they use
          Imperva.</div>
        <blockquote style="border-left-style: solid;border-width: 1.0px;margin-top: 20.0px;margin-left: 0.0px;padding-left: 10.0px;">
          <p style="color: rgb(170,170,170);margin-top: 10.0px;">On 28.01.2020
            17:29:12, Tom Beecher <a href="mailto:beecher@beecher.cc" target="_blank"><beecher@beecher.cc></a> wrote:</p>
          <div style="font-family: Arial, Helvetica, sans-serif;">
            <div dir="ltr">Trying to summarize here, this convo has been
              a bit disjointed. 
              <div><br>
              </div>
              <div>Is this an accurate summary?</div>
              <div><br>
              </div>
              <div>- The malicious traffic with spoofed sources is
                targeting multiple different destinations.</div>
              <div>- The aggregate of all those flows is causing
                Imperva to flag your IP range as a bad actor. </div>
              <div>- Sony uses Imperva blacklists, and since Imperva
                has flagged your space as bad, Sony is blocking you. </div>
              <div><br>
              </div>
              <div>If that is true, my advice would be to go right to
                Imperva. Explain the situation, and ask for their
                assistance in identifying and/or reaching out to the
                networks that they are detecting this spoofed traffic
                coming from. The backscatter, as Jared said earlier,
                could probably help you a bit too, but Imperva should
                be willing to assist. It's in their best interests to
                not have false positives, but who knows. </div>
            </div>
            <br>
            <div class="x_1416841961gmail_quote">
              <div dir="ltr" class="x_1416841961gmail_attr">On Tue, Jan 28, 2020 at
                6:17 AM Octolus Development <<a href="mailto:admin@octolus.net" target="_blank">admin@octolus.net</a>>
                wrote:<br>
              </div>
              <blockquote class="x_1416841961gmail_quote" style="margin: 0.0px 0.0px 0.0px 0.8ex;border-left: 1.0px solid rgb(204,204,204);padding-left: 1.0ex;">
                <div>
                  <div id="x_1416841961gmail-m_2970829677229915837gmail-m_1507539394593624687__MailbirdStyleContent" style="font-size: 10.0pt;font-family: Arial;color: rgb(0,0,0);"> The problem is that they are spoofing
                    our IP to millions of IPs running port 80.
                    <div>Making upstream providers filter it is quite
                      difficult; I don't know all the upstream providers
                      that are used. </div>
                    <div><br>
                    </div>
                    <div>The main problem is honestly services that
                      report SYN_RECV as a port flood, but there isn't
                      much one can do about misconfigured firewalls. I am
                      sure there are a decent number of honeypots on the
                      internet acting the same way, resulting in us (the
                      victims of the attack) getting blacklisted for
                      'sending' attacks.</div>
                    <blockquote style="border-left-style: solid;border-width: 1.0px;margin-top: 20.0px;margin-left: 0.0px;padding-left: 10.0px;">
                      <p style="color: rgb(170,170,170);margin-top: 10.0px;">On
                        28.01.2020 05:50:14, "Dobbins, Roland" <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>>
                        wrote:</p>
                      <div style="font-family: Arial, Helvetica, sans-serif;">
                        <div dir="ltr"><br>
                        </div>
                        <div dir="ltr"><br>
                          <blockquote>On Jan 28, 2020, at
                            11:40, Dobbins, Roland <<a href="mailto:Roland.Dobbins@netscout.com" target="_blank">Roland.Dobbins@netscout.com</a>>
                            wrote:<br>
                            <br>
                          </blockquote>
                        </div>
                        <blockquote>
                          <div dir="ltr">And even if his network weren't
                            on the receiving end of a
                            reflection/amplification attack, OP could
                            still see backscatter, as Jared indicated. </div>
                        </blockquote>
                        <br>
                        <div>In point of fact, if the traffic was
                          low-volume, this might in fact be what he was
                          seeing. </div>
                        <div><br>
                        </div>
                        <div>
                          <p style="margin: 0.0px;font-stretch: normal;font-size: 17.4px;line-height: normal;color: rgb(69,69,69);">
                            <span style="font-size: 17.41pt;">--------------------------------------------</span></p>
                          <p style="margin: 0.0px;font-stretch: normal;font-size: 17.4px;line-height: normal;color: rgb(69,69,69);">
                            <span style="font-size: 17.41pt;">Roland
                              Dobbins <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>></span></p>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </blockquote>
            </div>
          </div>
        </blockquote>
      </div>
    </blockquote>
  </div></blockquote>
                                        </div></div></blockquote></div>
</div></blockquote></div></div><br></body></html>
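The capture Jean asks for ("step 2": inbound SYN/ACKs addressed to the victim's prefix, carrying the abused web server as source) and the RST behaviour Damian and Octolus discuss can be checked mechanically. The script below is an added example, not code from the thread or from any of its participants: it labels each packet of a capture as a genuine handshake reply or as SYN/ACK backscatter (a SYN/ACK for which no SYN ever left the network), tallies which servers are being abused as reflectors, and shows the RST a correctly behaving host sends back. The packet records are constructed for the example with RFC 5737 documentation addresses; `192.0.2.0/24` stands in for the poster's real netblock, and the `tcpdump` filter string is the one you would run at the network edge to collect the same thing from live traffic.

```python
"""SYN/ACK backscatter triage for a network whose addresses are being
spoofed in SYN floods (the situation described in the thread above).

Added example, not code from the thread or from any of its participants.
Packet records below are constructed for the example and use RFC 5737
documentation addresses; 192.0.2.0/24 stands in for the victim's prefix.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# TCP flag bits as laid out in the header (same values tcpdump uses).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Assumed victim prefix (stand-in for the poster's real netblock).
OUR_NET = ip_network("192.0.2.0/24")

# Capture filter that isolates inbound SYN/ACKs at the network edge,
# i.e. "step 2" from the thread: replies to SYNs that carried our source.
BPF_FILTER = (
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack) "
    "and dst net 192.0.2.0/24"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_synack(flags):
    return flags & (SYN | ACK) == (SYN | ACK)


def classify(packets):
    """Walk a packet list in capture order and label each packet.

    'outbound'    leaves OUR_NET; its SYNs are remembered as genuine
    'reply'       inbound SYN/ACK matching a SYN we actually sent
    'backscatter' inbound SYN/ACK we never solicited: a server answering
                  a SYN that an attacker spoofed with our address
    'other'       any other inbound packet

    Returns (verdicts, reflectors): verdicts is a list of (Pkt, label);
    reflectors counts backscatter per source address, i.e. the abused
    servers whose operators (or their protection vendor) to contact.
    """
    genuine_syns = set()
    verdicts = []
    reflectors = Counter()
    for p in packets:
        if ip_address(p.src) in OUR_NET:
            if p.flags & SYN and not p.flags & ACK:
                genuine_syns.add((p.src, p.sport, p.dst, p.dport))
            verdicts.append((p, "outbound"))
        elif is_synack(p.flags):
            if (p.dst, p.dport, p.src, p.sport) in genuine_syns:
                verdicts.append((p, "reply"))
            else:
                verdicts.append((p, "backscatter"))
                reflectors[p.src] += 1
        else:
            verdicts.append((p, "other"))
    return verdicts, reflectors


def rst_for(p):
    """The reply a correctly behaving host sends to an unsolicited
    SYN/ACK: a bare RST back to the reflector (RFC 793 reset rules).
    Dropping this RST, as the thread discusses, leaves the reflector's
    connection in SYN_RECV until its own SYN/ACK retransmits time out."""
    return Pkt(src=p.dst, sport=p.dport, dst=p.src, dport=p.sport, flags=RST)


def summarize(packets):
    """Per-label packet counts, for a quick sanity check of a capture."""
    verdicts, _ = classify(packets)
    return Counter(label for _, label in verdicts)


# Constructed sample "capture" (not real traffic).
SAMPLE = [
    Pkt("192.0.2.10", 40000, "198.51.100.5", 443, SYN),        # our own SYN
    Pkt("198.51.100.5", 443, "192.0.2.10", 40000, SYN | ACK),  # genuine reply
    Pkt("203.0.113.7", 80, "192.0.2.10", 51234, SYN | ACK),    # backscatter
    Pkt("203.0.113.8", 80, "192.0.2.11", 51235, SYN | ACK),    # backscatter
    Pkt("203.0.113.7", 80, "192.0.2.12", 51236, SYN | ACK),    # backscatter
    Pkt("203.0.113.9", 80, "192.0.2.10", 51237, RST | ACK),    # not a SYN/ACK
]

if __name__ == "__main__":
    verdicts, reflectors = classify(SAMPLE)
    for p, label in verdicts:
        print(f"{label:11} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"flags=0x{p.flags:02x}")
    print("reflectors:", reflectors.most_common())
    print("capture with: tcpdump -ni eth0 '" + BPF_FILTER + "'")
```

Run against a real capture, the `reflectors` counter is the list of web servers answering spoofed SYNs with the victim's address; the per-packet verdict also makes the point about RSTs concrete, since every `backscatter` packet that is not answered by `rst_for()` is a half-open `SYN_RECV` entry sitting on someone else's server with the victim's IP on it.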