<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>I'm a bit confused as I thought it was the other way around. <br>
    </p>
    <p>No big deal though. So these SYNs don't have options, which is not
      normal today. It was in the previous millennium. You should see
      more options. <br>
    </p>
    <p>What you can do is filter SYN based on packet length. 54 bytes is
      your signature here. The hacker is using hping3 or some basic
      rudimentary tools. <br>
    </p>
    <p>Cheers</p>
    <p>Jean<br>
    </p>
    <div class="moz-cite-prefix">On 2020-01-28 16:41, Octolus
      Development wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:Mailbird-d357a634-a9f7-47d3-a773-be2f271307f3@octolus.net">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div id="__MailbirdStyleContent" style="font-size:
        10pt;font-family: Arial;color: #000000"> Yes, my server would
        then respond with RST.
        <div><br>
        </div>
        <div>Screenshot: <a class="moz-txt-link-freetext" href="https://i.imgur.com/ZVti2yY.png">https://i.imgur.com/ZVti2yY.png</a></div>
        <div><br>
        </div>
        <div>We've blocked outgoing RST, 136.244.67.19 was our test
          server.</div>
        <div><br>
        </div>
        <div>But even if the ip is not even exposed to the internet,
          services will blacklist us. Even if we don't respond, and
          block every request from the internet incoming & outgoing.</div>
        <blockquote class="history_container" type="cite"
          style="border-left-style:solid;border-width:1px;
          margin-top:20px; margin-left:0px;padding-left:10px;">
          <p style="color: #AAAAAA; margin-top: 10px;">On 28.01.2020
            22:36:18, "Jean | ddostest.me via NANOG"
            <a class="moz-txt-link-rfc2396E" href="mailto:nanog@nanog.org"><nanog@nanog.org></a> wrote:</p>
          <div style="font-family:Arial,Helvetica,sans-serif">
            <p>But you do receive the SYN/ACK?</p>
            <p>The way to open a TCP socket is the 3 way handshake.
              Sorry to write that here... I feel it's useless.</p>
            <p>1. SYN</p>
            <p>2. SYN/ACK</p>
            <p>3. ACK<br>
            </p>
            <p>Step 1: So hackers spoof the original SYN with your
              source IP of your network.<br>
            </p>
            <p>Step 2: You should then receive those SYN/ACK packets
              with your network as the dst ip and SONY as the src ip.
              Can you catch a few and post the TCP flags that you see
              please? (This is step 2) </p>
            <p>You don't need sony or imperva for that. Just a sniffer
              at the right place in your network. You won't block
              anything, but we should see something very interesting
              that will help you fix this.<br>
            </p>
            <p>If it is happening like you are describing, you should
              see those packets and you should be able to capture them.<br>
            </p>
            <p>No worries if you can't. <br>
            </p>
            <p>Jean<br>
            </p>
            <div class="moz-cite-prefix">On 2020-01-28 11:31, Octolus
              Development wrote:<br>
            </div>
            <blockquote type="cite"
              cite="mid:Mailbird-2659339f-eb77-4bd1-b735-86ea60efac6c@octolus.net">
              <div id="__MailbirdStyleContent" style="font-size:
                10pt;font-family: Arial;color: #000000"> I have tried
                numerous times to reach out to Imperva.
                <div><br>
                </div>
                <div>Imperva said Sony have to contact them & said
                  they cannot help me because I am not a customer of
                  theirs.</div>
                <div>Something Sony will not do. Sony simply stopped
                  responding to my emails after some time.</div>
                <div><br>
                </div>
                <div>But yes you are right.</div>
                <div><br>
                </div>
                <div>My IP's are being spoofed, spoofing SYN requests to
                  hundreds of thousands of web servers. Which then
                  results in a blacklist, that Imperva uses.. which
                  prevents me and my clients from accessing Sony's
                  services.. because they use Imperva.</div>
                <blockquote class="history_container" type="cite"
                  style="border-left-style:solid;border-width:1px;
                  margin-top:20px; margin-left:0px;padding-left:10px;">
                  <p style="color: #AAAAAA; margin-top: 10px;">On
                    28.01.2020 17:29:12, Tom Beecher <a
                      class="moz-txt-link-rfc2396E"
                      href="mailto:beecher@beecher.cc"
                      moz-do-not-send="true"><beecher@beecher.cc></a>
                    wrote:</p>
                  <div style="font-family:Arial,Helvetica,sans-serif">
                    <div dir="ltr">Trying to summarize here, this convo
                      has been a bit disjointed. 
                      <div><br>
                      </div>
                      <div>Is this an accurate summary?</div>
                      <div><br>
                      </div>
                      <div>- The malicious traffic with spoofed sources
                        is targeting multiple different destinations.</div>
                      <div>- The aggregate of all those flows is causing
                        Imperva to flag your IP range as a bad actor. </div>
                      <div>- Sony uses Imperva blacklists, and since
                        Imperva has flagged your space as bad, Sony is
                        blocking you. </div>
                      <div><br>
                      </div>
                      <div>If that is true, my advice would be to go
                        right to Imperva. Explain the situation, and
                        ask for their assistance in identifying and/or
                        reaching out to the networks that they are
                        detecting this spoofed traffic coming from. The
                        backscatter, as Jared said earlier, could
                        probably help you a bit too, but Imperva should
                        be willing to assist. It's in their best
                        interests to not have false positives, but who
                        knows. </div>
                    </div>
                    <br>
                    <div class="gmail_quote">
                      <div dir="ltr" class="gmail_attr">On Tue, Jan 28,
                        2020 at 6:17 AM Octolus Development <<a
                          href="mailto:admin@octolus.net"
                          moz-do-not-send="true">admin@octolus.net</a>>
                        wrote:<br>
                      </div>
                      <blockquote class="gmail_quote" style="margin:0px
                        0px 0px 0.8ex;border-left:1px solid
                        rgb(204,204,204);padding-left:1ex">
                        <div>
                          <div
                            id="gmail-m_1507539394593624687__MailbirdStyleContent"
                            style="font-size: 10pt;font-family:
                            Arial;color: rgb(0,0,0)"> The problem is
                            that they are spoofing our IP, to millions
                            of IP's running port 80.
                            <div>Making upstream providers filter it is
                              quite difficult; I don't know all the
                              upstream providers that are used. </div>
                            <div><br>
                            </div>
                            <div>The main problem is honestly services
                              that report SYN_RECV as a port flood, but
                              there isn't much one can do about
                              misconfigured firewalls. I am sure there is
                              a decent amount of honeypots on the
                              internet acting the same way, resulting in us
                              (the victims of the attack) getting
                              blacklisted for 'sending' attacks.</div>
                            <blockquote type="cite"
style="border-left-style:solid;border-width:1px;margin-top:20px;margin-left:0px;padding-left:10px">
                              <p
                                style="color:rgb(170,170,170);margin-top:10px">On
                                28.01.2020 05:50:14, "Dobbins, Roland"
                                <<a
                                  href="mailto:roland.dobbins@netscout.com"
                                  target="_blank" moz-do-not-send="true">roland.dobbins@netscout.com</a>>
                                wrote:</p>
                              <div
                                style="font-family:Arial,Helvetica,sans-serif">
                                <div dir="ltr"><br>
                                </div>
                                <div dir="ltr"><br>
                                  <blockquote type="cite">On Jan 28,
                                    2020, at 11:40, Dobbins, Roland <<a
href="mailto:Roland.Dobbins@netscout.com" target="_blank"
                                      moz-do-not-send="true">Roland.Dobbins@netscout.com</a>>
                                    wrote:<br>
                                    <br>
                                  </blockquote>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">And even if his network
                                    weren't on the receiving end of a
                                    reflection/amplification attack, OP
                                    could still see backscatter, as
                                    Jared indicated. </div>
                                </blockquote>
                                <br>
                                <div>In point of fact, if the traffic
                                  was low-volume, this might in fact be
                                  what he was seeing. </div>
                                <div><br>
                                </div>
                                <div>
                                  <p style="margin: 0px;font-stretch:
                                    normal;font-size:
                                    17.4px;line-height: normal;color:
                                    rgb(69,69,69)"> <span
                                      style="font-size: 17.41pt">--------------------------------------------</span></p>
                                  <p style="margin: 0px;font-stretch:
                                    normal;font-size:
                                    17.4px;line-height: normal;color:
                                    rgb(69,69,69)"> <span
                                      style="font-size: 17.41pt">Roland
                                      Dobbins <<a
                                        href="mailto:roland.dobbins@netscout.com"
                                        target="_blank"
                                        moz-do-not-send="true">roland.dobbins@netscout.com</a>></span></p>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                  </div>
                </blockquote>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
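    <p>The two checks the thread talks about, as an added example that is not
      code from the thread or from any of its participants: a small frame
      parser that flags SYNs carrying no TCP options at all (the 54-byte
      frames Jean points at: 14 bytes Ethernet, 20 bytes IP, 20 bytes TCP)
      and SYN/ACKs that land in a prefix for which no SYN was ever sent,
      which is the backscatter of SYNs forged with that prefix as source.
      Every frame is constructed inline with RFC 5737 documentation
      addresses; the protected prefix, the ports and the table of SYNs
      "we" sent are assumptions made for the example, not addresses from
      the thread.</p>

```python
"""Bare-SYN and SYN/ACK-backscatter triage over raw Ethernet frames.

Added example for the thread above, not code from the thread or its
participants. Frames are built here with RFC 5737 documentation addresses;
the protected prefix, ports and the table of SYNs "we" sent are assumptions.
"""
import ipaddress
import struct
from typing import NamedTuple, Optional, Set, Tuple

TCP_SYN, TCP_ACK = 0x02, 0x10


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    tcp_hdr_len: int  # bytes; 20 means no TCP options
    frame_len: int    # bytes on the wire, Ethernet header included


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int,
                options: bytes = b"", seq: int = 0, ack: int = 0) -> bytes:
    """Ethernet + IPv4 + TCP frame (constructed test data). Checksums are left
    at zero because the classifier below never verifies them."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    tcp_hdr_len = 20 + len(options)
    eth = b"\x00" * 12 + b"\x08\x00"                   # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_hdr_len, 0, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (tcp_hdr_len // 4) << 4, flags, 65535, 0, 0) + options
    return eth + ip + tcp


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet/IPv4/TCP; returns None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                 # IP protocol field: 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Packet(str(ipaddress.ip_address(frame[26:30])),
                  str(ipaddress.ip_address(frame[30:34])),
                  sport, dport, tcp[13], (tcp[12] >> 4) * 4, len(frame))


def is_bare_syn(pkt: Packet) -> bool:
    """SYN (not SYN/ACK) with a 20-byte TCP header, i.e. no options at all:
    a 54-byte frame when there are no IP options either. Real stacks send at
    least an MSS option, so this matches packet generators, not real clients."""
    return (pkt.flags & (TCP_SYN | TCP_ACK)) == TCP_SYN and pkt.tcp_hdr_len == 20


def is_backscatter(pkt: Packet, our_net: ipaddress.IPv4Network,
                   outstanding: Set[Tuple[str, int, str, int]]) -> bool:
    """SYN/ACK addressed into our prefix that answers no SYN we sent: the
    reply to a SYN somebody forged with one of our addresses as source."""
    if (pkt.flags & (TCP_SYN | TCP_ACK)) != (TCP_SYN | TCP_ACK):
        return False
    if ipaddress.ip_address(pkt.dst) not in our_net:
        return False
    # key of the SYN we would have had to send: (our ip, our port, peer ip, peer port)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in outstanding


def triage(frames, our_net, outstanding):
    """Count frames per class: the length signature and the backscatter split in one pass."""
    counts = {"bare_syn": 0, "syn_with_options": 0, "backscatter": 0, "other": 0}
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            counts["other"] += 1
        elif is_bare_syn(pkt):
            counts["bare_syn"] += 1
        elif (pkt.flags & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            counts["syn_with_options"] += 1
        elif is_backscatter(pkt, our_net, outstanding):
            counts["backscatter"] += 1
        else:
            counts["other"] += 1
    return counts


# Constructed sample: "our" prefix, one SYN we really sent, and four frames.
OUR_NET = ipaddress.ip_network("192.0.2.0/24")
OUTSTANDING = {("192.0.2.10", 50000, "203.0.113.80", 443)}
MSS_1460 = b"\x02\x04\x05\xb4"                          # TCP option kind 2, len 4, MSS 1460
SAMPLE_FRAMES = [
    build_frame("198.51.100.9", "192.0.2.10", 1234, 80, TCP_SYN),                        # 54-byte bare SYN
    build_frame("198.51.100.7", "192.0.2.10", 40123, 80, TCP_SYN, MSS_1460),             # 58-byte normal SYN
    build_frame("203.0.113.80", "192.0.2.10", 80, 40000, TCP_SYN | TCP_ACK, MSS_1460),   # unsolicited SYN/ACK
    build_frame("203.0.113.80", "192.0.2.10", 443, 50000, TCP_SYN | TCP_ACK, MSS_1460),  # answers our SYN
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        p = parse_frame(frame)
        print(f"{p.frame_len:3d} B {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"flags=0x{p.flags:02x} tcphdr={p.tcp_hdr_len} bare_syn={is_bare_syn(p)}")
    print(triage(SAMPLE_FRAMES, OUR_NET, OUTSTANDING))
```

    <p>The same bare-SYN match as a tcpdump capture filter is
      <code>tcp[tcpflags] &amp; (tcp-syn|tcp-ack) == tcp-syn and tcp[12] &amp; 0xf0 == 0x50</code>
      (data offset 5, i.e. a 20-byte TCP header). One caveat before turning
      the signature into an iptables rule: <code>-m length</code> compares the
      IP total length, which is 40 for such a packet, not the 54-byte frame
      length a sniffer displays. The length says nothing about who sent the
      packet, which is why the SYN/ACK side is the useful capture for the
      spoofed party: the source addresses of the unsolicited SYN/ACKs are the
      hosts being hit with the forged SYNs.</p>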
  </body>
</html>