nanog mailing list archives

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC


From: Damian Menscher via NANOG <nanog () nanog org>
Date: Tue, 28 Jan 2020 16:18:32 -0800

I recommend you *not* block the outgoing RST packets, as blocking them will
only make matters worse:
  - it leaves the webservers being abused for reflection in the half-open
SYN_RECV state, which may attract more attention (and blacklisting)
  - retries from those servers will increase the load to your network

Damian

On Tue, Jan 28, 2020 at 1:42 PM Octolus Development <admin () octolus net>
wrote:

Yes, my server would then respond with RST.

Screenshot: https://i.imgur.com/ZVti2yY.png

We've blocked outgoing RST, 136.244.67.19 was our test server.

But even if the IP is not even exposed to the internet, services will
blacklist us. Even if we don't respond, and block every request from the
internet, incoming & outgoing.

On 28.01.2020 22:36:18, "Jean | ddostest.me via NANOG" <nanog () nanog org>
wrote:

But you do receive the SYN/ACK?

The way to open a TCP socket is the 3 way handshake. Sorry to write that
here... I feel it's useless.

1. SYN

2. SYN/ACK

3. ACK

Step 1: So hackers spoof the original SYN with a source IP from your
network.

Step 2: You should then receive those SYN/ACK packets with your network as
the dst ip and SONY as the src ip. Can you catch a few and post the TCP
flags that you see please? (This is step 2)

You don't need sony or imperva for that. Just a sniffer at the right place
in your network. You won't block anything, but we should see something
very interesting that will help you fix this.

If it is happening like you are describing, you should see those packets
and you should be able to capture them.

No worries if you can't.

Jean
On 2020-01-28 11:31, Octolus Development wrote:

I have tried numerous times to reach out to Imperva.

Imperva said Sony have to contact them & said they cannot help me because
I am not a customer of theirs.
Something Sony will not do. Sony simply stopped responding to my emails
after some time.

But yes you are right.

My IPs are being spoofed, spoofing SYN requests to hundreds of thousands
of web servers. This then results in a blacklist that Imperva uses,
which prevents me and my clients from accessing Sony's services, because
they use Imperva.

On 28.01.2020 17:29:12, Tom Beecher <beecher () beecher cc> wrote:
Trying to summarize here, this convo has been a bit disjointed.

Is this an accurate summary?

- The malicious traffic with spoofed sources is targeting multiple
different destinations.
- The aggregate of all those flows is causing Imperva to flag your IP
range as a bad actor.
- Sony uses Imperva blacklists, and since Imperva has flagged your space
as bad, Sony is blocking you.

If that is true, my advice would be to go right to Imperva. Explain the
situation, and ask for their assistance in identifying and/or reaching out
to the networks that they are detecting this spoofed traffic coming from.
The backscatter, as Jared said earlier, could probably help you a bit too,
but Imperva should be willing to assist. It's in their best interests to
not have false positives, but who knows.

On Tue, Jan 28, 2020 at 6:17 AM Octolus Development <admin () octolus net>
wrote:

The problem is that they are spoofing our IP to millions of IPs running
port 80.
Making upstream providers filter it is quite difficult; I don't know all
the upstream providers that are used.

The main problem is honestly services that report SYN_RECV as a port
flood, but there isn't much one can do about misconfigured firewalls. I am
sure there is a decent amount of honeypots on the internet acting the same
way, resulting in us (the victims of the attack) getting blacklisted for
'sending' attacks.

On 28.01.2020 05:50:14, "Dobbins, Roland" <roland.dobbins () netscout com>
wrote:


On Jan 28, 2020, at 11:40, Dobbins, Roland <Roland.Dobbins () netscout com>
wrote:

And even if his network weren't on the receiving end of a
reflection/amplification attack, OP could still see backscatter, as Jared
indicated.


In point of fact, if the traffic was low-volume, this might in fact be
what he was seeing.

--------------------------------------------

Roland Dobbins <roland.dobbins () netscout com>
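Jean's suggestion above is to sniff at the edge and look at the TCP flags: a reflected attack shows up as SYN/ACK packets arriving for your prefix that answer no SYN your hosts ever sent. The script below is an added example, not code from any participant in this thread. It decodes the flags byte the way a sniffer would print it and separates unsolicited SYN/ACKs (backscatter, counted per reflector) from replies to connections your own hosts opened. The prefix, the "connections we opened" table and the packet records are all constructed from RFC 5737 documentation ranges; in practice the outbound table would come from conntrack or a SYN log and the packets from a capture.

```python
"""Spot SYN/ACK backscatter from spoofed-SYN reflection in a packet sample.

Added example, not from the NANOG thread. The prefix, connection table and
packet records below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK"}


def decode_flags(bits: int) -> str:
    """Render a flags byte the way a sniffer would, e.g. 0x12 -> 'SYN/ACK'."""
    names = [name for bit, name in FLAG_NAMES.items() if bits & bit]
    return "/".join(names) if names else "NONE"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_backscatter(pkt: Packet, our_prefix: ipaddress.IPv4Network,
                   outbound_syns: set) -> bool:
    """True for a SYN/ACK aimed at our prefix that answers no SYN we sent.

    outbound_syns holds (our_ip, our_port, peer_ip, peer_port) 4-tuples for
    connections our own hosts initiated (conntrack / SYN log in practice).
    """
    if ipaddress.ip_address(pkt.dst) not in our_prefix:
        return False
    # Must carry SYN and ACK together, and not be a RST
    if pkt.flags & (SYN | ACK) != (SYN | ACK) or pkt.flags & RST:
        return False
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in outbound_syns


def classify(packets, our_prefix, outbound_syns):
    """Return (Counter of backscatter per reflector IP, count of expected SYN/ACKs)."""
    reflectors = Counter()
    expected = 0
    for pkt in packets:
        if is_backscatter(pkt, our_prefix, outbound_syns):
            reflectors[pkt.src] += 1
        elif pkt.flags & (SYN | ACK) == (SYN | ACK):
            expected += 1
    return reflectors, expected


OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # constructed
# One connection our own host opened (constructed)
OUTBOUND_SYNS = {("203.0.113.10", 40000, "198.51.100.5", 443)}
# Constructed capture: one legitimate reply, three reflections, one RST, one plain SYN
SAMPLE = [
    Packet("198.51.100.5", 443, "203.0.113.10", 40000, SYN | ACK),  # reply we asked for
    Packet("192.0.2.7", 80, "203.0.113.10", 1025, SYN | ACK),       # reflection
    Packet("192.0.2.7", 80, "203.0.113.10", 1026, SYN | ACK),       # reflection
    Packet("192.0.2.9", 80, "203.0.113.55", 2048, SYN | ACK),       # reflection
    Packet("192.0.2.9", 80, "203.0.113.55", 2048, RST | ACK),       # not SYN/ACK
    Packet("198.51.100.77", 5555, "203.0.113.20", 22, SYN),         # ordinary inbound SYN
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{decode_flags(pkt.flags)}]")
    hits, ok = classify(SAMPLE, OUR_PREFIX, OUTBOUND_SYNS)
    print(f"expected SYN/ACK replies: {ok}")
    for ip, n in hits.most_common():
        print(f"reflector {ip}: {n} unsolicited SYN/ACK")
```

The per-reflector counter is the useful output: a long list of web servers each sending a handful of SYN/ACKs to ports your hosts never opened is the signature of your addresses being used as the spoofed source, and those reflector addresses are what you would hand to whoever is tracing the spoofed SYNs upstream.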


