nanog mailing list archives

Re: TCP-AMP DDoS Attack - Fake abuse reports problem


From: Amir Herzberg <amir.lists () gmail com>
Date: Thu, 20 Feb 2020 20:34:03 -0500

If I read your description correctly:

- Attacker sends spoofed TCP SYN from your IP address(es) and different src
ports, to some TCP servers (e.g. port 80)
- TCP servers respond with SYN/ACK; many servers resend the SYN/ACK, hence
amplification.
- *** your system does not respond ***
- Servers may think you're doing SYN-Flood against them, since connection
remains in SYN_RCVD, and hence complain. In fact, we don't really know what
is the goal of the attackers; they may in fact be trying to do SYN-Flood
against these servers, and you're just a secondary victim and not even the
target; that's also possible.

Anyway, is this the case?

If it is... may I ask, do you (or why don't you) respond to the unsolicited
SYN/ACK with RST as per the RFC?

I suspect you don't, maybe due to these packets being dropped by FW/NAT,
that's quite common. But as you should understand by now from my text, this
(non-standard) behavior is NOT recommended. The problem may disappear if
you reconfigure your FW/NAT (or host) to respond with RST to unsolicited
SYN/ACK.

As I explained above, if my conjectures are true, then OVH as well as the
remote servers may have a valid reason to consider you either as the
attacker or as an (unknowing, perhaps) accomplice.

I may be wrong - sorry if so - and would appreciate, in any case, if you
can confirm or clarify, thanks.

-- 
Amir Herzberg

Comcast professor of Security Innovations, University of Connecticut

Homepage: https://sites.google.com/site/amirherzberg/home

Foundations of Cyber-Security (part I: applied crypto, part II:
network-security):
https://www.researchgate.net/project/Foundations-of-Cyber-Security



On Thu, Feb 20, 2020 at 5:23 PM Octolus Development <admin () octolus net>
wrote:

A very old attack method called TCP-AMP ( https://pastebin.com/jYhWdgHn )
has been getting really popular recently.

I've been a victim of it multiple times on many of my IPs and every time
it happens, my IPs end up getting blacklisted in major big databases. We
also receive tons of abuse reports for "Port Scanning".

Example of the reports we're getting:
tcp: 51.81.XX.XX:19342 -> 209.208.XX.XX:80 (SYN_RECV)
tcp: 51.81.XX.XX:14066 -> 209.208.XX.XX:80 (SYN_RECV)

OVH are threatening to kick us off their network, because we are victims
of this attack, and requesting us to do something about it, despite the
fact that there is nothing you can do when you are the victim of a DDoS
attack.

Anyone else had any problems with these kinds of attacks?

The attack basically works like this:
- The attacker scans the internet for TCP services, i.e. port 80.
- The attacker then sends spoofed requests from our IP to these TCP
services, which makes the remote service attempt to connect to us to
initiate the handshake. This clearly fails.
... which ends up with hundreds of requests to these services, reporting us
for "port flood".
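The following is an added simulation, not code from either poster, of the exchange discussed in this thread: spoofed SYNs arrive at a server claiming the victim's address, the server enters SYN_RCVD and retransmits SYN/ACK, and the victim either answers with RST as RFC 793 requires or silently drops the segment. The victim address, port range and retransmission count are assumptions chosen for the model.

```python
"""Constructed model of TCP-AMP backscatter (added example, not from the thread).
Shows why answering an unsolicited SYN/ACK with RST clears the server's
SYN_RCVD entry and stops its retransmissions, while a FW/NAT that drops
the SYN/ACK leaves the entry half-open and multiplies the traffic."""
from dataclasses import dataclass, field

SYNACK_RETRIES = 5     # assumption: SYN/ACK retransmissions before the server gives up
VICTIM = "51.81.0.1"   # constructed placeholder for the spoofed victim address


@dataclass
class Server:
    """Listener on port 80; tracks half-open (SYN_RCVD) connections."""
    half_open: dict = field(default_factory=dict)  # (ip, port) -> expected RCV.NXT
    sent_to_victim: int = 0

    def on_syn(self, src, seq):
        """Spoofed SYN arrives: enter SYN_RCVD and send SYN/ACK to the claimed source."""
        self.half_open[src] = seq + 1
        self.sent_to_victim += 1
        return {"flags": "SYN/ACK", "dst": src, "seq": 4_000_000, "ack": seq + 1}

    def on_rst(self, src, seq):
        """RFC 793: a RST whose SEQ equals RCV.NXT aborts the half-open connection."""
        if self.half_open.get(src) == seq:
            del self.half_open[src]

    def retransmit_synacks(self):
        """One retransmission round for every connection still in SYN_RCVD."""
        self.sent_to_victim += len(self.half_open)


def victim_reply(segment, sends_rst):
    """A conformant host answers a SYN/ACK for a connection it never opened with
    RST, SEQ = SEG.ACK (RFC 793 reset generation). A dropping FW/NAT sends nothing."""
    if segment["flags"] == "SYN/ACK" and sends_rst:
        return {"flags": "RST", "src": segment["dst"], "seq": segment["ack"]}
    return None


def simulate(sends_rst, spoofed_syns=100):
    """Return (segments the victim received, server entries left in SYN_RCVD)."""
    server = Server()
    for i in range(spoofed_syns):                  # attacker varies the source port
        synack = server.on_syn((VICTIM, 10_000 + i), seq=i * 7919)
        reply = victim_reply(synack, sends_rst)
        if reply:
            server.on_rst(reply["src"], reply["seq"])
    for _ in range(SYNACK_RETRIES):
        server.retransmit_synacks()
    return server.sent_to_victim, len(server.half_open)
```

With RST the victim sees one SYN/ACK per spoofed SYN and the server keeps no SYN_RCVD entries to report; with dropping, the victim receives (1 + SYNACK_RETRIES) times as many segments and every entry stays half-open.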
