nanog mailing list archives
Re: TCP-AMP DDoS Attack - Fake abuse reports problem
From: Selphie Keller <selphie.keller () gmail com>
Date: Fri, 21 Feb 2020 04:24:48 -0700
Yeah, this type of attack is a pain in the ass to deal with. The attacker is spoofing your IP addresses to millions of random web servers all over the Internet that see it as a typical SYN flood; those with automated reporting are likely blowing up OVH's abuse@, making a pain for them as well. However, OVH likely could easily check netflow or some other audit means to see your server didn't actually send out SYN packets to these servers. They likely are able to confirm the influx of inbound SYN-ACK packets, which can be up to six depending on the TCP/IP stack of the server. The others are correct: if you send out TCP Reset rejections, you can tear down these bad states on the victim reflector's side to avoid getting retry SYN-ACKs. At this point I would consider whatever IP that you have that's getting attacked as burned; your best bet is to drop those affected subnets and get new ones and avoid getting them exposed to whoever is attacking you. Spoofing issues have been the bane of any operator for years; till all the ASNs are on board with proper anti-spoofing, DDoS abuse of spoofing will be on-going and always an issue.

On Thu, 20 Feb 2020 at 15:18, Octolus Development <admin () octolus net> wrote:
A very old attack method called TCP-AMP ( https://pastebin.com/jYhWdgHn ) has been getting really popular recently. I've been a victim of it multiple times on many of my IPs, and every time it happens, my IPs end up getting blacklisted in major big databases. We also receive tons of abuse reports for "Port Scanning". Example of the reports we're getting:

tcp: 51.81.XX.XX:19342 -> 209.208.XX.XX:80 (SYN_RECV)
tcp: 51.81.XX.XX:14066 -> 209.208.XX.XX:80 (SYN_RECV)

OVH are threatening to kick us off their network because we are victims of this attack, and requesting us to do something about it, despite the fact that there is nothing you can do when you are the victim of a DDoS attack. Anyone else had any problems with these kinds of attacks?

The attack basically works like this:
- The attacker scans the internet for TCP services, i.e. port 80.
- The attacker then sends spoofed requests from our IP to these TCP services, which makes the remote service attempt to connect to us to initiate the handshake. This clearly fails.
...
Which ends up with hundreds of requests to these services, reporting us for "port flood".
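The flow check described in the reply above, as an added example that is not code from this thread, from OVH or from any NANOG participant: it takes NetFlow-style records for the victim's address and separates inbound SYN-ACKs that answer a real outbound SYN from unsolicited ones (the reflection signature), counts the distinct reflectors and SYN-ACK retransmissions, and cross-checks the "tcp: A:p -> B:80 (SYN_RECV)" abuse-report lines against the outbound export. The Flow record layout, the RFC 5737 addresses, the sample flows and report lines, and the reflector threshold are all constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Constructed: the victim's address, taken from the RFC 5737 documentation range.
OUR_IP = "192.0.2.10"


@dataclass(frozen=True)
class Flow:
    """One NetFlow-like record (constructed layout, not a real exporter format)."""
    direction: str  # "in" = towards OUR_IP, "out" = sent by OUR_IP
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # tcpdump letters: S = SYN, A = ACK, R = RST
    packets: int


# Constructed sample export: three reflectors answer a spoofed SYN with repeated
# SYN-ACKs, one legitimate outbound connection and its reply, and one RST we sent
# to tear down a half-open state on a reflector.
SAMPLE_FLOWS = [
    Flow("in", "198.51.100.7", 80, OUR_IP, 19342, "SA", 6),
    Flow("in", "198.51.100.8", 80, OUR_IP, 14066, "SA", 5),
    Flow("in", "203.0.113.21", 443, OUR_IP, 40001, "SA", 6),
    Flow("out", OUR_IP, 51000, "203.0.113.99", 443, "S", 1),   # our real connection
    Flow("in", "203.0.113.99", 443, OUR_IP, 51000, "SA", 1),   # its legitimate reply
    Flow("out", OUR_IP, 19342, "198.51.100.7", 80, "R", 1),    # RST tearing down a reflector state
]

# Constructed report lines in the shape quoted in the thread, naming OUR_IP as the "scanner".
SAMPLE_REPORTS = [
    "tcp: 192.0.2.10:19342 -> 198.51.100.7:80 (SYN_RECV)",
    "tcp: 192.0.2.10:14066 -> 198.51.100.8:80 (SYN_RECV)",
]

REPORT_RE = re.compile(r"tcp:\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)\s+\((\w+)\)")


def parse_report_line(line):
    """Parse one abuse-report line into (src, sport, dst, dport, state); None if it does not match."""
    m = REPORT_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, state = m.groups()
    return (src, int(sport), dst, int(dport), state)


def _outbound_syns(flows, our_ip):
    """(peer, peer_port, our_port) triples for pure SYNs our_ip actually sent."""
    return {
        (f.dst, f.dport, f.sport) for f in flows
        if f.direction == "out" and f.src == our_ip and "S" in f.flags and "A" not in f.flags
    }


def unsolicited_synacks(flows, our_ip=OUR_IP):
    """Inbound SYN-ACK flows with no matching outbound SYN from our_ip.
    A reflection victim shows many of these; a host that really scanned shows none."""
    sent = _outbound_syns(flows, our_ip)
    return [
        f for f in flows
        if f.direction == "in" and f.dst == our_ip and f.flags == "SA"
        and (f.src, f.sport, f.dport) not in sent
    ]


def summarize(flows, our_ip=OUR_IP, reflector_threshold=3):
    """Counts an abuse desk would want before acting on a 'port scan' report."""
    uns = unsolicited_synacks(flows, our_ip)
    reflectors = {f.src for f in uns}
    rst_sent = sum(f.packets for f in flows
                   if f.direction == "out" and f.src == our_ip and "R" in f.flags)
    return {
        "unsolicited_synack_flows": len(uns),
        "distinct_reflectors": len(reflectors),
        "max_synack_packets_per_flow": max((f.packets for f in uns), default=0),
        "rst_sent": rst_sent,
        # threshold is a constructed heuristic, not an operator-agreed value
        "likely_reflection_victim": len(reflectors) >= reflector_threshold,
    }


def cross_check_reports(report_lines, flows, our_ip=OUR_IP):
    """For each report naming our_ip as the scanner, True if our export really holds
    an outbound SYN to the reporter's host:port, False if the SYN must have been spoofed."""
    sent_to = {(peer, port) for peer, port, _ in _outbound_syns(flows, our_ip)}
    verdicts = {}
    for line in report_lines:
        parsed = parse_report_line(line)
        if parsed is None or parsed[0] != our_ip:
            continue
        _, _, reporter, dport, _ = parsed
        verdicts[(reporter, dport)] = (reporter, dport) in sent_to
    return verdicts


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print(cross_check_reports(SAMPLE_REPORTS, SAMPLE_FLOWS))
```

The matching key is (peer, peer port, our ephemeral port): a SYN-ACK that answers our own SYN lines up on all three, a reflected one never does, which is what lets the legitimate 203.0.113.99 reply pass while the three reflector flows are flagged. The per-flow packet count on the unsolicited flows is the retransmission count the reply mentions, and the RST total shows whether the victim is already sending the resets that tear the reflectors' half-open states down.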