nanog mailing list archives

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC


From: "Octolus Development" <admin () octolus net>
Date: Mon, 27 Jan 2020 22:12:18 +0100

It is impossible to find the true origin of where the spoofed attacks are coming from.

I don't have an exact timestamp, because the attacks are really difficult to see as well. As I said, you can block the 
IP from accessing the internet completely. Yet, some services will flag our IP as "port flooding" their service, despite 
the fact that it's fully spoofed.

We received multiple flags at OVH of port flooding.

This was one of the reports we got:
tcp: 51.81.119.7:30364 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:41535 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:1089 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:4433 -> 209.208.32.250:80 (SYN_RECV)

On 27.01.2020 21:29:11, Damian Menscher <damian () google com> wrote:
One approach would be to trace the true origin of the spoofed packets, and get it filtered by their upstream. To that 
end, can you share some details of a recent tcp-amp attack? Eg, the victim IP and a timestamp?

Damian

On Mon, Jan 27, 2020 at 12:06 PM Octolus Development <admin () octolus net [mailto:admin () octolus net]> wrote:

Hey everyone, decided to do a small update for those who are interested.

- Sony reached out to me, they whitelisted our IPs temporarily but then removed them. We have not heard from them 
since (10th January)
- We tracked down the cause of the blacklist, it is happening because we are a victim of a TCP-AMP DDoS Attack.

The TCP-AMP Attack works like this:
- The attacker spoofs our server's IP to thousands of services running a web server on port 80.
- These web services then respond back to our server, thinking we're the one that made a request.

It seems like hundreds of these web servers that are receiving those spoofed requests from our IP run CSF or some 
kind of firewall system that automatically detects many connections to their web server and automatically reports it 
to multiple different services, which ends up in us getting blacklisted.

Imperva, which is what Sony uses, imports blacklists from multiple different trusted databases, which is how 
we're getting banned by Sony, which uses Imperva on all their services as their web firewall.

The solution? There isn't really any. We are the victim here, the attackers are spoofing attacks from our IPs, and 
the services that are reflecting back to us are reporting us for "attacking" them even though the requests are fully 
spoofed.

On 10.01.2020 19:51:10, Mark Milhollan <mlm () pixelgate net> wrote:
On Fri, 10 Jan 2020, Octolus Development wrote:

I run a VPN Business dedicated to protecting clients from DDoS Attacks
that happen "all day long" on PlayStation Network. We need our VPN to
work on PSN, all our customers use their service.

They are still investigating the problem, let's see what the results will be.

Does your VPN provide what Sony cares about, which I do not know but
might include things like only exiting CH customers via CH end-points /
proxies so that non-CH (e.g., UK) only content can be blocked -- if not
you may never gain traction with them and even if you do it might be
quite hard to prove to their satisfaction.


/mark

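The thread describes two views of the same TCP reflection: the reflector's abuse-report lines (half-open SYN_RECV entries from the victim's address on many source ports) and the victim's side (a stream of SYN-ACKs from port 80 that nobody on the victim host asked for). The following is an added example, not code from the thread or from any of the participants; it parses report lines in the format quoted above and flags the victim-side backscatter pattern. The addresses are constructed from RFC 5737 documentation ranges rather than the real ones in the thread, and the report format is assumed to be exactly the `tcp: src:sport -> dst:dport (STATE)` shape shown.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the abuse-report lines quoted in the thread
# (documentation-range addresses, not the ones from the list).
SAMPLE_REPORT = """\
tcp: 192.0.2.10:30364 -> 198.51.100.5:80 (SYN_RECV)
tcp: 192.0.2.10:41535 -> 198.51.100.5:80 (SYN_RECV)
tcp: 192.0.2.10:1089 -> 198.51.100.5:80 (SYN_RECV)
tcp: 192.0.2.10:4433 -> 198.51.100.5:80 (SYN_RECV)
tcp: 203.0.113.7:52010 -> 198.51.100.5:80 (ESTABLISHED)
tcp: 203.0.113.7:52011 -> 198.51.100.5:443 (ESTABLISHED)
tcp: 203.0.113.7:52012 -> 198.51.100.5:80 (ESTABLISHED)
"""

LINE_RE = re.compile(
    r"^tcp:\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\((?P<state>[A-Z_]+)\)$"
)


def parse_report(text):
    """Parse 'tcp: src:sport -> dst:dport (STATE)' lines; skip anything else."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        flows.append(d)
    return flows


def summarize_by_source(flows):
    """Per source address: flow count, distinct source ports, state histogram."""
    per_src = defaultdict(lambda: {"flows": 0, "sports": set(), "states": Counter()})
    for f in flows:
        s = per_src[f["src"]]
        s["flows"] += 1
        s["sports"].add(f["sport"])
        s["states"][f["state"]] += 1
    return per_src


def classify_source(summary, min_flows=3):
    """Reflector-side view. 'half-open-only' means every flow from this source
    stalled in SYN_RECV: the handshake never completed. That is what a reflector
    sees when the SYNs carried a forged source address, but it is also what a
    plain SYN flood from a real host looks like, so it says nothing about who
    actually sent the packets (the point made in the thread)."""
    if summary["flows"] < min_flows:
        return "too-few-flows"
    if set(summary["states"]) == {"SYN_RECV"}:
        return "half-open-only"
    return "has-completed-handshakes"


# Constructed victim-side sample: inbound TCP segments as
# (remote_ip, remote_port, local_port, flags).
SAMPLE_INBOUND = [
    ("198.51.100.5", 80, 30364, "SA"),
    ("198.51.100.6", 80, 41535, "SA"),
    ("198.51.100.7", 80, 1089, "SA"),
    ("203.0.113.50", 443, 52000, "SA"),  # reply to a connection we opened
]
# Connections this host actually initiated, keyed the same way (hypothetical state table).
SAMPLE_SENT_SYNS = {("203.0.113.50", 443, 52000)}


def unsolicited_synacks(inbound, sent_syns):
    """Victim-side view: SYN-ACKs for which this host never sent the matching SYN.
    A steady stream of these from port 80 of many unrelated hosts is the
    backscatter of someone else's SYNs carrying our address."""
    return [
        p for p in inbound
        if p[3] == "SA" and (p[0], p[1], p[2]) not in sent_syns
    ]


if __name__ == "__main__":
    summary = summarize_by_source(parse_report(SAMPLE_REPORT))
    for src, s in summary.items():
        print(src, s["flows"], "flows", len(s["sports"]), "ports", classify_source(s))
    for p in unsolicited_synacks(SAMPLE_INBOUND, SAMPLE_SENT_SYNS):
        print("unsolicited SYN-ACK from", p[0], "port", p[1])
```

On the reflector side the classifier deliberately stops at "half-open-only": a host that only ever sees SYN_RECV entries cannot distinguish a spoofed source from a real one, which is why automated reports built from this state alone end up blacklisting the victim. On the victim side the useful signal is the mismatch between inbound SYN-ACKs and the connections the host itself opened, which is cheap to track from a connection table or flow export.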