nanog mailing list archives

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC


From: Tom Beecher <beecher () beecher cc>
Date: Tue, 28 Jan 2020 11:28:55 -0500

Trying to summarize here, this convo has been a bit disjointed.

Is this an accurate summary?

- The malicious traffic with spoofed sources is targeting multiple
different destinations.
- The aggregate of all those flows is causing Impervia to flag your IP
range as a bad actor.
- Sony uses Impervia blacklists, and since Impervia has flagged your space
as bad, Sony is blocking you.

If that is true, my advice would be to go right to Impervia. Explain the
situation, and ask for their assistance in identifying and/or reaching out
to the networks that they are detecting this spoofed traffic coming from.
The backscatter, as Jared said earlier, could probably help you a bit too,
but Impervia should be willing to assist. It's in their best interests to
not have false positives, but who knows.

On Tue, Jan 28, 2020 at 6:17 AM Octolus Development <admin () octolus net>
wrote:

The problem is that they are spoofing our IP, to millions of IPs running
port 80.
Making upstream providers filter it is quite difficult, I don't know all
the upstream providers that are used.

The main problem is honestly services that report SYN_RECV as Port Flood,
but there isn't much one can do about misconfigured firewalls. I am sure
there is a decent amount of honeypots on the internet acting the same way,
resulting in us (the victims of the attack) getting blacklisted for 'sending'
attacks.

On 28.01.2020 05:50:14, "Dobbins, Roland" <roland.dobbins () netscout com>
wrote:


On Jan 28, 2020, at 11:40, Dobbins, Roland <Roland.Dobbins () netscout com>
wrote:

And even if his network weren't on the receiving end of a
reflection/amplification attack, OP could still see backscatter, as Jared
indicated.


In point of fact, if the traffic was low-volume, this might in fact be
what he was seeing.

--------------------------------------------

Roland Dobbins <roland.dobbins () netscout com>


