Re: TCP-AMP DDoS Attack - Fake abuse reports problem

[Denys Fedoryshchenko <nuclearcat () nuclearcat com>]

Good luck responding to such SYN/ACK, when you get 10+Gbps of them (real 
case happened while ago with colleague).
Sure those SYN/ACK are not from single location, and attackers might use 
whole /24 for SYN spoofing.

On 2020-02-21 03:34, Amir Herzberg wrote:
> If I read your description correctly:
>
> - Attacker sends spoofed TCP SYN from your IP address(es) and
> different src ports, to some TCP servers (e.g. port 80)
> - TCP servers respond with SYN/ACK  ; many servers resend the SYN/ACK
> hence amplification .
> - *** your system does not respond ***
> - Servers may think you're doing SYN-Flood against them, since
> connection remains in SYN_RCVD, and hence complain. In fact, we don't
> really know what is the goal of the attackers; they may in fact be
> trying to do SYN-Flood against these servers, and you're just a
> secondary victim and not the even the target, that's also possible.
>
> Anyway, is this the case?
>
> If it is... may I ask, do you (or why don't you) respond to the
> unsolicited SYN/ACK with RST as per the RFC?
>
> I suspect you don't, maybe due to these packets being dropped by
> FW/NAT, that's quite common. But as you should understand by now from
> my text, this (non-standard) behavior is NOT recommended. The problem
> may disappear if you reconfigure your FW/NAT (or host) to respond with
> RST to unsolicited SYN/ACK.
>
> As I explained above, if my conjectures are true, then OVH as well as
> the remote servers may have a valid reason to consider you either as
> the attacker or as an (unknowning, perhaps) accomplice.
>
> I may be wrong - sorry if so - and would appreciate, in any case, if
> you can confirm or clarify, thanks.
>
> --
> Amir Herzberg
>
> Comcast professor of Security Innovations, University of Connecticut
>
> Homepage: https://sites.google.com/site/amirherzberg/home
>
> Foundations of Cyber-Security (part I: applied crypto, part II:
> network-security):
> https://www.researchgate.net/project/Foundations-of-Cyber-Security
>
> On Thu, Feb 20, 2020 at 5:23 PM Octolus Development
> <admin () octolus net> wrote:
>
> > A very old attack method called TCP-AMP (
> > https://pastebin.com/jYhWdgHn ) has been getting really popular
> > recently.
> >
> > I've been a victim of it multiple times on many of my IP's and every
> > time it happens - My IP's end up getting blacklisted in major big
> > databases. We also receive tons of abuse reports for "Port
> > Scanning".
> >
> > Example of the reports we're getting:
> >
> > tcp: 51.81.XX.XX:19342 -> 209.208.XX.XX:80 (SYN_RECV)
> > tcp: 51.81.XX.XX:14066 -> 209.208.XX.XX:80 (SYN_RECV)
> >
> > OVH are threatening to kick us off their network, because we are
> > victims of this attack. And requesting us to do something about it,
> > despite the fact that there is nothing you can do when you are being
> > victim of an DDoS Attack.
> >
> > Anyone else had any problems with these kind of attacks?
> >
> > The attack basically works like this;
> > - The attacker scans the internet for TCP Services, i.e port 80.
> > - The attacker then sends spoofed requests from our IP to these TCP
> > Services, which makes the remote service attempt to connect to us to
> > initiate the handshake.. This clearly fails.
> > ... Which ends up with hundreds of request to these services,
> > reporting us for "port flood".