nanog mailing list archives

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC


From: Hugo Slabbert <hugo () slabnet com>
Date: Wed, 8 Jan 2020 13:20:59 -0800

You're getting hit with something reported as "TCP-AMP" (I'm assuming TCP
amplification; not sure what's classifying this for you) on your IP
address, and then shortly thereafter that IP address is blocked from
Imperva's services?  Are the source IP addresses in those "TCP-AMP" attacks
Sony IP addresses?  That does start to sound like someone is bouncing TCP
off of you (send you a SYN with spoofed Sony source IP address; have your
devices respond with TCP SYN+ACK).  It would still be unwise of Imperva to
flag the address, but that could be the mechanism here, perhaps?

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E   | also on Signal
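An added example (not from this thread) of how an operator could check their own packet or flow records for the bounce pattern described above: local hosts answering SYNs with SYN+ACKs (and retransmitting them) to remotes that never complete the handshake. The prefix, the sample packets and the threshold are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN+ACK, "A" = ACK (no payload)

# Hypothetical: the operator's own prefix (RFC 5737 documentation space).
LOCAL_PREFIX = "203.0.113."

# Constructed sample. 10.0.0.x stand in for spoofed "victim" sources that never
# ACK; 198.51.100.7 is a real client completing a normal three-way handshake.
SAMPLE = [
    Pkt("10.0.0.1", "203.0.113.5", "S"),
    Pkt("203.0.113.5", "10.0.0.1", "SA"),
    Pkt("203.0.113.5", "10.0.0.1", "SA"),  # retransmit: where the amplification comes from
    Pkt("10.0.0.2", "203.0.113.5", "S"),
    Pkt("203.0.113.5", "10.0.0.2", "SA"),
    Pkt("10.0.0.3", "203.0.113.5", "S"),
    Pkt("203.0.113.5", "10.0.0.3", "SA"),
    Pkt("10.0.0.4", "203.0.113.5", "S"),
    Pkt("203.0.113.5", "10.0.0.4", "SA"),
    Pkt("198.51.100.7", "203.0.113.5", "S"),
    Pkt("203.0.113.5", "198.51.100.7", "SA"),
    Pkt("198.51.100.7", "203.0.113.5", "A"),  # handshake completes: not suspicious
    Pkt("10.0.0.1", "203.0.113.9", "S"),      # one stray SYN: stays below threshold
    Pkt("203.0.113.9", "10.0.0.1", "SA"),
]

def half_open_synacks(pkts):
    """Count SYN+ACKs each local host sent to remotes that never ACKed back."""
    sent = defaultdict(int)
    acked = set()
    for p in pkts:
        if p.src.startswith(LOCAL_PREFIX) and p.flags == "SA":
            sent[(p.src, p.dst)] += 1
        elif p.dst.startswith(LOCAL_PREFIX) and p.flags == "A":
            acked.add((p.dst, p.src))
    return {pair: n for pair, n in sent.items() if pair not in acked}

def suspected_reflectors(pkts, min_remotes=3):
    """Local hosts answering SYNs from many remotes that never finish the
    handshake: the signature of being bounced off by spoofed SYNs."""
    remotes = defaultdict(set)
    for (local, remote), _ in half_open_synacks(pkts).items():
        remotes[local].add(remote)
    return {h: sorted(r) for h, r in remotes.items() if len(r) >= min_remotes}

if __name__ == "__main__":
    for host, victims in suspected_reflectors(SAMPLE).items():
        print(f"{host} sent unanswered SYN+ACKs to {len(victims)} remotes: {victims}")
```

A host flagged this way is being used as a reflector, which is consistent with the "TCP-AMP" classification even though the host itself never initiated anything.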


On Wed, Jan 8, 2020 at 1:06 PM Octolus Development <admin () octolus net>
wrote:

The thing is.

I can buy a brand new IP.
It works fine on the websites.

The moment it's hit by a DDoS Attack (TCP-AMP) .. Only 24-48 hours later,
it's banned from all Incapsula's aka Imperva's websites :) so something is
horribly done wrong on their end and they're not interested in helping..
neither is Sony.

On 08.01.2020 20:26:14, Lukas Tribus <lists () ltri eu> wrote:
Hello,


On Wed, 8 Jan 2020 at 18:26, Octolus Development wrote:

The error displays on both Sony and Imperva (and whatever websites
use their protection). So this problem is not with Sony, but rather
Imperva blocking IPs wildly.

The IPs are not blocks; it's a single IP and the block/blacklist lifts
after 7 days.

Error that appears on those websites, including Imperva themselves:
This page can't be displayed. Contact support for additional
information.
The incident ID is: N/A.

That looks like a WAF, so reflection/spoofing is probably *not* the
reason your IPs ended up on those lists.

I assume what you see looks similar to what this returns (a request
that looks like a SQL injection):

https://www.imperva.com/bla%20OR%201=1


A few of those hits, or crossing a certain threshold per IP (very easy
for CGN IPs), and your IP probably ends up on those lists I guess. And
of course those endpoints are not IPv6 enabled, so behind CGN the end
customer shares his luck with its neighbors even if everything is
IPv6 enabled.


Imperva, is that the "cybersecurity firm" that was breached 6 months ago?


https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/



Lukas
