nanog mailing list archives

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC


From: Damian Menscher via NANOG <nanog () nanog org>
Date: Mon, 27 Jan 2020 12:28:55 -0800

One approach would be to trace the true origin of the spoofed packets, and
get it filtered by their upstream.  To that end, can you share some details
of a recent tcp-amp attack?  E.g., the victim IP and a timestamp?

Damian

On Mon, Jan 27, 2020 at 12:06 PM Octolus Development <admin () octolus net> wrote:

Hey everyone, decided to do a small update for those who are interested.

- Sony reached out to me; they whitelisted our IPs temporarily but then
removed them. We have not heard from them since (10th January).
- We tracked down the cause of the blacklist: it is happening because we
are a victim of a TCP-AMP DDoS Attack.

The TCP-AMP Attack works like this:
- The attacker spoofs our server's IP to thousands of services running a
web server on port 80.
- These web services then respond back to our server, thinking we're the
one that made a request.

It seems like hundreds of these web servers that are receiving those
spoofed requests from our IP run CSF or some kind of firewall system that
automatically detects many connections to their web server and
automatically reports it to multiple different services, which ends up in
us getting blacklisted.

Imperva, which is what Sony uses, is importing blacklists from multiple
different trusted databases, which is how we're getting banned by Sony,
which uses Imperva on all their services as their web firewall.

The solution? There isn't really any. We are the victim here: the
attackers are spoofing attacks from our IPs, and the services that are
reflecting back to us are reporting us for "attacking" them even though
the requests are fully spoofed.

On 10.01.2020 19:51:10, Mark Milhollan <mlm () pixelgate net> wrote:
On Fri, 10 Jan 2020, Octolus Development wrote:

I run a VPN Business dedicated to protecting clients from DDoS Attacks
that happen "all day long" on PlayStation Network. We need our VPN to
work on PSN; all our customers use their service.

They are still investigating the problem, let's see what the results will
be.

Does your VPN provide what Sony cares about, which I do not know but
might include things like only exiting CH customers via CH end-points /
proxies so that non-CH (e.g., UK) only content can be blocked -- if not
you may never gain traction with them and even if you do it might be
quite hard to prove to their satisfaction.


/mark

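The reflected half of the TCP-amp attack described in the thread (SYN-ACKs arriving from many web servers that the victim never contacted) can be picked out of the victim's own flow records, which also yields the reflector list and timestamps that Damian asks for. This is an added illustration, not code from the list or from any poster; the flow tuples and the 203.0.113.10 victim address are constructed samples.

```python
from collections import defaultdict

# Constructed flow records as seen at the victim's border (not from the thread).
# Fields: timestamp, src IP, src port, dst IP, dst port, TCP flags ("S" = SYN, "SA" = SYN-ACK).
OUR_IP = "203.0.113.10"  # assumed victim address (documentation range)
SAMPLE_FLOWS = [
    # a legitimate outbound connection and its reply
    (1000.0, OUR_IP, 40001, "198.51.100.7", 80, "S"),
    (1000.1, "198.51.100.7", 80, OUR_IP, 40001, "SA"),
    # unsolicited SYN-ACKs from several web servers: backscatter from spoofed SYNs
    (1001.0, "192.0.2.1", 80, OUR_IP, 5555, "SA"),
    (1001.0, "192.0.2.2", 80, OUR_IP, 5555, "SA"),
    (1001.1, "192.0.2.3", 80, OUR_IP, 5555, "SA"),
    (1001.1, "192.0.2.4", 443, OUR_IP, 5555, "SA"),
    (1001.2, "192.0.2.1", 80, OUR_IP, 5556, "SA"),
]


def reflection_report(flows, our_ip, min_reflectors=3):
    """Summarise inbound SYN-ACKs that no outbound SYN of ours explains.

    A SYN-ACK is solicited only if we earlier sent a SYN to the same remote
    (ip, port) from the same local port; everything else is reflected traffic
    caused by someone spoofing our address. The report lists the reflectors
    and the time window, which is what an upstream needs to trace the spoofer.
    """
    sent_syns = set()                 # (remote ip, remote port, local port)
    per_reflector = defaultdict(int)  # reflector IP -> unsolicited SYN-ACK count
    first_seen = last_seen = None
    for ts, src, sport, dst, dport, flags in sorted(flows):
        if src == our_ip and flags == "S":
            sent_syns.add((dst, dport, sport))
        elif dst == our_ip and flags == "SA" and (src, sport, dport) not in sent_syns:
            per_reflector[src] += 1
            first_seen = ts if first_seen is None else first_seen
            last_seen = ts
    return {
        "unsolicited": sum(per_reflector.values()),
        "reflectors": sorted(per_reflector),
        "first_seen": first_seen,
        "last_seen": last_seen,
        # many distinct reflectors within the window is the signature of reflection,
        # as opposed to one misbehaving peer
        "alert": len(per_reflector) >= min_reflectors,
    }


if __name__ == "__main__":
    print(reflection_report(SAMPLE_FLOWS, OUR_IP))
```

The legitimate 198.51.100.7 reply is matched to our own SYN and ignored; the four reflectors and the 1001.0 to 1001.2 window are what would go into the report to the upstream.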

