I recommend you *not* block the outgoing RST packets, as blocking them will only make matters worse:

- it leaves the webservers being abused for reflection in the half-open SYN_RECV state, which may attract more attention (and blacklisting)
- retries from those servers will increase the load to your network

Damian

On Tue, Jan 28, 2020 at 1:42 PM Octolus Development <ad...@octolus.net> wrote:
> Yes, my server would then respond with RST.
>
> Screenshot: https://i.imgur.com/ZVti2yY.png
>
> We've blocked outgoing RST; 136.244.67.19 was our test server.
>
> But even if the IP is not even exposed to the internet, services will blacklist us. Even if we don't respond, and block every request from the internet, incoming & outgoing.
>
> On 28.01.2020 22:36:18, "Jean | ddostest.me via NANOG" <nanog@nanog.org> wrote:
>> But you do receive the SYN/ACK?
>>
>> The way to open a TCP socket is the 3-way handshake. Sorry to write that here... I feel it's useless.
>>
>> 1. SYN
>> 2. SYN/ACK
>> 3. ACK
>>
>> Step 1: So hackers spoof the original SYN with your source IP of your network.
>>
>> Step 2: You should then receive those SYN/ACK packets with your network as the dst IP and SONY as the src IP. Can you catch a few and post the TCP flags that you see please? (This is step 2)
>>
>> You don't need Sony or Imperva for that. Just a sniffer at the right place in your network. You won't block anything, but we should see something very interesting that will help you fix this.
>>
>> If it is happening like you are describing, you should see those packets and you should be able to capture them.
>>
>> No worries if you can't.
>>
>> Jean
>>
>> On 2020-01-28 11:31, Octolus Development wrote:
>>> I have tried numerous times to reach out to Imperva.
>>>
>>> Imperva said Sony have to contact them & said they cannot help me because I am not a customer of theirs. Something Sony will not do. Sony simply stopped responding to my emails after some time.
>>>
>>> But yes, you are right.
>>>
>>> My IPs are being spoofed, spoofing SYN requests to hundreds of thousands of web servers. Which then results in a blacklist, that Imperva uses... which prevents me and my clients from accessing Sony's services... because they use Imperva.
>>>
>>> On 28.01.2020 17:29:12, Tom Beecher <beec...@beecher.cc> wrote:
>>>> Trying to summarize here, this convo has been a bit disjointed.
>>>>
>>>> Is this an accurate summary?
>>>>
>>>> - The malicious traffic with spoofed sources is targeting multiple different destinations.
>>>> - The aggregate of all those flows is causing Imperva to flag your IP range as a bad actor.
>>>> - Sony uses Imperva blacklists, and since Imperva has flagged your space as bad, Sony is blocking you.
>>>>
>>>> If that is true, my advice would be to go right to Imperva. Explain the situation, and ask for their assistance in identifying and/or reaching out to the networks that they are detecting this spoofed traffic coming from. The backscatter, as Jared said earlier, could probably help you a bit too, but Imperva should be willing to assist. It's in their best interests to not have false positives, but who knows.
>>>>
>>>> On Tue, Jan 28, 2020 at 6:17 AM Octolus Development <ad...@octolus.net> wrote:
>>>>> The problem is that they are spoofing our IP, to millions of IPs running port 80.
>>>>> Making upstream providers filter it is quite difficult; I don't know all the upstream providers that are used.
>>>>>
>>>>> The main problem is honestly services that report SYN_RECV as Port Flood, but there isn't much one can do about misconfigured firewalls. I am sure there is a decent amount of honeypots on the internet acting the same way, resulting in us (the victims of the attack) getting blacklisted for 'sending' attacks.
>>>>>
>>>>> On 28.01.2020 05:50:14, "Dobbins, Roland" <roland.dobb...@netscout.com> wrote:
>>>>>> On Jan 28, 2020, at 11:40, Dobbins, Roland <roland.dobb...@netscout.com> wrote:
>>>>>>> And even if his network weren't on the receiving end of a reflection/amplification attack, OP could still see backscatter, as Jared indicated.
>>>>>>
>>>>>> In point of fact, if the traffic was low-volume, this might in fact be what he was seeing.
>>>>>>
>>>>>> Roland Dobbins <roland.dobb...@netscout.com>
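Jean's suggestion of sniffing rather than blocking, as an added worked example (not code from anyone in this thread): given edge-capture records, it separates SYN/ACKs that answer a SYN this network actually sent from unsolicited SYN/ACKs, which are backscatter from SYNs someone spoofed with our source address, and tallies them per reflecting host. The prefix 192.0.2.0/24 and the packet records are constructed for the example.

```python
"""Classify captured TCP handshake packets to surface SYN/ACK backscatter."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical prefix of the network whose addresses are being spoofed.
OUR_PREFIX = ip_network("192.0.2.0/24")

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


def is_ours(addr):
    return ip_address(addr) in OUR_PREFIX


def classify(packets):
    """Return ({reflector_ip: unsolicited SYN/ACK count}, legitimate SYN/ACK count).

    A SYN/ACK arriving from outside is only legitimate if this network sent the
    matching SYN first (same 4-tuple, reversed). Any other inbound SYN/ACK is a
    server replying to a SYN that carried our address as a spoofed source.
    """
    outbound_syns = set()
    backscatter = Counter()
    legit = 0
    for src, sport, dst, dport, flags in packets:
        if is_ours(src) and flags & SYN and not flags & ACK:
            outbound_syns.add((src, sport, dst, dport))  # our own connection attempts
        elif is_ours(dst) and flags & SYN and flags & ACK:
            if (dst, dport, src, sport) in outbound_syns:
                legit += 1
            else:
                backscatter[src] += 1  # reflector's SYN/ACK we never asked for
        # Our RST replies (flags & RST) close the reflector's half-open state;
        # they are not evidence of anything and are ignored here.
    return dict(backscatter), legit


# Constructed capture: (src, sport, dst, dport, flags) as a sniffer would yield.
SAMPLE_PACKETS = [
    ("192.0.2.10", 40000, "203.0.113.5", 443, SYN),          # our real outbound SYN
    ("203.0.113.5", 443, "192.0.2.10", 40000, SYN | ACK),    # legitimate SYN/ACK
    ("198.51.100.7", 80, "192.0.2.44", 51515, SYN | ACK),    # backscatter
    ("192.0.2.44", 51515, "198.51.100.7", 80, RST),          # our RST to it
    ("198.51.100.7", 80, "192.0.2.45", 51516, SYN | ACK),    # backscatter
    ("198.51.100.9", 80, "192.0.2.44", 51517, SYN | ACK),    # backscatter
]


def analyze_sample():
    return classify(SAMPLE_PACKETS)


if __name__ == "__main__":
    reflectors, legit = analyze_sample()
    print(f"legitimate SYN/ACKs: {legit}")
    for host, n in sorted(reflectors.items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} unsolicited SYN/ACK(s)")
```

The per-reflector tally is what you would hand to a provider or to Imperva as evidence that the SYNs were never sent from your network.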