I'm a bit confused as I thought it was the other way around.
No big deal though. So these SYNs don't have options, which is not normal
today. It was in the previous millennium. You should see more options.
What you can do is filter SYN based on packet length. 54 bytes is your
signature here. The
Not blocking them will drain my outgoing bandwidth.
On Wed, 29 Jan 2020 01:18:32 +0100 dam...@google.com wrote
I recommend you *not* block the outgoing RST packets, as blocking them will
only make matters worse:
- it leaves the webservers being abused for reflection in the half-o
I recommend you *not* block the outgoing RST packets, as blocking them will
only make matters worse:
- it leaves the webservers being abused for reflection in the half-open
SYN_RECV state, which may attract more attention (and blacklisting)
- retries from those servers will increase the load to
Yes, my server would then respond with RST.
Screenshot: https://i.imgur.com/ZVti2yY.png
We've blocked outgoing RST, 136.244.67.19 was our test server.
But even if the IP is not even exposed to the internet, services will blacklist
us. Even if we don't respond, and block every request from the i
But you do receive the SYN/ACK?
The way to open a TCP socket is the 3 way handshake. Sorry to write that
here... I feel it's useless.
1. SYN
2. SYN/ACK
3. ACK
Step 1: So hackers spoof the original SYN with your source IP of your
network.
Step 2: You should then receive those SYN/ACK pack
I have tried numerous times to reach out to Imperva.
Imperva said Sony have to contact them & said they cannot help me because I am
not a customer of theirs.
Something Sony will not do. Sony simply stopped responding to my emails after some
time.
But yes you are right.
My IP's are being spoofe
Trying to summarize here, this convo has been a bit disjointed.
Is this an accurate summary?
- The malicious traffic with spoofed sources is targeting multiple
different destinations.
- The aggregate of all those flows is causing Imperva to flag your IP
range as a bad actor.
- Sony uses Imperva
Maybe we're looking at the wrong place when dealing with TCP amp. I
believe there is a much easier way to solve this.
@OP: can you post the TCP flags of the SYN/ACK you are receiving from Sony?
Thanks
Jean
On 2020-01-27 20:49, Damian Menscher via NANOG wrote:
On Mon, Jan 27, 2020 at 5:43 PM Tö
On 28 Jan 2020, at 18:15, Octolus Development wrote:
> The problem is that they are spoofing our IP, to millions of IP's
> running port 80.
So that does in fact sound like a TCP reflection/amplification attack.
If you have the relevant information, as it seems that you do, you can
ask operat
The problem is that they are spoofing our IP, to millions of IP's running port
80.
Making upstream providers filter it is quite difficult, I don't know all the
upstream providers that are used.
The main problem is honestly services that report SYN_RECV as Port Flood, but
there isn't much one can d
On Jan 28, 2020, at 11:40, Dobbins, Roland wrote:
And even if his network weren't on the receiving end of a
reflection/amplification attack, OP could still see backscatter, as Jared
indicated.
In point of fact, if the traffic was low-volume, this might in fact be what he
was seeing.
-
On Jan 28, 2020, at 07:39, Mike Hammett wrote:
If someone is being spoofed, they aren't receiving the spoofed packets. How are
they supposed to collect anything on the attack?
OP stated that *his own network* was being packeted with a TCP
reflection/amplification attack.
This means that if h
Peace,
On Tue, Jan 28, 2020, 4:49 AM Damian Menscher wrote:
> They don't need to filter by destination. Once a problem customer has
> been identified, they can apply an ACL restricting them to only originate
> IPs they own.
>
> [..]
>
there are ways around that, including public shaming (here)
On Mon, Jan 27, 2020 at 5:43 PM Töma Gavrichenkov wrote:
> On Tue, Jan 28, 2020, 4:32 AM Damian Menscher wrote:
>
>> On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov
>> wrote:
>>
>>> If this endpoint doesn't connect to anything outside of their network,
>>> then yes.
>>> If it does though, the
Peace,
On Tue, Jan 28, 2020, 4:42 AM Töma Gavrichenkov wrote:
> As for the detection of the real source, everything is technically
> possible but you need certain bargaining power which a medium-sized (at
> best) VPN service probably doesn't have.
>
...because if they *did* have some, they coul
-> Sony -> Real Octolus.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> From: "Roland Dobbins"
> To: "Octolus Development"
> Cc:
Peace,
On Tue, Jan 28, 2020, 4:32 AM Damian Menscher wrote:
> On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov
> wrote:
>
>> If this endpoint doesn't connect to anything outside of their network,
>> then yes.
>> If it does though, the design of the filter might become more complicated.
>>
>
>
On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov wrote:
> On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG
> wrote:
>
>> The victim already posted the signature to this thread:
>> - source IP: 51.81.119.7
>> - protocol: 6 (tcp)
>> - tcp_flags: 2 (syn)
>>
>> That alone is sufficient
Peace,
On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG
wrote:
> The victim already posted the signature to this thread:
> - source IP: 51.81.119.7
> - protocol: 6 (tcp)
> - tcp_flags: 2 (syn)
>
> That alone is sufficient for Level3/CenturyLink/etc to identify the source
> of this a
Peace,
On Tue, Jan 28, 2020, 3:43 AM Ben Cannon wrote:
> Transit carriers could work the flows backwards.
>
And if the stars align, some of them might even do that for you once even
though you are not their direct customer.
Next you're going to convince them to talk to the (probably abuse
resi
"Roland Dobbins", "NANOG Operators'
> Group"
> *Sent: *Monday, January 27, 2020 6:40:25 PM
> *Subject: *Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
>
> Transit carriers could work the flows backwards.
>
> -Ben Cannon
> CEO 6x7 Networ
tt"
Cc: "Roland Dobbins" , "NANOG Operators' Group"
Sent: Monday, January 27, 2020 6:40:25 PM
Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
Transit carriers could work the flows backwards.
-Ben Cannon
CEO 6x7 Networks & 6x7 Tele
>
> Midwest-IX
> http://www.midwest-ix.com
>
> From: "Roland Dobbins" <roland.dobb...@netscout.com>
> To: "Octolus Development" <ad...@octolus.net>
> Cc: "Heather Schiller via NANOG" m
st-IX
http://www.midwest-ix.com
- Original Message -
From: "Roland Dobbins"
To: "Octolus Development"
Cc: "Heather Schiller via NANOG"
Sent: Monday, January 27, 2020 6:29:16 PM
Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
On Jan 28, 2020, at 04:12, Octolus Development wrote:
I don't have an exact timestamp, because the attacks are really difficult to
see as well.
If you implement an open-source flow telemetry collection system & export flow
telemetry from your edge routers to it, this becomes trivial.
See th
On Jan 28, 2020, at 04:12, Octolus Development wrote:
It is impossible to find the true origin of where the spoofed attacks are
coming from.
This is demonstrably untrue.
If you provide the requisite information to operators, they can look through
their flow telemetry collection/analysis sys
It is impossible to find the true origin of where the spoofed attacks are
coming from.
I don't have an exact timestamp, because the attacks are really difficult to
see as well. As I said, you can block the IP from accessing internet
completely. Yet, some services will flag our IP as "port flood
One approach would be to trace the true origin of the spoofed packets, and
get it filtered by their upstream. To that end, can you share some details
of a recent tcp-amp attack? Eg, the victim IP and a timestamp?
Damian
On Mon, Jan 27, 2020 at 12:06 PM Octolus Development
wrote:
> Hey everyon
Hey everyone, decided to do a small update for those who are interested.
- Sony reached out to me, they whitelisted our IP's temporarily but then
removed them. We have not heard from them since (10th January)
- We tracked down the cause of the blacklist, it is happening because we are a
victim o
That's not what this thread is about, nor why it is blacklisted. There is
an exploit (DDoS) that will ban even home connections from their networks.
On 10.01.2020 19:51:10, Mark Milhollan wrote:
On Fri, 10 Jan 2020, Octolus Development wrote:
>I run a VPN Business dedicated to protecting cli
On Fri, 10 Jan 2020, Octolus Development wrote:
I run a VPN Business dedicated to protecting clients from DDoS Attacks
that happen "all day long" on PlayStation Network. We need our VPN to
work on PSN, all our customers use their service.
They are still investigating the problem, let's see
Exactly that.
I run a VPN Business dedicated to protecting clients from DDoS Attacks that
happen "all day long" on PlayStation Network. We need our VPN to work on PSN,
all our customers use their service.
They are still investigating the problem, let's see what the results will be.
On 10.01.2
On Thu, Jan 9, 2020, at 00:05, Keith Medcalf wrote:
>
> On Wednesday, 8 January, 2020 14:35. Octolus Development
> wrote:
>
> Stop doing business with Criminal Organizations (SONY). Problem solved.
You (as a provider) may not do any business with them, but your customers may,
and will yel
On Wednesday, 8 January, 2020 14:35. Octolus Development
wrote:
>Sony are currently "looking into it" but they do not seem to care much. I
>am a customer of Sony, I own PlayStation consoles and I am not able to
>access their service. They tell me to change my IP instead of solving the
>actual
No, that is not why.
We deployed a brand new IP, and it was banned 24-48 hours after the DDoS Attack
hit. The other IP that was never attacked never got banned. We've tracked
down the issue and confirmed it is the DDoS Attack coming from Akamai and
Imperva's IP's that are banning us from
Peace,
Hey, your website says you're the developer of OctoVPN which is a VPN
solution.
*This* might effectively be the reason for blocking, not a DDoS. Gaming and
streaming services typically discourage VPN traffic because a) VPNs help to
circumvent regional restrictions, b) miscreants use VPNs t
You're getting hit with something reported as "TCP-AMP" (I'm assuming TCP
amplification; not sure what's classifying this for you) on your IP
address, and then shortly thereafter that IP address is blocked from
Imperva's services? Are the source IP addresses in those "TCP-AMP" attacks
Sony IP addr
The thing is.
I can buy a brand new IP.
It works fine on the websites.
The moment it's hit by a DDoS Attack (TCP-AMP) .. Only 24-48 hours later, it's
banned from all Incapsula's aka Imperva's websites :) so something is horribly
done wrong on their end and they're not interested in helping.. nei
Hello,
On Wed, 8 Jan 2020 at 18:26, Octolus Development wrote:
>
> The error it displays on both Sony, and Imperva (and whatever websites
> use their protection). So this problem is not with Sony, but rather Imperva
> blocking IP's wildly.
>
> The IP's are not blocks, it's a single IP and
The error it displays on both Sony, and Imperva (and whatever websites use
their protection). So this problem is not with Sony, but rather Imperva
blocking IP's wildly.
The IP's are not blocks, it's a single IP and the block/blacklist lifts after 7
days.
Error that appears on those webs
Hello,
On Wed, 8 Jan 2020 at 16:53, Octolus Development wrote:
> But here's the funny part, when connecting to their own website imperva.com
> from those IP's -- we are getting the exactly same error code that Sony are
> returning.
And what error code / full error is that *exactly*?
I assumed
Tracked it down.
Sony are using "Imperva" which is former Incapsula.
The IP's that were attacked by this DDoS Attack, have been added to their
threatradar, their phone support (Imperva) literally hangs up the call when you
try to question if they can provide more information about why the IP's a
>
> Well, in almost any* case blacklisting reflection vectors by IP is an
> insanely bad practice.
> * — I can *think* of a use case when this could be an appropriate solution
> (I recall Netscout/Arbor once had such a use case), but in the overwhelming
> majority of incidents it is absolutely not,
Peace,
On Tue, Jan 7, 2020 at 9:10 PM Hugo Slabbert wrote:
> And you're sure that you are the reflection target not the reflection vector?
NB: I have just checked the IP addresses the OP has provided me with
(offlist) against our database of known reflection sources, and I
confirm that none of t
No, that's only for "Account Takeover".. And those problems we've solved. Those
were false reports, and we got whitelisted.
However with this issue? They decide to completely ignore the emails, it seems
like we're being either spoofed or people are attacking us with Sony's IP
space. What happens,
Peace,
On Tue, Jan 7, 2020, 9:10 PM Hugo Slabbert wrote:
> And you're sure that you are the reflection target not the reflection
> vector?
>
Well, in almost any* case blacklisting reflection vectors by IP is an
insanely bad practice.
* — I can *think* of a use case when this could be an approp
To be fair they do contact you. It's an automated process that's done
daily and it has a light amount of information.
The rest is totally accurate - the Playstation network stuff is an absolute
joke (think back to how they were down for MONTHS).
Josh Luthman
Office: 937-552-2340
Direct: 937-552-
Good luck! I’ve dealt with such PSN IP blocking issues for several years and
have found that Sony is the absolute worst possible gaming/content provider
I’ve ever dealt with. One company I worked at had to threaten legal action as
PSN would block CGN IPv4 addresses on their network and then tell
And you're sure that you are the reflection target not the reflection
vector?
As in it's definitely the case that you are the *target* here (your IP
addresses are being spoofed, and the reflection attack is hitting you)
rather than that someone is abusing endpoints in your network, i.e.
reflecting
Peace,
On Mon, Jan 6, 2020, 9:27 PM Octolus Development wrote:
> We're facing some reflected DDoS attacks, where the source address is
> spoofed to appear to be our IPs, and as a result getting blacklisted.
> Sony's support has told us to "change IPs"
>
Wait, are they blacklisting spoofed IP(v4
Went through this last year. They simply didn't do anything productive.
You have to change IPs if you want a quick resolution. They should email
the POC for the IP (I think towards the end of the day) as to what happened
and I believe a time frame when it will get resolved.
Hopefully someone wit