I keep getting Account Takeover Attempt abuses on my Tor exit, and I'm
not sure how to handle them:

It is most likely the attack traffic is directed at one of the following
endpoints:

account.sonyentertainmentnetwork.com
auth.np.ac.playstation.net
auth.api.sonyentertainmentnetwork.com
auth.api.np.ac.playstation.net

These endpoints on our network are resolved by Geo DNS, so the IP addresses
they resolve to will depend on the originating IP address.
The destination port will be TCP 443.

I used 'dig' and 'ping' to see what IP addresses the 4 endpoints resolved
to, and blocked the resulting addresses, but I'm still getting the
abuse. The Whois records show Sony and PSN owning 63.x.x.x, 64.x.x.x,
68.x.x.x, and 108.x.x.x addresses, but the websites above resolve to
23.x.x.x, so either the lists are incomplete or I'm doing something wrong.

Any ideas?
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
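
An added example, not part of the original post or of Tor itself: because the report says the endpoints sit behind Geo DNS, a single lookup shows only one set of answers, so this sketch unions the A records from several `dig +noall +answer` runs (following CNAMEs) and emits `ExitPolicy reject` lines for TCP 443. The sample dig lines, their documentation-range addresses and the CNAME target are constructed.

```python
import ipaddress

# The four endpoints named in the abuse report quoted in the post.
ENDPOINTS = {
    "account.sonyentertainmentnetwork.com",
    "auth.np.ac.playstation.net",
    "auth.api.sonyentertainmentnetwork.com",
    "auth.api.np.ac.playstation.net",
}

# Constructed sample: answer-section lines as printed by
# `dig +noall +answer <name>` on two separate runs. Addresses are from
# documentation ranges and the CNAME target is made up.
SAMPLE_RUNS = """\
account.sonyentertainmentnetwork.com. 300 IN CNAME edge.cdn.example.net.
edge.cdn.example.net. 20 IN A 192.0.2.10
edge.cdn.example.net. 20 IN A 192.0.2.11
auth.np.ac.playstation.net. 60 IN A 198.51.100.7
account.sonyentertainmentnetwork.com. 300 IN CNAME edge.cdn.example.net.
edge.cdn.example.net. 20 IN A 192.0.2.11
edge.cdn.example.net. 20 IN A 203.0.113.5
unrelated.example.org. 60 IN A 203.0.113.99
"""

def collect_addresses(dig_output, endpoints=ENDPOINTS):
    """Union of A records reachable from the endpoints via CNAME chains."""
    cnames, a_records = {}, {}
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN":
            continue  # not an answer-section record
        name, rtype, data = fields[0].rstrip(".").lower(), fields[3], fields[4]
        if rtype == "CNAME":
            cnames.setdefault(name, set()).add(data.rstrip(".").lower())
        elif rtype == "A":
            a_records.setdefault(name, set()).add(ipaddress.IPv4Address(data))
    found, todo, seen = set(), list(endpoints), set()
    while todo:
        name = todo.pop()
        if name in seen:  # guards against CNAME loops
            continue
        seen.add(name)
        found |= a_records.get(name, set())
        todo.extend(cnames.get(name, ()))
    return sorted(found)

def exit_policy_lines(addresses, port=443):
    """One torrc reject line per address, limited to the reported port."""
    return [f"ExitPolicy reject {addr}:{port}" for addr in addresses]

if __name__ == "__main__":
    print("\n".join(exit_policy_lines(collect_addresses(SAMPLE_RUNS))))
```

Tor applies ExitPolicy lines in order and the first match wins, so the generated reject lines have to appear before any accept line in torrc.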