Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Jean | ddostest.me via NANOG]

I'm a bit confused as I thought it was the other way around.

No big deal though. So these SYN don't have options which is not normal 
today. It was in the previous millenium. You should see more options.


What you can do is filter SYN based on packet length. 54 bytes is your 
signature here. The hacker is using hping3 or some basic rudimentary tools.


Cheers

Jean

On 2020-01-28 16:41, Octolus Development wrote:

Yes, my server would then respond with RST.

Screenshot: https://i.imgur.com/ZVti2yY.png

We've blocked outgoing RST, 136.244.67.19 was our test server.

But even if the ip is not even exposed to the internet, services will 
blacklist us. Even if we don't respond, and block every request from 
the internet incoming & outgoing.


On 28.01.2020 22:36:18, "Jean | ddostest.me via NANOG" 
 wrote:


But you do receive the SYN/ACK?

The way to open a TCP socket is the 3 way handshake. Sorry to write 
that here... I feel it's useless.


1. SYN

2. SYN/ACK

3. ACK

Step 1: So hackers spoof the original SYN with your source IP of your 
network.


Step 2: You should then receive those SYN/ACK packets with your 
network as the dst ip and SONY as the src ip. Can you catch a few and 
post the TCP flags that you see please? (This is step 2)


You don't need sony or imperva for that. Just a sniffer at the right 
place in your network. You won't block anything, but we should see 
something  very interesting that will help you fix this.


If it is happening like you  are describing, you should see those 
packets and you should be able to capture them.


No worries if you can't.

Jean

On 2020-01-28 11:31, Octolus Development wrote:

I have tried numerous of times to reach out to Imperva.

Imperva said Sony have to contact them & said they cannot help me 
because I am not a customer of theirs.
Something Sony will not do. Sony simply stopped responding my emails 
after some time.


But yes you are right.

My IP's are being spoofed, spoofing SYN requests to hundreds of 
thousands of web servers. Which then results in a blacklist, that 
Imperva uses.. which prevents me and my clients from accessing 
Sony's services.. because they use Imperva.


On 28.01.2020 17:29:12, Tom Beecher  wrote:

Trying to summarize here, this convo has been a bit disjointed.

Is this an accurate summary?

- The malicious traffic with spoofed sources is targeting multiple 
different destinations.
- The aggregate of all those flows is causing Impervia to flag your 
IP range as a bad actor.
- Sony uses Impervia blacklists, and since Impervia has flagged 
your space as bad, Sony is blocking you.


If that is true, my advice would be to go right to Impervia. 
Explain the situation, and ask for their assistance in identifying 
and or/reaching out to the networks that they are detecting this 
spoofed traffic coming from. The backscatter, as Jared said 
earlier, could probably help you a bit too, but Impervia should be 
willing to assist. It's in their best interests to not have false 
positives, but who knows.


On Tue, Jan 28, 2020 at 6:17 AM Octolus Development 
mailto:ad...@octolus.net>> wrote:


The problem is that they are spoofing our IP, to millions of
IP's running port 80.
Making upstream providers filter it is quite difficult, i don't
know all the upstream providers are used.

The main problem is honestly services that reports SYN_RECV as
Port Flood, but there isn't much one can do about misconfigured
firewalls.I am sure there is a decent amount of honeypots on
the internet acting the same way, resulting us (the victims of
the attack) getting blacklisted for 'sending' attacks.


On 28.01.2020 05:50:14, "Dobbins, Roland"
mailto:roland.dobb...@netscout.com>> wrote:




On Jan 28, 2020, at 11:40, Dobbins, Roland
mailto:roland.dobb...@netscout.com>> wrote:

And even if his network weren't on the receiving end of a
reflection/amplification attack, OP could still see
backscatter, as Jared indicated.


In point of fact, if the traffic was low-volume, this might in
fact be what he was seeing.



Roland Dobbins mailto:roland.dobb...@netscout.com>>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[xanonyws]

Not blocking them will drain my outgoing bandwidth.




 On Wed, 29 Jan 2020 01:18:32 +0100 dam...@google.com wrote 


I recommend you *not* block the outgoing RST packets, as blocking them will 
only make matters worse:
  - it leaves the webservers being abused for reflection in the half-open 
SYN_RECV state, which may attract more attention (and blacklisting)
  - retries from those servers will increase the load to your network


Damian


On Tue, Jan 28, 2020 at 1:42 PM Octolus Development  wrote:

Yes, my server would then respond with RST.


Screenshot: https://i.imgur.com/ZVti2yY.png


We've blocked outgoing RST, 136.244.67.19 was our test server.


But even if the ip is not even exposed to the internet, services will blacklist 
us. Even if we don't respond, and block every request from the internet 
incoming & outgoing.

On 28.01.2020 22:36:18, "Jean | ddostest.me via NANOG"  wrote:

But you do receive the SYN/ACK?

The way to open a TCP socket is the 3 way handshake. Sorry to write that 
here... I feel it's useless.

1. SYN

2. SYN/ACK

3. ACK


Step 1: So hackers spoof the original SYN with your source IP of your network.


Step 2: You should then receive those SYN/ACK packets with your network as the 
dst ip and SONY as the src ip. Can you catch a few and post the TCP flags that 
you see please? (This is step 2)

You don't need sony or imperva for that. Just a sniffer at the right place in 
your network. You won't block anything, but we should see something  very 
interesting that will help you fix this.


If it is happening like you  are describing, you should see those packets and 
you should be able to capture them.


No worries if you can't.


Jean


On 2020-01-28 11:31, Octolus Development wrote:

I have tried numerous of times to reach out to Imperva.


Imperva said Sony have to contact them & said they cannot help me because I am 
not a customer of theirs.
Something Sony will not do. Sony simply stopped responding my emails after some 
time.


But yes you are right.


My IP's are being spoofed, spoofing SYN requests to hundreds of thousands of 
web servers. Which then results in a blacklist, that Imperva uses.. which 
prevents me and my clients from accessing Sony's services.. because they use 
Imperva.

On 28.01.2020 17:29:12, Tom Beecher  wrote:

Trying to summarize here, this convo has been a bit disjointed. 


Is this an accurate summary?


- The malicious traffic with spoofed sources is targeting multiple different 
destinations.
- The aggregate of all those flows is causing Impervia to flag your IP range as 
a bad actor. 
- Sony uses Impervia blacklists, and since Impervia has flagged your space as 
bad, Sony is blocking you. 


If that is true, my advice would be to go right to Impervia. Explain the 
situation, and ask for their assistance in identifying and or/reaching out to 
the networks that they are detecting this spoofed traffic coming from. The 
backscatter, as Jared said earlier, could probably help you a bit too, but 
Impervia should be willing to assist. It's in their best interests to not have 
false positives, but who knows. 


On Tue, Jan 28, 2020 at 6:17 AM Octolus Development  wrote:

The problem is that they are spoofing our IP, to millions of IP's running port 
80.
Making upstream providers filter it is quite difficult, i don't know all the 
upstream providers are used. 


The main problem is honestly services that reports SYN_RECV as Port Flood, but 
there isn't much one can do about misconfigured firewalls.I am sure there is a 
decent amount of honeypots on the internet acting the same way, resulting us 
(the victims of the attack) getting blacklisted for 'sending' attacks.

On 28.01.2020 05:50:14, "Dobbins, Roland"  wrote:





On Jan 28, 2020, at 11:40, Dobbins, Roland  wrote:


And even if his network weren't on the receiving end of a 
reflection/amplification attack, OP could still see backscatter, as Jared 
indicated. 


In point of fact, if the traffic was low-volume, this might in fact be what he 
was seeing. 





Roland Dobbins 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Damian Menscher via NANOG]

I recommend you *not* block the outgoing RST packets, as blocking them will
only make matters worse:
  - it leaves the webservers being abused for reflection in the half-open
SYN_RECV state, which may attract more attention (and blacklisting)
  - retries from those servers will increase the load to your network

Damian

On Tue, Jan 28, 2020 at 1:42 PM Octolus Development 
wrote:

> Yes, my server would then respond with RST.
>
> Screenshot: https://i.imgur.com/ZVti2yY.png
>
> We've blocked outgoing RST, 136.244.67.19 was our test server.
>
> But even if the ip is not even exposed to the internet, services will
> blacklist us. Even if we don't respond, and block every request from the
> internet incoming & outgoing.
>
> On 28.01.2020 22:36:18, "Jean | ddostest.me via NANOG" 
> wrote:
>
> But you do receive the SYN/ACK?
>
> The way to open a TCP socket is the 3 way handshake. Sorry to write that
> here... I feel it's useless.
>
> 1. SYN
>
> 2. SYN/ACK
>
> 3. ACK
>
> Step 1: So hackers spoof the original SYN with your source IP of your
> network.
>
> Step 2: You should then receive those SYN/ACK packets with your network as
> the dst ip and SONY as the src ip. Can you catch a few and post the TCP
> flags that you see please? (This is step 2)
>
> You don't need sony or imperva for that. Just a sniffer at the right place
> in your network. You won't block anything, but we should see something
> very interesting that will help you fix this.
>
> If it is happening like you  are describing, you should see those packets
> and you should be able to capture them.
>
> No worries if you can't.
>
> Jean
> On 2020-01-28 11:31, Octolus Development wrote:
>
> I have tried numerous of times to reach out to Imperva.
>
> Imperva said Sony have to contact them & said they cannot help me because
> I am not a customer of theirs.
> Something Sony will not do. Sony simply stopped responding my emails after
> some time.
>
> But yes you are right.
>
> My IP's are being spoofed, spoofing SYN requests to hundreds of thousands
> of web servers. Which then results in a blacklist, that Imperva uses..
> which prevents me and my clients from accessing Sony's services.. because
> they use Imperva.
>
> On 28.01.2020 17:29:12, Tom Beecher 
>  wrote:
> Trying to summarize here, this convo has been a bit disjointed.
>
> Is this an accurate summary?
>
> - The malicious traffic with spoofed sources is targeting multiple
> different destinations.
> - The aggregate of all those flows is causing Impervia to flag your IP
> range as a bad actor.
> - Sony uses Impervia blacklists, and since Impervia has flagged your space
> as bad, Sony is blocking you.
>
> If that is true, my advice would be to go right to Impervia. Explain the
> situation, and ask for their assistance in identifying and or/reaching out
> to the networks that they are detecting this spoofed traffic coming from.
> The backscatter, as Jared said earlier, could probably help you a bit too,
> but Impervia should be willing to assist. It's in their best interests to
> not have false positives, but who knows.
>
> On Tue, Jan 28, 2020 at 6:17 AM Octolus Development 
> wrote:
>
>> The problem is that they are spoofing our IP, to millions of IP's running
>> port 80.
>> Making upstream providers filter it is quite difficult, i don't know all
>> the upstream providers are used.
>>
>> The main problem is honestly services that reports SYN_RECV as Port
>> Flood, but there isn't much one can do about misconfigured firewalls.I am
>> sure there is a decent amount of honeypots on the internet acting the same
>> way, resulting us (the victims of the attack) getting blacklisted for
>> 'sending' attacks.
>>
>> On 28.01.2020 05:50:14, "Dobbins, Roland" 
>> wrote:
>>
>>
>> On Jan 28, 2020, at 11:40, Dobbins, Roland 
>> wrote:
>>
>> And even if his network weren't on the receiving end of a
>> reflection/amplification attack, OP could still see backscatter, as Jared
>> indicated.
>>
>>
>> In point of fact, if the traffic was low-volume, this might in fact be
>> what he was seeing.
>>
>> 
>>
>> Roland Dobbins 
>>
>>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

Yes, my server would then respond with RST.

Screenshot: https://i.imgur.com/ZVti2yY.png

We've blocked outgoing RST, 136.244.67.19 was our test server.

But even if the ip is not even exposed to the internet, services will blacklist 
us. Even if we don't respond, and block every request from the internet 
incoming & outgoing.
On 28.01.2020 22:36:18, "Jean | ddostest.me via NANOG"  wrote:
But you do receive the SYN/ACK?
The way to open a TCP socket is the 3 way handshake. Sorry to write that 
here... I feel it's useless.
1. SYN
2. SYN/ACK
3. ACK

Step 1: So hackers spoof the original SYN with your source IP of your network.

Step 2: You should then receive those SYN/ACK packets with your network as the 
dst ip and SONY as the src ip. Can you catch a few and post the TCP flags that 
you see please? (This is step 2)
You don't need sony or imperva for that. Just a sniffer at the right place in 
your network. You won't block anything, but we should see something very 
interesting that will help you fix this.

If it is happening like you are describing, you should see those packets and 
you should be able to capture them.

No worries if you can't.

Jean

On 2020-01-28 11:31, Octolus Development wrote:

I have tried numerous of times to reach out to Imperva.

Imperva said Sony have to contact them & said they cannot help me because I am 
not a customer of theirs.
Something Sony will not do. Sony simply stopped responding my emails after some 
time.

But yes you are right.

My IP's are being spoofed, spoofing SYN requests to hundreds of thousands of 
web servers. Which then results in a blacklist, that Imperva uses.. which 
prevents me and my clients from accessing Sony's services.. because they use 
Imperva.
On 28.01.2020 17:29:12, Tom Beecher  
[mailto:beec...@beecher.cc] wrote:
Trying to summarize here, this convo has been a bit disjointed.

Is this an accurate summary?

- The malicious traffic with spoofed sources is targeting multiple different 
destinations.
- The aggregate of all those flows is causing Impervia to flag your IP range as 
a bad actor.
- Sony uses Impervia blacklists, and since Impervia has flagged your space as 
bad, Sony is blocking you.

If that is true, my advice would be to go right to Impervia. Explain the 
situation, and ask for their assistance in identifying and or/reaching out to 
the networks that they are detecting this spoofed traffic coming from. The 
backscatter, as Jared said earlier, could probably help you a bit too, but 
Impervia should be willing to assist. It's in their best interests to not have 
false positives, but who knows.

On Tue, Jan 28, 2020 at 6:17 AM Octolus Development mailto:ad...@octolus.net]> wrote:

The problem is that they are spoofing our IP, to millions of IP's running port 
80.
Making upstream providers filter it is quite difficult, i don't know all the 
upstream providers are used.

The main problem is honestly services that reports SYN_RECV as Port Flood, but 
there isn't much one can do about misconfigured firewalls.I am sure there is a 
decent amount of honeypots on the internet acting the same way, resulting us 
(the victims of the attack) getting blacklisted for 'sending' attacks.
On 28.01.2020 05:50:14, "Dobbins, Roland" mailto:roland.dobb...@netscout.com]> wrote:


On Jan 28, 2020, at 11:40, Dobbins, Roland mailto:roland.dobb...@netscout.com]> wrote:


And even if his network weren't on the receiving end of a 
reflection/amplification attack, OP could still see backscatter, as Jared 
indicated.

In point of fact, if the traffic was low-volume, this might in fact be what he 
was seeing.


Roland Dobbins mailto:roland.dobb...@netscout.com]>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Jean | ddostest.me via NANOG]

But you do receive the SYN/ACK?

The way to open a TCP socket is the 3 way handshake. Sorry to write that 
here... I feel it's useless.


1. SYN

2. SYN/ACK

3. ACK

Step 1: So hackers spoof the original SYN with your source IP of your 
network.


Step 2: You should then receive those SYN/ACK packets with your network 
as the dst ip and SONY as the src ip. Can you catch a few and post the 
TCP flags that you see please? (This is step 2)


You don't need sony or imperva for that. Just a sniffer at the right 
place in your network. You won't block anything, but we should see 
something  very interesting that will help you fix this.


If it is happening like you  are describing, you should see those 
packets and you should be able to capture them.


No worries if you can't.

Jean

On 2020-01-28 11:31, Octolus Development wrote:

I have tried numerous of times to reach out to Imperva.

Imperva said Sony have to contact them & said they cannot help me 
because I am not a customer of theirs.
Something Sony will not do. Sony simply stopped responding my emails 
after some time.


But yes you are right.

My IP's are being spoofed, spoofing SYN requests to hundreds of 
thousands of web servers. Which then results in a blacklist, that 
Imperva uses.. which prevents me and my clients from accessing Sony's 
services.. because they use Imperva.


On 28.01.2020 17:29:12, Tom Beecher  wrote:

Trying to summarize here, this convo has been a bit disjointed.

Is this an accurate summary?

- The malicious traffic with spoofed sources is targeting multiple 
different destinations.
- The aggregate of all those flows is causing Impervia to flag your 
IP range as a bad actor.
- Sony uses Impervia blacklists, and since Impervia has flagged your 
space as bad, Sony is blocking you.


If that is true, my advice would be to go right to Impervia. Explain 
the situation, and ask for their assistance in identifying and 
or/reaching out to the networks that they are detecting this spoofed 
traffic coming from. The backscatter, as Jared said earlier, could 
probably help you a bit too, but Impervia should be willing to 
assist. It's in their best interests to not have false positives, but 
who knows.


On Tue, Jan 28, 2020 at 6:17 AM Octolus Development 
mailto:ad...@octolus.net>> wrote:


The problem is that they are spoofing our IP, to millions of IP's
running port 80.
Making upstream providers filter it is quite difficult, i don't
know all the upstream providers are used.

The main problem is honestly services that reports SYN_RECV as
Port Flood, but there isn't much one can do about misconfigured
firewalls.I am sure there is a decent amount of honeypots on the
internet acting the same way, resulting us (the victims of the
attack) getting blacklisted for 'sending' attacks.


On 28.01.2020 05:50:14, "Dobbins, Roland"
mailto:roland.dobb...@netscout.com>> wrote:




On Jan 28, 2020, at 11:40, Dobbins, Roland
mailto:roland.dobb...@netscout.com>> wrote:

And even if his network weren't on the receiving end of a
reflection/amplification attack, OP could still see
backscatter, as Jared indicated.


In point of fact, if the traffic was low-volume, this might in
fact be what he was seeing.



Roland Dobbins mailto:roland.dobb...@netscout.com>>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

I have tried numerous of times to reach out to Imperva.

Imperva said Sony have to contact them & said they cannot help me because I am 
not a customer of theirs.
Something Sony will not do. Sony simply stopped responding my emails after some 
time.

But yes you are right.

My IP's are being spoofed, spoofing SYN requests to hundreds of thousands of 
web servers. Which then results in a blacklist, that Imperva uses.. which 
prevents me and my clients from accessing Sony's services.. because they use 
Imperva.
On 28.01.2020 17:29:12, Tom Beecher  wrote:
Trying to summarize here, this convo has been a bit disjointed.

Is this an accurate summary?

- The malicious traffic with spoofed sources is targeting multiple different 
destinations.
- The aggregate of all those flows is causing Impervia to flag your IP range as 
a bad actor.
- Sony uses Impervia blacklists, and since Impervia has flagged your space as 
bad, Sony is blocking you.

If that is true, my advice would be to go right to Impervia. Explain the 
situation, and ask for their assistance in identifying and or/reaching out to 
the networks that they are detecting this spoofed traffic coming from. The 
backscatter, as Jared said earlier, could probably help you a bit too, but 
Impervia should be willing to assist. It's in their best interests to not have 
false positives, but who knows.

On Tue, Jan 28, 2020 at 6:17 AM Octolus Development mailto:ad...@octolus.net]> wrote:

The problem is that they are spoofing our IP, to millions of IP's running port 
80.
Making upstream providers filter it is quite difficult, i don't know all the 
upstream providers are used.

The main problem is honestly services that reports SYN_RECV as Port Flood, but 
there isn't much one can do about misconfigured firewalls.I am sure there is a 
decent amount of honeypots on the internet acting the same way, resulting us 
(the victims of the attack) getting blacklisted for 'sending' attacks.
On 28.01.2020 05:50:14, "Dobbins, Roland" mailto:roland.dobb...@netscout.com]> wrote:


On Jan 28, 2020, at 11:40, Dobbins, Roland mailto:roland.dobb...@netscout.com]> wrote:


And even if his network weren't on the receiving end of a 
reflection/amplification attack, OP could still see backscatter, as Jared 
indicated.

In point of fact, if the traffic was low-volume, this might in fact be what he 
was seeing.


Roland Dobbins mailto:roland.dobb...@netscout.com]>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Tom Beecher]

Trying to summarize here, this convo has been a bit disjointed.

Is this an accurate summary?

- The malicious traffic with spoofed sources is targeting multiple
different destinations.
- The aggregate of all those flows is causing Impervia to flag your IP
range as a bad actor.
- Sony uses Impervia blacklists, and since Impervia has flagged your space
as bad, Sony is blocking you.

If that is true, my advice would be to go right to Impervia. Explain the
situation, and ask for their assistance in identifying and or/reaching out
to the networks that they are detecting this spoofed traffic coming from.
The backscatter, as Jared said earlier, could probably help you a bit too,
but Impervia should be willing to assist. It's in their best interests to
not have false positives, but who knows.

On Tue, Jan 28, 2020 at 6:17 AM Octolus Development 
wrote:

> The problem is that they are spoofing our IP, to millions of IP's running
> port 80.
> Making upstream providers filter it is quite difficult, i don't know all
> the upstream providers are used.
>
> The main problem is honestly services that reports SYN_RECV as Port Flood,
> but there isn't much one can do about misconfigured firewalls.I am sure
> there is a decent amount of honeypots on the internet acting the same way,
> resulting us (the victims of the attack) getting blacklisted for 'sending'
> attacks.
>
> On 28.01.2020 05:50:14, "Dobbins, Roland" 
> wrote:
>
>
> On Jan 28, 2020, at 11:40, Dobbins, Roland 
> wrote:
>
> And even if his network weren't on the receiving end of a
> reflection/amplification attack, OP could still see backscatter, as Jared
> indicated.
>
>
> In point of fact, if the traffic was low-volume, this might in fact be
> what he was seeing.
>
> 
>
> Roland Dobbins 
>
>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Jean | ddostest.me via NANOG]

Maybe we're looking at the wrong place when dealing with TCP amp. I 
believe there is a much easier way to solve this.


@OP: can you post the tcp flags of the SYN/CK you are receiving from Sony?

Thanks

Jean

On 2020-01-27 20:49, Damian Menscher via NANOG wrote:
On Mon, Jan 27, 2020 at 5:43 PM Töma Gavrichenkov > wrote:


On Tue, Jan 28, 2020, 4:32 AM Damian Menscher mailto:dam...@google.com>> wrote:

On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov
mailto:xima...@gmail.com>> wrote:

If this endpoint doesn't connect to anything outside of
their network, then yes.
If it does though, the design of the filter might become
more complicated.


Not really... just requires sorting by volume.  Turns out most
legitimate hosts don't send high-volume syn packets. ;)


This is a good *detection* technique, but you cannot filter by
volume in transit if the set of destinations is large (and random)
enough, and you don't have a time machine.  Not sure if this is
the case but might as well be.


They don't need to filter by destination.  Once a problem customer has 
been identified, they can apply an ACL restricting them to only 
originate IPs they own.  This was all covered in my talk at NANOG last 
year: 
https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976


As for the detection of the real source, everything is technically
possible but you need certain bargaining power which a
medium-sized (at best) VPN service probably doesn't have.


True, but there are ways around that, including public shaming (here), 
or involving law enforcement.


Damian

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Dobbins, Roland]

On 28 Jan 2020, at 18:15, Octolus Development wrote:

> The problem is that they are spoofing our IP, to millions of IP's 
> running port 80.

So that does in fact sound like a TCP reflection/amplification attack.

If you have the relevant information, as it seems that you do, you can 
ask operators to perform traceback (they'll likely need timestamps).

Hopefully, some operators will read this thread and begin looking into 
it, as well.


Roland Dobbins 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

The problem is that they are spoofing our IP, to millions of IP's running port 
80.
Making upstream providers filter it is quite difficult, i don't know all the 
upstream providers are used. 

The main problem is honestly services that reports SYN_RECV as Port Flood, but 
there isn't much one can do about misconfigured firewalls.I am sure there is a 
decent amount of honeypots on the internet acting the same way, resulting us 
(the victims of the attack) getting blacklisted for 'sending' attacks.
On 28.01.2020 05:50:14, "Dobbins, Roland"  wrote:


On Jan 28, 2020, at 11:40, Dobbins, Roland  wrote:


And even if his network weren't on the receiving end of a 
reflection/amplification attack, OP could still see backscatter, as Jared 
indicated. 

In point of fact, if the traffic was low-volume, this might in fact be what he 
was seeing. 


Roland Dobbins 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Dobbins, Roland]

On Jan 28, 2020, at 11:40, Dobbins, Roland  wrote:

And even if his network weren't on the receiving end of a 
reflection/amplification attack, OP could still see backscatter, as Jared 
indicated.

In point of fact, if the traffic was low-volume, this might in fact be what he 
was seeing.




Roland Dobbins 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Dobbins, Roland]

On Jan 28, 2020, at 07:39, Mike Hammett  wrote:

If someone is being spoofed, they aren't receiving the spoofed packets. How are 
they supposed to collect anything on the attack?

OP stated that *his own network* was being packeted with a TCP 
reflection/amplification attack.

This means that if he's collecting flow telemetry from his edge routers, he 
sees the details of the resultant attack traffic, & since that attack traffic 
isn't spoofed from his perspective, he can ask the networks on which the abused 
reflectors/amplifiers reside, & their peers/transits he can infer, to perform 
traceback, & work it network-by-network.

And even if his network weren't on the receiving end of a 
reflection/amplification attack, OP could still see backscatter, as Jared 
indicated.

Instrumenting one's network in order to achieve visibility into one's traffic 
is quite beneficial.  It's easy & inexpensive to get started with open-source 
tools.




Roland Dobbins 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Töma Gavrichenkov]

Peace,

On Tue, Jan 28, 2020, 4:49 AM Damian Menscher  wrote:

> They don't need to filter by destination.  Once a problem customer has
> been identified, they can apply an ACL restricting them to only originate
> IPs they own.
>

> [..]
>
there are ways around that, including public shaming (here), or involving
> law enforcement.
>

Well, don't we see how well public shaming has worked out with Sony so far.

--
Töma

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Damian Menscher via NANOG]

On Mon, Jan 27, 2020 at 5:43 PM Töma Gavrichenkov  wrote:

> On Tue, Jan 28, 2020, 4:32 AM Damian Menscher  wrote:
>
>> On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov 
>> wrote:
>>
>>> If this endpoint doesn't connect to anything outside of their network,
>>> then yes.
>>> If it does though, the design of the filter might become more
>>> complicated.
>>>
>>
>> Not really... just requires sorting by volume.  Turns out most legitimate
>> hosts don't send high-volume syn packets. ;)
>>
>
> This is a good *detection* technique, but you cannot filter by volume in
> transit if the set of destinations is large (and random) enough, and you
> don't have a time machine.  Not sure if this is the case but might as well
> be.
>

They don't need to filter by destination.  Once a problem customer has been
identified, they can apply an ACL restricting them to only originate IPs
they own.  This was all covered in my talk at NANOG last year:
https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976

As for the detection of the real source, everything is technically possible
> but you need certain bargaining power which a medium-sized (at best) VPN
> service probably doesn't have.
>

True, but there are ways around that, including public shaming (here), or
involving law enforcement.

Damian

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Töma Gavrichenkov]

Peace,

On Tue, Jan 28, 2020, 4:42 AM Töma Gavrichenkov  wrote:

> As for the detection of the real source, everything is technically
> possible but you need certain bargaining power which a medium-sized (at
> best) VPN service probably doesn't have.
>

...because if they *did* have some, they could've rather convinced Sony (or
the respective security providers) not to apply braindead filtering
techniques (assuming they do, as the OP states).

--
Töma

>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Jared Mauch]

You will still see backscatter which will let you know your space is being 
spoofed as well. 

This will show in your telemetry. 

Sent from my iCar

> On Jan 27, 2020, at 7:57 PM, Mike Hammett  wrote:
> 
> 
> How would they know what to look for?
> 
> I'm assuming Sony isn't cooperating.
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> 
> Midwest-IX
> http://www.midwest-ix.com
> 
> From: "Ben Cannon" 
> To: "Mike Hammett" 
> Cc: "Roland Dobbins" , "NANOG Operators' Group" 
> 
> Sent: Monday, January 27, 2020 6:40:25 PM
> Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
> 
> Transit carriers could work the flows backwards.
> 
> -Ben Cannon
> CEO 6x7 Networks & 6x7 Telecom, LLC 
> b...@6by7.net
> 
> 
> 
> 
> On Jan 27, 2020, at 4:39 PM, Mike Hammett  wrote:
> 
> If someone is being spoofed, they aren't receiving the spoofed packets. How 
> are they supposed to collect anything on the attack?
> 
> Offending host pretending to be Octolus -> Sony -> Real Octolus.
> 
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> 
> Midwest-IX
> http://www.midwest-ix.com
> 
> From: "Roland Dobbins" 
> To: "Octolus Development" 
> Cc: "Heather Schiller via NANOG" 
> Sent: Monday, January 27, 2020 6:29:16 PM
> Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
> 
> 
> 
> On Jan 28, 2020, at 04:12, Octolus Development  wrote:
> 
> It is impossible to find the true origin of where the spoofed attacks are 
> coming from.
> 
> This is demonstrably untrue. 
> 
> If you provide the requisite information to operators, they can look through 
> their flow telemetry collection/analysis systems in order to determine 
> whether the spoofed traffic traversed their network; if it did so, they will 
> see where it ingressed their network. 
> 
> With enough participants who have this capability, it's possible to trace the 
> spoofed traffic back to its origin network, or at least some network or 
> networks topologically proximate to the origin network. 
> 
> That's what Damian is suggesting. 
> 
> 
> Roland Dobbins 
> 
> 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Töma Gavrichenkov]

Peace,

On Tue, Jan 28, 2020, 4:32 AM Damian Menscher  wrote:

> On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov 
> wrote:
>
>> If this endpoint doesn't connect to anything outside of their network,
>> then yes.
>> If it does though, the design of the filter might become more complicated.
>>
>
> Not really... just requires sorting by volume.  Turns out most legitimate
> hosts don't send high-volume syn packets. ;)
>

This is a good *detection* technique, but you cannot filter by volume in
transit if the set of destinations is large (and random) enough, and you
don't have a time machine.  Not sure if this is the case but might as well
be.

As for the detection of the real source, everything is technically possible
but you need certain bargaining power which a medium-sized (at best) VPN
service probably doesn't have.

--
Töma

>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Damian Menscher via NANOG]

On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov  wrote:

> On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG 
> wrote:
>
>> The victim already posted the signature to this thread:
>>   - source IP: 51.81.119.7
>>   - protocol: 6 (tcp)
>>   - tcp_flags: 2 (syn)
>>
>> That alone is sufficient for Level3/CenturyLink/etc to identify the
>> source of this abuse and apply filters, if they choose.
>>
>
> If this endpoint doesn't connect to anything outside of their network,
> then yes.
> If it does though, the design of the filter might become more complicated.
>

Not really... just requires sorting by volume.  Turns out most legitimate
hosts don't send high-volume syn packets. ;)  The same could be said of
high-volume UDP packets destined to known amplification ports.

If the OP posted their IPv4 addresses and networks to the list, it could've
> been easier though (however the concerns about the administrative
> processing procedures outlined before still apply).
>

The victim info is only really needed if you are focused on a particular
case.  A motivated person at a transit provider could likely identify all
sources of spoofing (from their customers) with a day's work.  Multiple
transit providers would need to work together to address all cases, as the
source might be a customer of only one of them.

If anyone at a transit provider wants to attempt this feel free to contact
me off-list for tips.

Damian

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Töma Gavrichenkov]

Peace,

On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG 
wrote:

> The victim already posted the signature to this thread:
>   - source IP: 51.81.119.7
>   - protocol: 6 (tcp)
>   - tcp_flags: 2 (syn)
>
> That alone is sufficient for Level3/CenturyLink/etc to identify the source
> of this abuse and apply filters, if they choose.
>

If this endpoint doesn't connect to anything outside of their network, then
yes.

If it does though, the design of the filter might become more complicated.

If the OP posted their IPv4 addresses and networks to the list, it could've
been easier though (however the concerns about the administrative
processing procedures outlined before still apply).

--
Töma

>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Töma Gavrichenkov]

Peace,

On Tue, Jan 28, 2020, 3:43 AM Ben Cannon  wrote:

> Transit carriers could work the flows backwards.
>

And if the stars align, some of them might even do that for you once even
though you are not their direct customer.

Next you're going to convince them to talk to the (probably abuse
resistant) data center where this garbage is hosted in order to shut the
offender down.

This even happened before in the past, but not frequently enough I'd say.

--
Töma

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Damian Menscher via NANOG]

The victim already posted the signature to this thread:
  - source IP: 51.81.119.7
  - protocol: 6 (tcp)
  - tcp_flags: 2 (syn)

That alone is sufficient for Level3/CenturyLink/etc to identify the source
of this abuse and apply filters, if they choose.

For a more detailed explanation of how to trace and filter spoofed attacks,
see my talk at NANOG last year:
https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976

Damian

On Mon, Jan 27, 2020 at 4:57 PM Mike Hammett  wrote:

> How would they know what to look for?
>
> I'm assuming Sony isn't cooperating.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Ben Cannon" 
> *To: *"Mike Hammett" 
> *Cc: *"Roland Dobbins" , "NANOG Operators'
> Group" 
> *Sent: *Monday, January 27, 2020 6:40:25 PM
> *Subject: *Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
>
> Transit carriers could work the flows backwards.
>
> -Ben Cannon
> CEO 6x7 Networks & 6x7 Telecom, LLC
> b...@6by7.net
>
>
>
> On Jan 27, 2020, at 4:39 PM, Mike Hammett  wrote:
>
> If someone is being spoofed, they aren't receiving the spoofed packets.
> How are they supposed to collect anything on the attack?
>
> Offending host pretending to be Octolus -> Sony -> Real Octolus.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --------------
> *From: *"Roland Dobbins" 
> *To: *"Octolus Development" 
> *Cc: *"Heather Schiller via NANOG" 
> *Sent: *Monday, January 27, 2020 6:29:16 PM
> *Subject: *Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
>
>
>
> On Jan 28, 2020, at 04:12, Octolus Development  wrote:
>
> It is impossible to find the true origin of where the spoofed attacks are
> coming from.
>
>
> This is demonstrably untrue.
>
> If you provide the requisite information to operators, they can look
> through their flow telemetry collection/analysis systems in order to
> determine whether the spoofed traffic traversed their network; if it did
> so, they will see where it ingressed their network.
>
> With enough participants who have this capability, it's possible to trace
> the spoofed traffic back to its origin network, or at least some network or
> networks topologically proximate to the origin network.
>
> That's what Damian is suggesting.
>
> 
> Roland Dobbins 
>
>
>
>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Mike Hammett]

How would they know what to look for? 

I'm assuming Sony isn't cooperating. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Ben Cannon"  
To: "Mike Hammett"  
Cc: "Roland Dobbins" , "NANOG Operators' Group" 
 
Sent: Monday, January 27, 2020 6:40:25 PM 
Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC 

Transit carriers could work the flows backwards. 





-Ben Cannon 
CEO 6x7 Networks & 6x7 Telecom, LLC 
b...@6by7.net 







On Jan 27, 2020, at 4:39 PM, Mike Hammett < na...@ics-il.net > wrote: 


If someone is being spoofed, they aren't receiving the spoofed packets. How are 
they supposed to collect anything on the attack? 

Offending host pretending to be Octolus -> Sony -> Real Octolus. 





- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Roland Dobbins" < roland.dobb...@netscout.com > 
To: "Octolus Development" < ad...@octolus.net > 
Cc: "Heather Schiller via NANOG" < nanog@nanog.org > 
Sent: Monday, January 27, 2020 6:29:16 PM 
Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC 







On Jan 28, 2020, at 04:12, Octolus Development < ad...@octolus.net > wrote: 






It is impossible to find the true origin of where the spoofed attacks are 
coming from. 



This is demonstrably untrue. 


If you provide the requisite information to operators, they can look through 
their flow telemetry collection/analysis systems in order to determine whether 
the spoofed traffic traversed their network; if it did so, they will see where 
it ingressed their network. 


With enough participants who have this capability, it's possible to trace the 
spoofed traffic back to its origin network, or at least some network or 
networks topologically proximate to the origin network. 


That's what Damian is suggesting. 



 
Roland Dobbins < roland.dobb...@netscout.com > 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Ben Cannon]

Transit carriers could work the flows backwards.

-Ben Cannon
CEO 6x7 Networks & 6x7 Telecom, LLC 
b...@6by7.net <mailto:b...@6by7.net>




> On Jan 27, 2020, at 4:39 PM, Mike Hammett  wrote:
> 
> If someone is being spoofed, they aren't receiving the spoofed packets. How 
> are they supposed to collect anything on the attack?
> 
> Offending host pretending to be Octolus -> Sony -> Real Octolus.
> 
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com <http://www.ics-il.com/>
> 
> Midwest-IX
> http://www.midwest-ix.com <http://www.midwest-ix.com/>
> 
> From: "Roland Dobbins"  <mailto:roland.dobb...@netscout.com>>
> To: "Octolus Development" mailto:ad...@octolus.net>>
> Cc: "Heather Schiller via NANOG" mailto:nanog@nanog.org>>
> Sent: Monday, January 27, 2020 6:29:16 PM
> Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
> 
> 
> 
> On Jan 28, 2020, at 04:12, Octolus Development  <mailto:ad...@octolus.net>> wrote:
> 
> It is impossible to find the true origin of where the spoofed attacks are 
> coming from.
> 
> This is demonstrably untrue. 
> 
> If you provide the requisite information to operators, they can look through 
> their flow telemetry collection/analysis systems in order to determine 
> whether the spoofed traffic traversed their network; if it did so, they will 
> see where it ingressed their network. 
> 
> With enough participants who have this capability, it's possible to trace the 
> spoofed traffic back to its origin network, or at least some network or 
> networks topologically proximate to the origin network. 
> 
> That's what Damian is suggesting. 
> 
> 
> Roland Dobbins  <mailto:roland.dobb...@netscout.com>>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Mike Hammett]

If someone is being spoofed, they aren't receiving the spoofed packets. How are 
they supposed to collect anything on the attack? 

Offending host pretending to be Octolus -> Sony -> Real Octolus. 





- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Roland Dobbins"  
To: "Octolus Development"  
Cc: "Heather Schiller via NANOG"  
Sent: Monday, January 27, 2020 6:29:16 PM 
Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC 







On Jan 28, 2020, at 04:12, Octolus Development  wrote: 






It is impossible to find the true origin of where the spoofed attacks are 
coming from. 



This is demonstrably untrue. 


If you provide the requisite information to operators, they can look through 
their flow telemetry collection/analysis systems in order to determine whether 
the spoofed traffic traversed their network; if it did so, they will see where 
it ingressed their network. 


With enough participants who have this capability, it's possible to trace the 
spoofed traffic back to its origin network, or at least some network or 
networks topologically proximate to the origin network. 


That's what Damian is suggesting. 



 
Roland Dobbins  

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Dobbins, Roland]

On Jan 28, 2020, at 04:12, Octolus Development  wrote:

I don't have an exact timestamp, because the attacks are really difficult to 
see as well.

If you implement an open-source flow telemetry collection system & export flow 
telemetry from your edge routers to it, this becomes trivial.

See this .pdf preso (it's my standard telemetry preso):



[Full disclosure: I work for a commercial vendor of such systems.]




Roland Dobbins 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Dobbins, Roland]

On Jan 28, 2020, at 04:12, Octolus Development  wrote:

It is impossible to find the true origin of where the spoofed attacks are 
coming from.

This is demonstrably untrue.

If you provide the requisite information to operators, they can look through 
their flow telemetry collection/analysis systems in order to determine whether 
the spoofed traffic traversed their network; if it did so, they will see where 
it ingressed their network.

With enough participants who have this capability, it's possible to trace the 
spoofed traffic back to its origin network, or at least some network or 
networks topologically proximate to the origin network.

That's what Damian is suggesting.




Roland Dobbins 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

It is impossible to find the true origin of where the spoofed attacks are 
coming from.

I don't have an exact timestamp, because the attacks are really difficult to 
see as well. As I said, you can block the IP from accessing internet 
completely. Yet, some services will flag our IP as "port flooding" their 
service - despite the fact it's fully spoofed.

We received multiple flags at OVH of port flooding.

This was one of the reports we got:
tcp: 51.81.119.7:30364 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:41535 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:1089 -> 209.208.32.250:80 (SYN_RECV)
tcp: 51.81.119.7:4433 -> 209.208.32.250:80 (SYN_RECV)

On 27.01.2020 21:29:11, Damian Menscher  wrote:
One approach would be to trace the true origin of the spoofed packets, and get 
it filtered by their upstream. To that end, can you share some details of a 
recent tcp-amp attack? Eg, the victim IP and a timestamp?

Damian

On Mon, Jan 27, 2020 at 12:06 PM Octolus Development mailto:ad...@octolus.net]> wrote:

Hey everyone, decided to do a small update for those who are interested.

- Sony reached out to me, they whitelisted our IP's temporarily but then 
removed them. We have not heard from them since (10th January)
- We tracked down the cause of the blacklist, it is happening because we are a 
victim of a TCP-AMP DDoS Attack.

The TCP-AMP Attack works like this;
- The attacker spoofs our server's ip, to thousands of services running a web 
server on port 80.
- These web services, then respond back to our server - thinking we're the one 
that made a request.

It seems like hundreds of these web servers that are receiving those spoofed 
requests from our IP, runs CSF or some kind of firewall system that 
automatically detects many connections to their web server. And automatically 
reports it to multiple different services, which ends up in us getting 
blacklisted.

Imperva, which is what Sony uses are importing blacklists from multiple 
different trusted databases.. Which is how we're getting banned by Sony. Which 
uses Imperva on all their services, as their web firewall.

The solution? There isn't really any. We are the victim here, the attackers are 
spoofing attacks from our IP's - and the services that are reflecting back to 
us, are reporting us for "attacking" them even though the requests are fully 
spoofed.
On 10.01.2020 19:51:10, Mark Milhollan mailto:m...@pixelgate.net]> wrote:
On Fri, 10 Jan 2020, Octolus Development wrote:

>I run a VPN Business dedicated to protecting clients from DDoS Attacks
>that happens "all day long" on PlayStation Network. We need our VPN to
>work on PSN, all our customers uses their service.
>
>They are still investigating the problem, let's see what the results will be.

Does your VPN provide what Sony cares about, which I do not know but
might include things like only exiting CH customers via CH end-points /
proxies so that non-CH (e.g., UK) only content can be blocked -- if not
you may never gain traction with them and even if you do it might be
quite hard to prove to their satisfaction.


/mark

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Damian Menscher via NANOG]

One approach would be to trace the true origin of the spoofed packets, and
get it filtered by their upstream.  To that end, can you share some details
of a recent tcp-amp attack?  Eg, the victim IP and a timestamp?

Damian

On Mon, Jan 27, 2020 at 12:06 PM Octolus Development 
wrote:

> Hey everyone, decided to do a small update for those who are interested.
>
> - Sony reached out to me, they whitelisted our IP's temporarily but then
> removed them. We have not heard from them since (10th January)
> - We tracked down the cause of the blacklist, it is happening because we
> are a victim of a TCP-AMP DDoS Attack.
>
> The TCP-AMP Attack works like this;
> - The attacker spoofs our server's ip, to thousands of services running a
> web server on port 80.
> - These web services, then respond back to our server - thinking we're the
> one that made a request.
>
> It seems like hundreds of these web servers that are receiving those
> spoofed requests from our IP, runs CSF or some kind of firewall system that
> automatically detects many connections to their web server. And
> automatically reports it to multiple different services, which ends up in
> us getting blacklisted.
>
> Imperva, which is what Sony uses are importing blacklists from multiple
> different trusted databases.. Which is how we're getting banned by Sony.
> Which uses Imperva on all their services, as their web firewall.
>
> The solution? There isn't really any. We are the victim here, the
> attackers are spoofing attacks from our IP's - and the services that are
> reflecting back to us, are reporting us for "attacking" them even though
> the requests are fully spoofed.
>
> On 10.01.2020 19:51:10, Mark Milhollan  wrote:
> On Fri, 10 Jan 2020, Octolus Development wrote:
>
> >I run a VPN Business dedicated to protecting clients from DDoS Attacks
> >that happens "all day long" on PlayStation Network. We need our VPN to
> >work on PSN, all our customers uses their service.
> >
> >They are still investigating the problem, let's see what the results will
> be.
>
> Does your VPN provide what Sony cares about, which I do not know but
> might include things like only exiting CH customers via CH end-points /
> proxies so that non-CH (e.g., UK) only content can be blocked -- if not
> you may never gain traction with them and even if you do it might be
> quite hard to prove to their satisfaction.
>
>
> /mark
>
>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

Hey everyone, decided to do a small update for those who are interested.

- Sony reached out to me, they whitelisted our IP's temporarily but then 
removed them. We have not heard from them since (10th January)
- We tracked down the cause of the blacklist, it is happening because we are a 
victim of a TCP-AMP DDoS Attack.

The TCP-AMP Attack works like this;
- The attacker spoofs our server's ip, to thousands of services running a web 
server on port 80.
- These web services, then respond back to our server - thinking we're the one 
that made a request.

It seems like hundreds of these web servers that are receiving those spoofed 
requests from our IP, runs CSF or some kind of firewall system that 
automatically detects many connections to their web server. And automatically 
reports it to multiple different services, which ends up in us getting 
blacklisted.

Imperva, which is what Sony uses are importing blacklists from multiple 
different trusted databases.. Which is how we're getting banned by Sony. Which 
uses Imperva on all their services, as their web firewall.

The solution? There isn't really any. We are the victim here, the attackers are 
spoofing attacks from our IP's - and the services that are reflecting back to 
us, are reporting us for "attacking" them even though the requests are fully 
spoofed.
On 10.01.2020 19:51:10, Mark Milhollan  wrote:
On Fri, 10 Jan 2020, Octolus Development wrote:

>I run a VPN Business dedicated to protecting clients from DDoS Attacks
>that happens "all day long" on PlayStation Network. We need our VPN to
>work on PSN, all our customers uses their service.
>
>They are still investigating the problem, let's see what the results will be.

Does your VPN provide what Sony cares about, which I do not know but
might include things like only exiting CH customers via CH end-points /
proxies so that non-CH (e.g., UK) only content can be blocked -- if not
you may never gain traction with them and even if you do it might be
quite hard to prove to their satisfaction.


/mark

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

It's not about that this thread is about, nor why it is blacklisted. There is 
an exploit (DDoS) that will ban even home connections from their networks.
On 10.01.2020 19:51:10, Mark Milhollan  wrote:
On Fri, 10 Jan 2020, Octolus Development wrote:

>I run a VPN Business dedicated to protecting clients from DDoS Attacks
>that happens "all day long" on PlayStation Network. We need our VPN to
>work on PSN, all our customers uses their service.
>
>They are still investigating the problem, let's see what the results will be.

Does your VPN provide what Sony cares about, which I do not know but
might include things like only exiting CH customers via CH end-points /
proxies so that non-CH (e.g., UK) only content can be blocked -- if not
you may never gain traction with them and even if you do it might be
quite hard to prove to their satisfaction.


/mark

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Mark Milhollan]

On Fri, 10 Jan 2020, Octolus Development wrote:

I run a VPN Business dedicated to protecting clients from DDoS Attacks 
that happens "all day long" on PlayStation Network. We need our VPN to 
work on PSN, all our customers uses their service.


They are still investigating the problem, let's see what the results will be.


Does your VPN provide what Sony cares about, which I do not know but 
might include things like only exiting CH customers via CH end-points / 
proxies so that non-CH (e.g., UK) only content can be blocked -- if not 
you may never gain traction with them and even if you do it might be 
quite hard to prove to their satisfaction.



/mark

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

Exactly that.

I run a VPN Business dedicated to protecting clients from DDoS Attacks that 
happens "all day long" on PlayStation Network. We need our VPN to work on PSN, 
all our customers uses their service.

They are still investigating the problem, let's see what the results will be.
On 10.01.2020 10:20:08, Radu-Adrian Feurdean  
wrote:


On Thu, Jan 9, 2020, at 00:05, Keith Medcalf wrote:
>
> On Wednesday, 8 January, 2020 14:35. Octolus Development
> wrote:
>
> Stop doing business with Criminal Organizations (SONY). Problem solved.

You (as a provider) may not do any business with them, but your customers may, 
and will yell at you if/when it doesn't work.

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Radu-Adrian Feurdean]

On Thu, Jan 9, 2020, at 00:05, Keith Medcalf wrote:
> 
> On Wednesday, 8 January, 2020 14:35. Octolus Development 
>  wrote:
> 
> Stop doing business with Criminal Organizations (SONY).  Problem solved.

You (as a provider) may not do any business with them, but your customers may, 
and will yell at you if/when it doesn't work. 

RE: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Keith Medcalf]

On Wednesday, 8 January, 2020 14:35. Octolus Development  
wrote:

>Sony are currently "looking into it" but they do not seem to care much. I
>am a customer of Sony, I own PlayStation consoles and I am not able to
>access their service. They tell me to change my IP instead of solving the
>actual problem with this exploit.

Stop doing business with Criminal Organizations (SONY).  Problem solved.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

No, that is not why. 

We deployed a brand new IP, and it was banned 24-48 hours after the DDoS Attack 
was hit. The other IP that was never attacked, never got banned. We've tracked 
down the issue and confirmed it is the DDoS Attack coming from Akamai and 
Imperva's IP's that are banning us from their network somehow.

Sony are currently "looking into it" but they do not seem to care much. I am a 
customer of Sony, I own PlayStation consoles and I am not able to access their 
service. They tell me to change my IP instead of solving the actual problem 
with this exploit.
On 08.01.2020 22:29:12, Töma Gavrichenkov  wrote:
Peace,

Hey, your website says you're the developer of OctoVPN which is a VPN solution.

*This* might be effectively the reason of blocking, not a DDoS. Gaming and 
streaming services typically discourage VPN traffic because a) VPNs help to 
circumvent regional restrictions, b) miscreants use VPNs to hide while breaking 
into systems, c) other reasons.

Imperva is a Web app firewall solution much more than it is a DDoS protection 
device after all.

--
Töma


On Wed, Jan 8, 2020, 11:56 PM Octolus Development mailto:ad...@octolus.net]> wrote:

The error it displays on both Sony, and Imperva (and whatever websites who uses 
their protection). So this problem is not with Sony, but rather Imperva 
blocking IP's wildly.

The IP's are not blocks, it's a single IP and the block/blacklist lifts after 7 
days.


Error that appears on those websites, including imperva themself:

This page can't be displayed. Contact support for additional information.
The incident ID is: N/A.

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Töma Gavrichenkov]

Peace,

Hey, your website says you're the developer of OctoVPN which is a VPN
solution.

*This* might be effectively the reason of blocking, not a DDoS.  Gaming and
streaming services typically discourage VPN traffic because a) VPNs help to
circumvent regional restrictions, b) miscreants use VPNs to hide while
breaking into systems, c) other reasons.

Imperva is a Web app firewall solution much more than it is a DDoS
protection device after all.

--
Töma

On Wed, Jan 8, 2020, 11:56 PM Octolus Development  wrote:

> The error it displays on both Sony, and Imperva (and whatever websites who
> uses their protection). So this problem is not with Sony, but rather
> Imperva blocking IP's wildly.
>
> The IP's are not blocks, it's a single IP and the block/blacklist lifts
> after 7 days.
>
> Error that appears on those websites, including imperva themself:
> This page can't be displayed. Contact support for additional information.
> The incident ID is: N/A.
>
>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Hugo Slabbert]

You're getting hit with something reported as "TCP-AMP" (I'm assuming TCP
amplification; not sure what's classifying this for you) on your IP
address, and then shortly thereafter that IP address is blocked from
Imperva's services?  Are the source IP addresses in those "TCP-AMP" attacks
Sony IP addresses?  That does start to sound like someone is bouncing TCP
off of you (send you a SYN with spoofed Sony source IP address; have your
devices respond with TCP SYN+ACK).  It would still be unwise of Imperva to
flag the address, but that could be the mechanism here, perhaps?

-- 
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal


On Wed, Jan 8, 2020 at 1:06 PM Octolus Development 
wrote:

> The thing is.
>
> I can buy a brand new IP.
> It works fine on the websites.
>
> The moment it's hit by a DDoS Attack (TCP-AMP) .. Only 24-48 hours later,
> it's banned from all Inculpsa's aka Imperva's websites :) so something is
> horrible done wrong on their end and they're not interested in helping..
> neither is Sony.
>
> On 08.01.2020 20:26:14, Lukas Tribus  wrote:
> Hello,
>
>
> On Wed, 8 Jan 2020 at 18:26, Octolus Development wrote:
> >
> > The error it displays on both Sony, and Imperva (and whatever websites
> who uses their protection). So this problem is not with Sony, but rather
> Imperva blocking IP's wildly.
> >
> > The IP's are not blocks, it's a single IP and the block/blacklist lifts
> after 7 days.
> >
> > Error that appears on those websites, including imperva themself:
> > This page can't be displayed. Contact support for additional
> information.
> > The incident ID is: N/A.
>
> That looks like a WAF, so reflection/spoofing is probably *not* the
> reason your IPs ended up on those lists.
>
> I assume what you see looks similar to what this returns (a request
> that looks like a sql injection):
>
> https://www.imperva.com/bla%20OR%201=1
>
>
> A few of those hits, or crossing a certain threshold per IP (very easy
> for CGN IPs), and your IP probably ends up on those lists I guess. And
> of course those endpoints are not IPv6 enabled, so behind CGN the end
> customers shares his luck with it's neighbors even if everything is
> IPv6 enabled.
>
>
> Imperva, is that the "cybersecurity firm" that was breached 6 months ago?
>
>
> https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/
>
>
>
> Lukas
>
>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

The thing is.

I can buy a brand new IP.
It works fine on the websites.

The moment it's hit by a DDoS Attack (TCP-AMP) .. Only 24-48 hours later, it's 
banned from all Inculpsa's aka Imperva's websites :) so something is horrible 
done wrong on their end and they're not interested in helping.. neither is Sony.
On 08.01.2020 20:26:14, Lukas Tribus  wrote:
Hello,


On Wed, 8 Jan 2020 at 18:26, Octolus Development wrote:
>
> The error it displays on both Sony, and Imperva (and whatever websites who 
> uses their protection). So this problem is not with Sony, but rather Imperva 
> blocking IP's wildly.
>
> The IP's are not blocks, it's a single IP and the block/blacklist lifts after 
> 7 days.
>
> Error that appears on those websites, including imperva themself:
> This page can't be displayed. Contact support for additional information.
> The incident ID is: N/A.

That looks like a WAF, so reflection/spoofing is probably *not* the
reason your IPs ended up on those lists.

I assume what you see looks similar to what this returns (a request
that looks like a sql injection):

https://www.imperva.com/bla%20OR%201=1


A few of those hits, or crossing a certain threshold per IP (very easy
for CGN IPs), and your IP probably ends up on those lists I guess. And
of course those endpoints are not IPv6 enabled, so behind CGN the end
customers shares his luck with it's neighbors even if everything is
IPv6 enabled.


Imperva, is that the "cybersecurity firm" that was breached 6 months ago?

https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/



Lukas

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Lukas Tribus]

Hello,


On Wed, 8 Jan 2020 at 18:26, Octolus Development  wrote:
>
> The error it displays on both Sony, and Imperva (and whatever websites who 
> uses their protection). So this problem is not with Sony, but rather Imperva 
> blocking IP's wildly.
>
> The IP's are not blocks, it's a single IP and the block/blacklist lifts after 
> 7 days.
>
> Error that appears on those websites, including imperva themself:
> This page can't be displayed. Contact support for additional information.
> The incident ID is: N/A.

That looks like a WAF, so reflection/spoofing is probably *not* the
reason your IPs ended up on those lists.

I assume what you see looks similar to what this returns (a request
that looks like a sql injection):

https://www.imperva.com/bla%20OR%201=1


A few of those hits, or crossing a certain threshold per IP (very easy
for CGN IPs), and your IP probably ends up on those lists I guess. And
of course those endpoints are not IPv6 enabled, so behind CGN the end
customers shares his luck with it's neighbors even if everything is
IPv6 enabled.


Imperva, is that the "cybersecurity firm" that was breached 6 months ago?

https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/



Lukas

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

The error it displays on both Sony, and Imperva (and whatever websites who uses 
their protection). So this problem is not with Sony, but rather Imperva 
blocking IP's wildly.

The IP's are not blocks, it's a single IP and the block/blacklist lifts after 7 
days. 


Error that appears on those websites, including imperva themself:

This page can't be displayed. Contact support for additional information.
The incident ID is: N/A.




On 08.01.2020 18:22:09, Lukas Tribus  wrote:
Hello,

On Wed, 8 Jan 2020 at 16:53, Octolus Development wrote:
> But here's the funny part, when connecting to their own website imperva.com
> from those IP's -- we are getting the exactly same error code that Sony are
> returning.

And what error code / full error is that *exactly*?


I assumed we where talking about a complete IP block here (no response
at all), apparently that is not the case.



Lukas

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Lukas Tribus]

Hello,

On Wed, 8 Jan 2020 at 16:53, Octolus Development  wrote:
> But here's the funny part, when connecting to their own website imperva.com
> from those IP's -- we are getting the exactly same error code that Sony are
> returning.

And what error code / full error is that *exactly*?


I assumed we where talking about a complete IP block here (no response
at all), apparently that is not the case.



Lukas

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

Tracked it down.
Sony are using "Imperva" which is former Incapsula.


The IP's that was attacked by this DDoS Attack, have been added to their 
threatradar, their phone support (Imperva) literally hangs up the call when you 
try to question if they can provide more information about why the IP's are 
blocked. They said since I am not Sony, I can not request information.

But here's the funny part, when connecting to their own website imperva.com 
from those IP's -- we are getting the exactly same error code that Sony are 
returning. Indicating that Imperva is the main problem here, they seem to block 
spoofed IP's.
On 07.01.2020 21:20:08, Hugo Slabbert  wrote:
Well, in almost any* case blacklisting reflection vectors by IP is an insanely 
bad practice.
* — I can *think* of a use case when this could be an appropriate solution (I 
recall Netscout/Arbor once had such a use case), but in the overwhelming 
majority of incidents it is absolutely not, and you need to be one hundred 
percent sure you know what you're doing.

Agreed; drop the vector not the address, but was looking to just clarify the 
direction of things a bit.

NB: I have just checked the IP addresses the OP has provided me with
(offlist) against our database of known reflection sources, and I
confirm that none of those seem to ever host UDP software vulnerable
to amplification

ty; good to know.

They decide to completely ignore the emails, it seems like we're being either 
spoofed or people are attacking us with Sony's IP space.

So you're getting inbound traffic that has Sony IP space source addresses in 
it? That does start to sound more like people trying to reflect off of you to 
Sony. What's the protocol and destination ports on the traffic you're receiving 
with Sony source addresses (and the source ports for good measure, if they're 
fairly consistent)?

--
Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com [mailto:h...@slabnet.com]
pgp key: B178313E | also on Signal


On Tue, Jan 7, 2020 at 10:54 AM Töma Gavrichenkov mailto:xima...@gmail.com]> wrote:

Peace,

On Tue, Jan 7, 2020 at 9:10 PM Hugo Slabbert mailto:h...@slabnet.com]> wrote:
> And you're sure that you are the reflection target not the reflection vector?

NB: I have just checked the IP addresses the OP has provided me with
(offlist) against our database of known reflection sources, and I
confirm that none of those seem to ever host UDP software vulnerable
to amplification.

--
Töma

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Hugo Slabbert]

>
> Well, in almost any* case blacklisting reflection vectors by IP is an
> insanely bad practice.
> * — I can *think* of a use case when this could be an appropriate solution
> (I recall Netscout/Arbor once had such a use case), but in the overwhelming
> majority of incidents it is absolutely not, and you need to be one hundred
> percent sure you know what you're doing.


Agreed; drop the vector not the address, but was looking to just clarify
the direction of things a bit.

NB: I have just checked the IP addresses the OP has provided me with
> (offlist) against our database of known reflection sources, and I
> confirm that none of those seem to ever host UDP software vulnerable
> to amplification


ty; good to know.

They decide to completely ignore the emails, it seems like we're being
> either spoofed *or people are attacking us with Sony's IP space*.


So you're getting inbound traffic that has Sony IP space source addresses
in it?  That does start to sound more like people trying to reflect off of
you to Sony.  What's the protocol and destination ports on the traffic
you're receiving with Sony source addresses (and the source ports for good
measure, if they're fairly consistent)?

-- 
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal


On Tue, Jan 7, 2020 at 10:54 AM Töma Gavrichenkov  wrote:

> Peace,
>
> On Tue, Jan 7, 2020 at 9:10 PM Hugo Slabbert  wrote:
> > And you're sure that you are the reflection target not the reflection
> vector?
>
> NB: I have just checked the IP addresses the OP has provided me with
> (offlist) against our database of known reflection sources, and I
> confirm that none of those seem to ever host UDP software vulnerable
> to amplification.
>
> --
> Töma
>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Töma Gavrichenkov]

Peace,

On Tue, Jan 7, 2020 at 9:10 PM Hugo Slabbert  wrote:
> And you're sure that you are the reflection target not the reflection vector?

NB: I have just checked the IP addresses the OP has provided me with
(offlist) against our database of known reflection sources, and I
confirm that none of those seem to ever host UDP software vulnerable
to amplification.

--
Töma

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Octolus Development]

No, that's only for "Account Takeover".. And those problems we've solved. That 
was false reports, and we got whitelisted.

However with this issue? They decide to completely ignore the emails, it seems 
like we're being either spoofed or people are attacking us with Sony's IP 
space. What happens, is really difficult to determine without some contact with 
Sony to confirm what's the real problem. But that seems impossible now.
On 07.01.2020 19:16:10, Josh Luthman  wrote:
To be fair they do contact you. It's an automated process that's done daily and 
it has a light amount of information.

The rest is totally accurate - the Playstation network stuff is an absolute 
joke (think back to how they were down for MONTHS).


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Tue, Jan 7, 2020 at 1:14 PM Tony Wicks mailto:t...@wicks.co.nz]> wrote:

Good luck! I’ve dealt with such PSN IP blocking issues for several years and 
have found that Sony is the absolute worst possible gaming/content provider 
I’ve ever dealt with. One company I worked at had to threaten legal action as 
PSN would block CGN IPv4 addresses on their network and then tell customers to 
contact the ISP as it’s the ISP’s fault. At the same time PSN would provide no 
useful or actionable information to the ISP as to why they has implemented 
almost random IP blocking on their network. Not once was any issue raised in 
regard to their biggest competitor. The sheer arrogance shown by their 
management at the time was infuriating, it was a you are not big enough to 
waste our precious time on attitude.
On Mon, Jan 6, 2020 at 1:27 PM Octolus Development mailto:ad...@octolus.net]> wrote:
Hi all,
We've been trying to get in contact with Sony and/or Akamai to resolve an IP 
blacklisting issue.
Support is not useful, and our customers are complaining.
If anyone has a POC for somebody over at Sony or PSN who can help us resolve 
these issues, it would be much appreciated!

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Töma Gavrichenkov]

Peace,

On Tue, Jan 7, 2020, 9:10 PM Hugo Slabbert  wrote:

> And you're sure that you are the reflection target not the reflection
> vector?
>

Well, in almost any* case blacklisting reflection vectors by IP is an
insanely bad practice.

* — I can *think* of a use case when this could be an appropriate solution
(I recall Netscout/Arbor once had such a use case), but in the overwhelming
majority of incidents it is absolutely not, and you need to be one hundred
percent sure you know what you're doing.

--
Töma

>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Josh Luthman]

To be fair they do contact you.  It's an automated process that's done
daily and it has a light amount of information.

The rest is totally accurate - the Playstation network stuff is an absolute
joke (think back to how they were down for MONTHS).

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Tue, Jan 7, 2020 at 1:14 PM Tony Wicks  wrote:

> Good luck! I’ve dealt with such PSN IP blocking issues for several years
> and have found that Sony is the absolute worst possible gaming/content
> provider I’ve ever dealt with. One company I worked at had to threaten
> legal action as PSN would block CGN IPv4 addresses on their network and
> then tell customers to contact the ISP as it’s the ISP’s fault. At the same
> time PSN would provide no useful or actionable information to the ISP as to
> why they has implemented almost random IP blocking on their network. Not
> once was any issue raised in regard to their biggest competitor. The sheer
> arrogance shown by their management at the time was infuriating, it was a
> you are not big enough to waste our precious time on attitude.
>
>
>
>
>
>
>
>
>
> On Mon, Jan 6, 2020 at 1:27 PM Octolus Development 
> wrote:
>
> Hi all,
>
>
>
> We've been trying to get in contact with Sony and/or Akamai to resolve an
> IP blacklisting issue.
>
>
>
> Support is not useful, and our customers are complaining.
>
>
>
> If anyone has a POC for somebody over at Sony or PSN who can help us
> resolve these issues, it would be much appreciated!
>
>
>
>

RE: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Tony Wicks]

Good luck! I’ve dealt with such PSN IP blocking issues for several years and 
have found that Sony is the absolute worst possible gaming/content provider 
I’ve ever dealt with. One company I worked at had to threaten legal action as 
PSN would block CGN IPv4 addresses on their network and then tell customers to 
contact the ISP as it’s the ISP’s fault. At the same time PSN would provide no 
useful or actionable information to the ISP as to why they has implemented 
almost random IP blocking on their network. Not once was any issue raised in 
regard to their biggest competitor. The sheer arrogance shown by their 
management at the time was infuriating, it was a you are not big enough to 
waste our precious time on attitude.

 

 

 

 

On Mon, Jan 6, 2020 at 1:27 PM Octolus Development mailto:ad...@octolus.net> > wrote:

Hi all,

 

We've been trying to get in contact with Sony and/or Akamai to resolve an IP 
blacklisting issue.

 

Support is not useful, and our customers are complaining. 

 

If anyone has a POC for somebody over at Sony or PSN who can help us resolve 
these issues, it would be much appreciated!

 

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Hugo Slabbert]

And you're sure that you are the reflection target not the reflection
vector?
As in it's definitely the case that you are the *target* here (your IP
addresses are being spoofed, and the reflection attack is hitting you)
rather than that someone is abusing endpoints in your network, i.e.
reflecting off of your endpoints with Sony's addresses as the spoofed
source such that Sony is getting targeted?

If the former: How is Sony involved there?  Are people spoofing your source
addresses and trying to reflect off of Sony?  Or how else did Sony catch
wind of it?

-- 
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal


On Tue, Jan 7, 2020 at 9:58 AM Töma Gavrichenkov  wrote:

> Peace,
>
> On Mon, Jan 6, 2020, 9:27 PM Octolus Development 
> wrote:
>
>> We're facing some reflected DDoS attacks, where the source address is
>> spoofed to appear to be our IPs, and as a result getting blacklisted.
>> Sony's support has told us to "change IPs"
>>
>
> Wait, are they blacklisting spoofed IP(v4?) addresses?  If so, this is
> hilarious.  When at some point they will finally blacklist the whole 0/0,
> the problem will be solved by itself.
>
> Still, are you completely sure this is the accurate description of what
> they are doing?
>
> --
> Töma
>
>>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Töma Gavrichenkov]

Peace,

On Mon, Jan 6, 2020, 9:27 PM Octolus Development  wrote:

> We're facing some reflected DDoS attacks, where the source address is
> spoofed to appear to be our IPs, and as a result getting blacklisted.
> Sony's support has told us to "change IPs"
>

Wait, are they blacklisting spoofed IP(v4?) addresses?  If so, this is
hilarious.  When at some point they will finally blacklist the whole 0/0,
the problem will be solved by itself.

Still, are you completely sure this is the accurate description of what
they are doing?

--
Töma

>

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Josh Luthman]

Went through this last year.  They simply didn't do anything productive.
You have to change IPs if you want a quick resolution.  They should email
the POC for the IP (I think towards the end of the day) as to what happened
and I believe a time frame when it will get resolved.

Hopefully someone with more than basic (or no) technical capacity can
contact you and fix this stupid problem, but I would not count on it =(

It is a Sony problem, not Akamai.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Mon, Jan 6, 2020 at 1:27 PM Octolus Development 
wrote:

> Hi all,
>
> We've been trying to get in contact with Sony and/or Akamai to resolve an
> IP blacklisting issue.
>
> Support is not useful, and our customers are complaining.
>
> If anyone has a POC for somebody over at Sony or PSN who can help us
> resolve these issues, it would be much appreciated!
>
> We're facing some reflected DDoS attacks, where the source address is
> spoofed to appear to be our IPs, and as a result getting blacklisted.
> Sony's support has told us to "change IPs", which just isn't realistic, so
> we're looking for someone actually at the NOC.
>
> Already been in touch with SNEI-NOC, which has completely ignored our
> emails. They only seem to respond to the normal "Account Takeover"
> requests, or whitelist requests. All of my IP's are already whitelisted,
> but there seems to be a DDoS Attack that will ban anyone's IP from
> Sony/PlayStation Network.
>
> Akamai's also been giving us the runaround, and told us it's purely a Sony
> problem, so we're trying to get to the right POC to get this issue resolved
>
> Thanks in advance!
>