The problem is that they are spoofing our IP, to millions of IP's running port 80.
Making upstream providers filter it is quite difficult, i don't know all the upstream providers are used. 

The main problem is honestly services that reports SYN_RECV as Port Flood, but there isn't much one can do about misconfigured firewalls.I am sure there is a decent amount of honeypots on the internet acting the same way, resulting us (the victims of the attack) getting blacklisted for 'sending' attacks.

On 28.01.2020 05:50:14, "Dobbins, Roland" <roland.dobbins@netscout.com> wrote:



On Jan 28, 2020, at 11:40, Dobbins, Roland <Roland.Dobbins@netscout.com> wrote:

And even if his network weren't on the receiving end of a reflection/amplification attack, OP could still see backscatter, as Jared indicated. 

In point of fact, if the traffic was low-volume, this might in fact be what he was seeing. 

--------------------------------------------

Roland Dobbins <roland.dobbins@netscout.com>