Trying to summarize here, this convo has been a bit disjointed. 

Is this an accurate summary?

- The malicious traffic with spoofed sources is targeting multiple different destinations.
- The aggregate of all those flows is causing Impervia to flag your IP range as a bad actor. 
- Sony uses Impervia blacklists, and since Impervia has flagged your space as bad, Sony is blocking you. 

If that is true, my advice would be to go right to Impervia. Explain the situation, and ask for their assistance in identifying and or/reaching out to the networks that they are detecting this spoofed traffic coming from. The backscatter, as Jared said earlier, could probably help you a bit too, but Impervia should be willing to assist. It's in their best interests to not have false positives, but who knows. 

On Tue, Jan 28, 2020 at 6:17 AM Octolus Development <admin@octolus.net> wrote:
The problem is that they are spoofing our IP, to millions of IP's running port 80.
Making upstream providers filter it is quite difficult, i don't know all the upstream providers are used. 

The main problem is honestly services that reports SYN_RECV as Port Flood, but there isn't much one can do about misconfigured firewalls.I am sure there is a decent amount of honeypots on the internet acting the same way, resulting us (the victims of the attack) getting blacklisted for 'sending' attacks.

On 28.01.2020 05:50:14, "Dobbins, Roland" <roland.dobbins@netscout.com> wrote:



On Jan 28, 2020, at 11:40, Dobbins, Roland <Roland.Dobbins@netscout.com> wrote:

And even if his network weren't on the receiving end of a reflection/amplification attack, OP could still see backscatter, as Jared indicated. 

In point of fact, if the traffic was low-volume, this might in fact be what he was seeing. 

--------------------------------------------

Roland Dobbins <roland.dobbins@netscout.com>