On 27.01.2020 21:29:11, Damian Menscher <damian@google.com> wrote:
One approach would be to trace the true origin of the spoofed packets, and get it filtered by their upstream. To that end, can you share some details of a recent tcp-amp attack? Eg, the victim IP and a timestamp?DamianOn Mon, Jan 27, 2020 at 12:06 PM Octolus Development <admin@octolus.net> wrote:Hey everyone, decided to do a small update for those who are interested.- Sony reached out to me, they whitelisted our IP's temporarily but then removed them. We have not heard from them since (10th January)- We tracked down the cause of the blacklist, it is happening because we are a victim of a TCP-AMP DDoS Attack.The TCP-AMP Attack works like this;- The attacker spoofs our server's ip, to thousands of services running a web server on port 80.- These web services, then respond back to our server - thinking we're the one that made a request.It seems like hundreds of these web servers that are receiving those spoofed requests from our IP, runs CSF or some kind of firewall system that automatically detects many connections to their web server. And automatically reports it to multiple different services, which ends up in us getting blacklisted.Imperva, which is what Sony uses are importing blacklists from multiple different trusted databases.. Which is how we're getting banned by Sony. Which uses Imperva on all their services, as their web firewall.The solution? There isn't really any. We are the victim here, the attackers are spoofing attacks from our IP's - and the services that are reflecting back to us, are reporting us for "attacking" them even though the requests are fully spoofed.On 10.01.2020 19:51:10, Mark Milhollan <mlm@pixelgate.net> wrote:
On Fri, 10 Jan 2020, Octolus Development wrote:
>I run a VPN Business dedicated to protecting clients from DDoS Attacks
>that happens "all day long" on PlayStation Network. We need our VPN to
>work on PSN, all our customers uses their service.
>
>They are still investigating the problem, let's see what the results will be.
Does your VPN provide what Sony cares about, which I do not know but
might include things like only exiting CH customers via CH end-points /
proxies so that non-CH (e.g., UK) only content can be blocked -- if not
you may never gain traction with them and even if you do it might be
quite hard to prove to their satisfaction.
/mark