Yeah, this type of attack is a pain in the ass to deal with. The attacker is spoofing your IP addresses to millions of random web servers all over the Internet, which see it as a typical SYN flood; those with automated reporting are likely blowing up OVH's abuse@, making it a pain for them as well. However, OVH likely could easily check netflow or some other audit means to see that your server didn't actually send out SYN packets to these servers. They are likely able to confirm the influx of inbound SYN-ACK packets, which can be up to six depending on the TCP/IP stack of the server. The others are correct: if you send out TCP reset rejections you can tear down these bad states on the victim reflector's side to avoid getting retried SYN-ACKs. At this point I would consider whatever IP you have that's getting attacked as burned; your best bet is to drop those affected subnets, get new ones, and avoid getting them exposed to whoever is attacking you. Spoofing issues have been the bane of any operator for years; until all the ASNs are on board with proper anti-spoofing, DDoS abuse of spoofing will be ongoing and always an issue.

On Thu, 20 Feb 2020 at 15:18, Octolus Development <admin@octolus.net> wrote:
A very old attack method called TCP-AMP (https://pastebin.com/jYhWdgHn) has been getting really popular recently.
I've been a victim of it multiple times on many of my IPs, and every time it happens, my IPs end up getting blacklisted in major big databases. We also receive tons of abuse reports for "Port Scanning".
Example of the reports we're getting:

tcp: 51.81.XX.XX:19342 -> 209.208.XX.XX:80 (SYN_RECV)
tcp: 51.81.XX.XX:14066 -> 209.208.XX.XX:80 (SYN_RECV)
OVH are threatening to kick us off their network because we are victims of this attack, and requesting us to do something about it, despite the fact that there is nothing you can do when you are the victim of a DDoS attack.
Anyone else had any problems with these kinds of attacks?
The attack basically works like this:
- The attacker scans the internet for TCP services, i.e. port 80.
- The attacker then sends spoofed requests from our IP to these TCP services, which makes the remote service attempt to connect to us to initiate the handshake. This clearly fails.
... which ends up with hundreds of requests to these services, reporting us for "port flood".
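The netflow-style check the reply suggests a provider could run, as an added example that is not code from either poster: given constructed per-packet records for the victim's address, flag inbound SYN-ACKs whose 4-tuple was never opened by an outbound SYN from the victim, which is the signature of spoofed-SYN reflection. All addresses and the record layout are hypothetical.

```python
from typing import Dict, List, Set, Tuple

# Constructed records in the spirit of a netflow or pcap summary. Each tuple is
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags). "10.0.0.5" is a
# hypothetical victim address; the 198.51.100.x / 203.0.113.x hosts are
# hypothetical peers and reflectors (documentation ranges, not real servers).
VICTIM_IP = "10.0.0.5"

FLOWS = [
    # Legitimate outbound connection: SYN out, SYN-ACK back on the same 4-tuple.
    (1.00, "10.0.0.5", 40001, "198.51.100.7", 443, "S"),
    (1.02, "198.51.100.7", 443, "10.0.0.5", 40001, "SA"),
    # Unsolicited SYN-ACKs: reflectors answering SYNs the victim never sent.
    (2.00, "203.0.113.10", 80, "10.0.0.5", 19342, "SA"),
    (2.01, "203.0.113.11", 80, "10.0.0.5", 14066, "SA"),
    (3.01, "203.0.113.10", 80, "10.0.0.5", 19342, "SA"),  # SYN-ACK retransmit
]


def unsolicited_synacks(flows, victim_ip) -> List[Tuple[float, str, int, int]]:
    """Return (ts, reflector_ip, reflector_port, victim_port) for every inbound
    SYN-ACK to victim_ip that no earlier outbound SYN from victim_ip explains."""
    opened: Set[Tuple[str, int, str, int]] = set()
    unsolicited = []
    for ts, src, sport, dst, dport, flags in sorted(flows, key=lambda f: f[0]):
        if src == victim_ip and flags == "S":
            # Victim genuinely opened this connection; remember the 4-tuple.
            opened.add((src, sport, dst, dport))
        elif dst == victim_ip and flags == "SA":
            # A legitimate SYN-ACK mirrors the outbound SYN's 4-tuple exactly.
            if (dst, dport, src, sport) not in opened:
                unsolicited.append((ts, src, sport, dport))
    return unsolicited


def reflector_summary(flows, victim_ip) -> Dict[str, int]:
    """Count unsolicited SYN-ACKs per reflector. Many distinct reflectors each
    sending a handful of retries (rather than one host sending thousands) is
    the pattern to expect from spoofed-SYN reflection at the victim's edge."""
    counts: Dict[str, int] = {}
    for _, src, _, _ in unsolicited_synacks(flows, victim_ip):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, src, sport, dport in unsolicited_synacks(FLOWS, VICTIM_IP):
        print(f"{ts:6.2f} unsolicited SYN-ACK {src}:{sport} -> {VICTIM_IP}:{dport}")
    print(reflector_summary(FLOWS, VICTIM_IP))
```

The same matching run over the provider's flow export for the affected prefix would show the outbound SYNs simply absent, which is the evidence the reply says OVH could use to tell a reflection victim from a scanner.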