One approach would be to trace the true origin of the spoofed packets, and get it filtered by their upstream. To that end, can you share some details of a recent tcp-amp attack? E.g., the victim IP and a timestamp?
Damian

On Mon, Jan 27, 2020 at 12:06 PM Octolus Development <ad...@octolus.net> wrote:
> Hey everyone, decided to do a small update for those who are interested.
>
> - Sony reached out to me, they whitelisted our IPs temporarily but then
> removed them. We have not heard from them since (10th January).
> - We tracked down the cause of the blacklist, it is happening because we
> are a victim of a TCP-AMP DDoS Attack.
>
> The TCP-AMP Attack works like this:
> - The attacker spoofs our server's IP, to thousands of services running a
> web server on port 80.
> - These web services then respond back to our server - thinking we're the
> one that made a request.
>
> It seems like hundreds of these web servers that are receiving those
> spoofed requests from our IP run CSF or some kind of firewall system that
> automatically detects many connections to their web server, and
> automatically reports it to multiple different services, which ends up in
> us getting blacklisted.
>
> Imperva, which is what Sony uses, is importing blacklists from multiple
> different trusted databases, which is how we're getting banned by Sony,
> which uses Imperva on all their services as their web firewall.
>
> The solution? There isn't really any. We are the victim here, the
> attackers are spoofing attacks from our IPs - and the services that are
> reflecting back to us are reporting us for "attacking" them even though
> the requests are fully spoofed.
>
> On 10.01.2020 19:51:10, Mark Milhollan <m...@pixelgate.net> wrote:
> On Fri, 10 Jan 2020, Octolus Development wrote:
>
> >I run a VPN Business dedicated to protecting clients from DDoS Attacks
> >that happen "all day long" on PlayStation Network. We need our VPN to
> >work on PSN, all our customers use their service.
> >
> >They are still investigating the problem, let's see what the results will
> >be.
>
> Does your VPN provide what Sony cares about, which I do not know but
> might include things like only exiting CH customers via CH end-points /
> proxies so that non-CH (e.g., UK) only content can be blocked -- if not
> you may never gain traction with them and even if you do it might be
> quite hard to prove to their satisfaction.
>
>
> /mark
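As an added illustration (not code from anyone in the thread) of why the victim cannot identify the spoofer from its own captures and why the upstream has to be asked: the script below parses constructed tcpdump-style lines as seen at the victim, remembers the SYNs the victim itself sent, and reports inbound SYN-ACKs that answer none of them. The addresses it reports are the reflectors (the web servers whose firewalls file the abuse reports), which together with timestamps is what an upstream can work from; the forged SYNs' real sender never appears. VICTIM and the sample lines are constructed values.

```python
"""Victim-side triage of TCP reflection ("TCP-AMP") backscatter.

Constructed example: parse tcpdump-style summary lines captured at the victim,
remember the SYNs the victim itself sent, and flag inbound SYN-ACKs that answer
none of them. Those SYN-ACKs are reflections of SYNs a third party sent with
the victim's address forged as source. Their source IPs are the reflectors
(the hosts whose firewalls file the abuse reports), not the spoofer.
"""
import re
from collections import Counter

VICTIM = "203.0.113.10"  # constructed address (documentation range)

# Matches "IP 198.51.100.7.80 > 203.0.113.10.44321: Flags [S.], seq ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse(line):
    """Return (src, sport, dst, dport, flags) or None for non-TCP lines."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags

def unsolicited_synacks(lines, victim=VICTIM):
    """Count inbound SYN-ACKs per source that match no SYN the victim sent."""
    sent = set()          # (peer_ip, peer_port, our_port) for each SYN we sent
    reflectors = Counter()
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if src == victim and flags == "S":
            sent.add((dst, dport, sport))
        elif dst == victim and flags == "S." and (src, sport, dport) not in sent:
            reflectors[src] += 1
    return dict(reflectors)

# Constructed capture: one legitimate handshake, then reflected SYN-ACKs
# from two web servers that the victim never contacted.
SAMPLE = [
    "IP 203.0.113.10.51000 > 192.0.2.20.443: Flags [S], seq 1, win 64240, length 0",
    "IP 192.0.2.20.443 > 203.0.113.10.51000: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "IP 198.51.100.7.80 > 203.0.113.10.44321: Flags [S.], seq 3, ack 1, win 29200, length 0",
    "IP 198.51.100.7.80 > 203.0.113.10.44321: Flags [S.], seq 3, ack 1, win 29200, length 0",
    "IP 198.51.100.9.80 > 203.0.113.10.44322: Flags [S.], seq 4, ack 1, win 29200, length 0",
]

if __name__ == "__main__":
    for ip, n in sorted(unsolicited_synacks(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} unsolicited SYN-ACK(s)")
```

Run against a real `tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'` capture, the per-reflector counts and first-seen timestamps are the details an upstream would need.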