Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-24 Thread Bottiger
I thought you said this on your blog? https://blog.octovpn.com/the-ddos-that-bans-you/ "We are the first VPN on the market to come up with a solution for this, and that's why we are who we are. We're keeping our method completely private for no

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-21 Thread Tom Beecher
It is spoofing, but it is also absolutely amplification. Look at the preso that Damian linked: https://www.usenix.org/conference/woot14/workshop-program/presentation/kuhrer Hope that this doesn't become one of the 'services' that you provide! :) On Thu, Feb 20, 2020 at 6:40 PM Jean | ddostest.me

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-21 Thread Selphie Keller
Yeah, this type of attack is a pain in the ass to deal with. Attacker is spoofing your IP addresses to millions of random web servers all over the Internet that see it as a typical SYN Flood; those with automated reporting are likely blowing up OVH's abuse@, making a pain for them as well. However, O

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-21 Thread Denys Fedoryshchenko
Good luck responding to such SYN/ACK, when you get 10+Gbps of them (real case happened a while ago with a colleague). Sure, those SYN/ACK are not from a single location, and attackers might use a whole /24 for SYN spoofing. On 2020-02-21 03:34, Amir Herzberg wrote: If I read your description correctly:

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-21 Thread Amir Herzberg
hhh well Damian, Ok, I guess a free service has some costs :) More seriously, did you try to follow up and explain how dropping your RST packets may be exactly the reason for the attacker to abuse your IP space for the attack? Also, you may ask the provider of the victim to block SYN packets from

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Damian Menscher via NANOG
Amir: you're exactly correct -- but since you asked, here's their answer from the last time I suggested they respond with RSTs: https://seclists.org/nanog/2020/Jan/612 Damian On Thu, Feb 20, 2020 at 5:36 PM Amir Herzberg wrote: > If I read your description correctly: > > - Attacker sends spoofe

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Damian Menscher via NANOG
On Thu, Feb 20, 2020 at 3:40 PM Jean | ddostest.me via NANOG <nanog@nanog.org> wrote: > It doesn't sound to be a real amplification.. If it is, can anyone provide > the amplification factor? 1x? > > It sounds more like a TCP spoofing. > Some reading for you: https://www.usenix.org/conference/woo

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Amir Herzberg
If I read your description correctly: - Attacker sends spoofed TCP SYN from your IP address(es) and different src ports, to some TCP servers (e.g. port 80) - TCP servers respond with SYN/ACK; many servers resend the SYN/ACK hence amplification. - *** your system does not respond *** - Servers m

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Jean | ddostest.me via NANOG
It doesn't sound to be a real amplification.. If it is, can anyone provide the amplification factor? 1x? It sounds more like a TCP spoofing. Jean On 2020-02-20 18:22, Töma Gavrichenkov wrote: Peace, On Fri, Feb 21, 2020, 1:57 AM Filip Hruska > wrote: [..] OVH has

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Töma Gavrichenkov
Peace, On Fri, Feb 21, 2020, 1:57 AM Filip Hruska wrote: > [..] OVH has been offering DDOS protection capable of soaking up hundreds > of gigabits+ per second as a standard with all their services for a long > time > They only do it for common trivial vectors like UDP-based amplification — and o

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Filip Hruska
Hello, Since OVH has been offering DDOS protection capable of soaking up hundreds of gigabits+ per second as a standard with all their services for a long time, I'm assuming this is a miscommunication / standard support response. I would try to get in touch with the network team and include

Re: Forest HQ Has Received Your Message: Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Töma Gavrichenkov
Help saving precious resources by unsubscribing from the NANOG mailing list, or I will have to report the abuse. On Fri, Feb 21, 2020, 1:39 AM Electric Forest Festival < i...@electricforestfestival.com> wrote: > > *Electric Forest 2020 will take place on June 25-28, 2020.* > > Forest HQ has recei

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Töma Gavrichenkov
Peace, On Fri, Feb 21, 2020, 1:18 AM Octolus Development wrote: > OVH are threatening to kick us off their network, because we are victims > of this attack. > Most of the hosting companies will do that to you because you're causing degradation of service quality for other customers. Especially

TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Octolus Development
A very old attack method called TCP-AMP ( https://pastebin.com/jYhWdgHn ) has been getting really popular recently. I've been a victim of it multiple times on many of my IPs and every time it happens - my IPs end up getting blacklisted in major big databases. W