Hi all,
We’ve been trying to get in contact with Sony and/or Akamai to resolve an IP blacklisting issue.
Support is not useful, and our customers are complaining.
If anyone has a POC for somebody over at Sony or PSN who can help us resolve these issues, it would be much appreciated!
We’re facing some reflected DDoS attacks, where the source address is spoofed to appear to be our IPs, and as a result we’re getting blacklisted. Sony’s support has told us to “change IPs”, which just isn’t realistic, so we’re looking for someone actually at the NOC.
Already been in touch with SNEI-NOC, which has completely ignored our emails. They only seem to respond to the normal “Account Takeover” requests, or whitelist requests. All of my IPs are already whitelisted, but there seems to be a DDoS attack that will ban anyone’s IP from Sony/PlayStation Network.
Akamai’s also been giving us the runaround, and told us it’s purely a Sony problem, so we’re trying to get to the right POC to get this issue resolved.
Thanks in advance!
Went through this last year. They simply didn’t do anything productive. You have to change IPs if you want a quick resolution. They should email the POC for the IP (I think towards the end of the day) as to what happened and I believe a time frame when it will get resolved.
Hopefully someone with more than basic (or no) technical capacity can contact you and fix this stupid problem, but I would not count on it =(
It is a Sony problem, not Akamai.
And you’re sure that you are the reflection target not the reflection vector?
As in it’s definitely the case that you are the target here (your IP addresses are being spoofed, and the reflection attack is hitting you) rather than that someone is abusing endpoints in your network, i.e. reflecting off of your endpoints with Sony’s addresses as the spoofed source such that Sony is getting targeted?
If the former: How is Sony involved there? Are people spoofing your source addresses and trying to reflect off of Sony? Or how else did Sony catch wind of it?
Good luck! I’ve dealt with such PSN IP blocking issues for several years and have found that Sony is the absolute worst possible gaming/content provider I’ve ever dealt with. One company I worked at had to threaten legal action as PSN would block CGN IPv4 addresses on their network and then tell customers to contact the ISP as it’s the ISP’s fault. At the same time PSN would provide no useful or actionable information to the ISP as to why they had implemented almost random IP blocking on their network. Not once was any issue raised in regard to their biggest competitor. The sheer arrogance shown by their management at the time was infuriating; it was a “you are not big enough to waste our precious time on” attitude.
To be fair they do contact you. It’s an automated process that’s done daily and it has a light amount of information.
The rest is totally accurate - the Playstation network stuff is an absolute joke (think back to how they were down for MONTHS).
No, that’s only for “Account Takeover”… And those problems we’ve solved. That was false reports, and we got whitelisted.
However with this issue? They decide to completely ignore the emails. It seems like we’re being either spoofed or people are attacking us with Sony’s IP space. What happens is really difficult to determine without some contact with Sony to confirm what the real problem is. But that seems impossible now.
Well, in almost any* case blacklisting reflection vectors by IP is an insanely bad practice.
* I can think of a use case when this could be an appropriate solution (I recall Netscout/Arbor once had such a use case), but in the overwhelming majority of incidents it is absolutely not, and you need to be one hundred percent sure you know what you’re doing.
Agreed; drop the vector not the address, but was looking to just clarify the direction of things a bit.
NB: I have just checked the IP addresses the OP has provided me with (offlist) against our database of known reflection sources, and I confirm that none of those seem to ever host UDP software vulnerable to amplification.
ty; good to know.
> They decide to completely ignore the emails, it seems like we’re being either spoofed or people are attacking us with Sony’s IP space.
So you’re getting inbound traffic that has Sony IP space source addresses in it? That does start to sound more like people trying to reflect off of you to Sony. What’s the protocol and destination ports on the traffic you’re receiving with Sony source addresses (and the source ports for good measure, if they’re fairly consistent)?
Tracked it down.
Sony are using “Imperva” which is former Incapsula.
The IPs that were attacked by this DDoS attack have been added to their ThreatRadar; their phone support (Imperva) literally hangs up the call when you try to ask if they can provide more information about why the IPs are blocked. They said since I am not Sony, I cannot request information.
But here’s the funny part: when connecting to their own website imperva.com from those IPs, we are getting exactly the same error code that Sony is returning, indicating that Imperva is the main problem here. They seem to block spoofed IPs.
The error is displayed on both Sony and Imperva (and whatever websites use their protection). So this problem is not with Sony, but rather Imperva blocking IPs wildly.
The IPs are not blocks; it’s a single IP, and the block/blacklist lifts after 7 days.
Error that appears on those websites, including Imperva themselves:
This page can’t be displayed. Contact support for additional information.
The incident ID is: N/A.
Hello,
> The error is displayed on both Sony and Imperva (and whatever websites use their protection). So this problem is not with Sony, but rather Imperva blocking IPs wildly.
> The IPs are not blocks; it's a single IP, and the block/blacklist lifts after 7 days.
> Error that appears on those websites, including Imperva themselves:
> This page can't be displayed. Contact support for additional information.
> The incident ID is: N/A.
That looks like a WAF, so reflection/spoofing is probably *not* the reason your IPs ended up on those lists.
I assume what you see looks similar to what this returns (a request that looks like a SQL injection):
https://www.imperva.com/bla%20OR%201=1
A few of those hits, or crossing a certain threshold per IP (very easy for CGN IPs), and your IP probably ends up on those lists, I guess. And of course those endpoints are not IPv6 enabled, so behind CGN the end customer shares his luck with his neighbors even if everything is IPv6 enabled.
Imperva, is that the "cybersecurity firm" that was breached 6 months ago?
https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/
Lukas
The thing is.
I can buy a brand new IP.
It works fine on the websites.
The moment it’s hit by a DDoS attack (TCP-AMP) … only 24-48 hours later, it’s banned from all Incapsula’s aka Imperva’s websites,
so something is done horribly wrong on their end and they’re not interested in helping… neither is Sony.
You’re getting hit with something reported as “TCP-AMP” (I’m assuming TCP amplification; not sure what’s classifying this for you) on your IP address, and then shortly thereafter that IP address is blocked from Imperva’s services? Are the source IP addresses in those “TCP-AMP” attacks Sony IP addresses? That does start to sound like someone is bouncing TCP off of you (send you a SYN with spoofed Sony source IP address; have your devices respond with TCP SYN+ACK). It would still be unwise of Imperva to flag the address, but that could be the mechanism here, perhaps?
Peace,
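One way to settle the direction question raised in this thread (are we the reflection target, or the reflector someone bounces SYN+ACKs off) from flow records. This is an added example, not code from anyone in the thread; the flow records and addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are constructed placeholders, and the flag strings "S", "SA", "A" are assumed to come from whatever flow export you have.

```python
from collections import Counter
# Constructed flow records (not from the thread):
# (src_ip, dst_ip, src_port, dst_port, tcp_flags, packets).
# 198.51.100.5 stands in for "our" address; 203.0.113.x stands in for the
# remote space carried in the spoofed packets (the thread says Sony's).
FLOWS_TARGET = [  # we are the victim: SYN+ACK backscatter we never solicited
    ("203.0.113.10", "198.51.100.5", 80, 40001, "SA", 900),
    ("203.0.113.11", "198.51.100.5", 443, 40002, "SA", 870),
    ("203.0.113.12", "198.51.100.5", 80, 40003, "SA", 910),
    ("198.51.100.5", "203.0.113.50", 51000, 443, "S", 1),  # our own session
    ("203.0.113.50", "198.51.100.5", 443, 51000, "SA", 1),
    ("198.51.100.5", "203.0.113.50", 51000, 443, "A", 10),
]
FLOWS_VECTOR = [  # we are the reflector: spoofed SYNs in, our SYN+ACKs out to the spoofed host
    ("203.0.113.10", "198.51.100.5", 40001, 443, "S", 5000),
    ("203.0.113.10", "198.51.100.5", 40002, 443, "S", 4800),
    ("198.51.100.5", "203.0.113.10", 443, 40001, "SA", 5000),
    ("198.51.100.5", "203.0.113.10", 443, 40002, "SA", 4800),
    ("203.0.113.60", "198.51.100.5", 52000, 443, "S", 1),  # a real client
    ("198.51.100.5", "203.0.113.60", 443, 52000, "SA", 1),
    ("203.0.113.60", "198.51.100.5", 52000, 443, "A", 12),
]
def classify(flows, ours="198.51.100.5"):
    """Count both signals and say which way the reflection is going."""
    solicited = set()  # (remote_ip, remote_port) we sent a SYN to
    completed = set()  # remote hosts that ACKed our SYN+ACK (real handshakes)
    for src, dst, sport, dport, flags, _ in flows:
        if src == ours and flags == "S":
            solicited.add((dst, dport))
        elif dst == ours and flags == "A":
            completed.add(src)
    backscatter = Counter()  # SYN+ACKs to us that answer no SYN of ours
    half_open = Counter()    # SYNs from hosts that never finish the handshake
    for src, dst, sport, dport, flags, pkts in flows:
        if dst != ours:
            continue
        if flags == "SA" and (src, sport) not in solicited:
            backscatter[src] += pkts
        elif flags == "S" and src not in completed:
            half_open[src] += pkts
    target, vector = sum(backscatter.values()), sum(half_open.values())
    verdict = ("reflection target" if target > vector else
               "reflection vector" if vector > target else "inconclusive")
    return {"backscatter": target, "half_open_syn": vector, "verdict": verdict,
            "top_sources": [ip for ip, _ in (backscatter + half_open).most_common(3)]}
if __name__ == "__main__":
    for name, flows in (("target", FLOWS_TARGET), ("vector", FLOWS_VECTOR)):
        print(name, classify(flows))
```

The "top_sources" list is what you would hand to the remote network's NOC: in the target case it is the hosts being abused as reflectors, in the vector case it is the address being spoofed.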
Hey, your website says you’re the developer of OctoVPN which is a VPN solution.
This might effectively be the reason for the blocking, not a DDoS. Gaming and streaming services typically discourage VPN traffic because a) VPNs help to circumvent regional restrictions, b) miscreants use VPNs to hide while breaking into systems, c) other reasons.
Imperva is a Web app firewall solution much more than it is a DDoS protection device after all.
No, that is not why.
We deployed a brand new IP, and it was banned 24-48 hours after the DDoS attack hit. The other IP that was never attacked never got banned. We’ve tracked down the issue and confirmed it is the DDoS attack coming from Akamai and Imperva’s IPs that is banning us from their network somehow.
Sony are currently “looking into it” but they do not seem to care much. I am a customer of Sony, I own PlayStation consoles and I am not able to access their service. They tell me to change my IP instead of solving the actual problem with this exploit.
Stop doing business with Criminal Organizations (SONY). Problem solved.
You (as a provider) may not do any business with them, but your customers may, and will yell at you if/when it doesn't work.