
I am currently operating a free VPN service and lately I've been getting a lot of abuse emails from the Sony PlayStation Network saying that there is brute forcing coming from my server IPs against their users' account API.

Email Below:

To whom it may concern,

Pursuant to Sony Interactive Entertainment LLC ("SIE") corporate policy, the below IP addresses were blacklisted from using our services because SIE detected activity that is abusive to our network services. In our determination, the abusive activity was not related to velocity or volume (many users behind the same IP address, i.e. NAT), but matched the specific patterns of known abuse of our publicly available services. This abuse may be the result of a computer on your network that has been compromised and is participating in a botnet abuse of our services.

The following table of IP addresses, dates and times should help you correlate the origin of the abusive activity. The time stamps are approximate from our logs. The actual timing of the events depends on the signature matched. It is very likely to have occurred both before, during and following the times listed.

Approximate Time Range (UTC)              | IP Address | Reason
2017-04-17 08:22 ~ 2017-04-17 08:52 (UTC) |            | Account Takeover Attempts

It is most likely the attack traffic is directed at one of the following endpoints:

account.sonyentertainmentnetwork.com
auth.np.ac.playstation.net
auth.api.sonyentertainmentnetwork.com
auth.api.np.ac.playstation.net

These endpoints on our network are resolved by Geo DNS, so the IP addresses they resolve to will depend on the originating IP address.

The destination port will be TCP 443.

Please take the necessary measures to correct the malicious activity from the above-listed IP addresses as soon as possible to avoid any further disruptions. If we were to remove any of these IP addresses from the blacklist and subsequent abusive activity is detected, the IP address will be promptly blacklisted again.

We thank you for your prompt attention to this matter. If you require assistance or additional information please contact snei-noc-abuse@am.sony.com and include the IP address in question.

Usually I could simply resolve their DNS and block their IPs in iptables so that the offending users cannot even connect to their API; however, they have mentioned they are using Geo DNS, which makes it fairly impossible to pinpoint all of their IPs, since you would have to resolve their DNS from all over the world to get them (and even then it is just a guess whether you have them all).

Do I have any other options to block the above hostnames which have GEO DNS?

  • You could of course simply ask the Sony NOC for the correct IP ranges to block... – HBruijn Apr 26 '17 at 06:22
  • I have asked but instead they replied with this stating that they cannot give them because they do not know the IP ranges: `"Hello, The IP addresses for the end points are changed based on different region, and all of our endpoints are fronted by a third party globally distributed reverse proxy. That means we do not know or control the list of destination IP addresses. They are subject to change at any time based on the needs of the third party. So unfortunately we cannot tell you the list."` – samgreeneggsham Apr 26 '17 at 06:35

2 Answers


Firewalling a geographically-distributed service is likely to be an impossible task, as Sony have mentioned: they use geographically-resolved DNS (as do most large organisations with global infrastructure) to direct customers at the endpoint closest to them.

My recommendation is to find which clients are directing traffic at those endpoints, and block them. Free or not, abuse should not be tolerated on any service.

Craig Watson

Providing a free VPN service, probably without checking the users, tends to cause this kind of problem. The big picture is that Sony Interactive Entertainment LLC may not be the only victim, but they are kind enough to inform you about the problem. If you just wish to solve the problem for them, they have already taken enough action by blocking your IP.

If you care about the reputation of your service and your IP / IP block, you should try to prevent abuse on a larger scale. As your server is not compromised, you can use the server itself to monitor the traffic. There are several open source intrusion detection tools, e.g. Snort, Suricata and Bro-IDS. Another option is to have some kind of unified threat management (UTM) device between your server and the Internet, automatically blocking malicious connections. Either way, these tools are not just there to protect you from the wild Internet, but to protect the Internet from malicious activities that occur through your service.

Esa Jokinen
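Both answers above come down to the same point: stop chasing the destination IPs (which are GeoDNS-resolved and, per Sony's reply, fronted by a third-party reverse proxy whose addresses change) and instead identify which VPN clients are talking to the four hostnames in the notice. Since the traffic goes to TCP 443, the one thing that stays constant whichever IP the name resolves to is the hostname itself, sent in cleartext in the TLS ClientHello's server_name (SNI) extension. The following is an added example, not code from the question or from either answer: a minimal SNI parser plus a function that takes (client IP, destination port, first payload bytes) tuples, such as you could pull from a packet capture on the VPN interface, and returns which clients contacted the listed hostnames. The client addresses (RFC 5737 documentation ranges) and the ClientHello bytes are constructed sample data, not captured traffic; the hostname set is the one from Sony's email.

```python
import struct

# The four hostnames named in Sony's abuse notice.
ABUSE_HOSTS = {
    "account.sonyentertainmentnetwork.com",
    "auth.np.ac.playstation.net",
    "auth.api.sonyentertainmentnetwork.com",
    "auth.api.np.ac.playstation.net",
}


def extract_sni(payload):
    """Return the host_name from a TLS ClientHello's server_name extension,
    or None if the payload is not a ClientHello or carries no SNI."""
    # TLS record header: content type (0x16 = handshake), version (2), length (2).
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    rec = payload[5:5 + rec_len]
    # Handshake header: message type (0x01 = ClientHello), 3-byte length.
    if len(rec) < 4 or rec[0] != 0x01:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    pos = 2 + 32                                          # client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                    # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                    # compression_methods
    if len(hs) < pos + 2:
        return None                                       # no extensions block (old TLS)
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(hs)):
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:                            # server_name, RFC 6066
            # ServerNameList: list length (2), name_type (1; 0 = host_name),
            # host_name length (2), host_name bytes.
            if len(data) < 5 or data[2] != 0x00:
                return None
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None


def build_client_hello(hostname):
    """Construct a minimal TLS ClientHello carrying the given SNI (sample data
    for the example; a real client sends more suites and extensions)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    # A signature_algorithms extension placed before SNI, so the parser has to
    # walk past an unrelated extension rather than assume SNI comes first.
    sigalg_ext = struct.pack("!HH", 0x000d, 4) + b"\x00\x02\x04\x01"
    exts = sigalg_ext + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32            # version, random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def find_abusive_clients(flows, watch=ABUSE_HOSTS):
    """flows: iterable of (client_ip, dst_port, first_payload_bytes).
    Returns {client_ip: set(of matched hostnames)} for clients whose TLS
    connections named one of the watched hosts."""
    hits = {}
    for client_ip, dst_port, payload in flows:
        if dst_port != 443:
            continue
        sni = extract_sni(payload)
        if sni and sni.lower() in watch:
            hits.setdefault(client_ip, set()).add(sni.lower())
    return hits


# Constructed sample flows (RFC 5737 addresses), not real captured traffic.
SAMPLE_FLOWS = [
    ("198.51.100.7", 443, build_client_hello("auth.np.ac.playstation.net")),
    ("198.51.100.7", 443, build_client_hello("auth.api.np.ac.playstation.net")),
    ("198.51.100.23", 443, build_client_hello("www.example.com")),
    ("198.51.100.42", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("198.51.100.9", 443, b"\x16\x03\x01\x00\x03\x02\x00\x00"),   # truncated, not a ClientHello
]

if __name__ == "__main__":
    for ip, names in sorted(find_abusive_clients(SAMPLE_FLOWS).items()):
        print(ip, "->", ", ".join(sorted(names)))
```

Feeding this from live traffic (a tcpdump/pcap reader on the VPN interface filtered to TCP 443, or an NFQUEUE hook) is left out; only the first data packet of each flow matters, since that is where the ClientHello sits. Treat the result as a triage signal rather than proof: a client can omit or forge SNI, and the parser bounds-checks rather than trusting the advertised lengths, so a truncated or malformed record simply yields None. The same hostname-based idea can be turned into a block on the server with iptables' string match on port 443 (`-m string --algo bm --string "auth.np.ac.playstation.net"`), which sidesteps the GeoDNS problem entirely because it never depends on the destination IP.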