I keep getting Account Takeover Attempt abuses on my Tor exit, and I'm not sure how to handle them:
It is most likely the attack traffic is directed at one of the following endpoints:
account.sonyentertainmentnetwork.com
auth.np.ac.playstation.net
auth.api.sonyentertainmentnetwork.com
auth.api.np.ac.playstation.net
These endpoints on our network are resolved by Geo DNS, so the IP addresses they resolve to will depend on the originating IP address.
The destination port will be TCP 443.
I used 'dig' and 'ping' to see what IP addresses the 4 endpoints resolved to, and blocked the resulting addresses, but I'm still getting the abuse. The Whois records show Sony and PSN owning 63.x.x.x, 64.x.x.x, 68.x.x.x, and 108.x.x.x addresses, but the websites above resolve to 23.x.x.x, so either the lists are incomplete or I'm doing something wrong.
Any ideas?