Hi nanog,
Some of you might have seen
https://delroth.net/posts/spoofed-mass-scan-abuse/ circulating last
week (it was also sent here in reply to someone who received abuse
complaints from their ISP).
The TL;DR is that some previously unknown company with a fancy looking
domain name has started noticing the background noise on the internet
and is sending automated abuse complaints to any owner of a source IP
sending a SYN packet to port 22 on their network. They're not doing
any filtering to try to prevent spoofed source addresses, and at this
point there's plenty of evidence that they are seeing mostly spoofed
src IPs, then sending abuse reports to a completely uninvolved owner
of the IP.
I've recently been in communication with that company. They sent me an
email trying to get "advice" from me about how to not send abuse
complaints to the whole internet, while ignoring the obvious answer of
"don't mass send automated abuse complaints based on no evidence of
abuse and no evidence of who sent you traffic". They're also making
wild claims in their email to me, like, I quote, seeing "1.3 billion
attacks logged in the past 24 hours". They're saying that they act on
data sources like "we query the VirusTotal API for the source IP and
it shows us it's infected with malware".
If you're a NOC or someone handling abuse complaints for an ISP or a
hosting provider, this is my plea to you: please send abuse reports
from "watchdogcyberdefense.com" to your spam box until they understand
1. that a TCP SYN packet is spoofable; 2. that they're harming the
internet through reducing trust in abuse complaints by sending so many
false positives.
I've myself had interactions with both Hetzner's and Linode's abuse
teams; both of them have been top notch and understood what they're
likely dealing with, but having to explain to every single ISP what's
going on while sitting in the equivalent of an interrogation room
threatened with a service suspension isn't a very comfortable
situation.
Thank you in advance,
Best,
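The core point of the post above, that a lone TCP SYN says nothing about who sent it, can be made concrete. The script below is an added example, not code from the post, from the list, or from the abuse-reporting company it describes. It assumes a constructed flow log (addresses from documentation ranges, invented ports and timestamps) and a hypothetical `OUR_HOST` / port 22 pair, and it only treats a source as report-worthy when the claimed source answered our SYN-ACK with an ACK, which a spoofed source cannot do without guessing our sequence number.

```python
"""Classify port-22 connection attempts: handshake evidence vs. bare SYN.

A SYN alone is unverifiable, because its source address may be spoofed.
Only a completed three-way handshake (our SYN-ACK answered by an ACK from
the claimed source) shows that the source really received our reply. A
RST answering our SYN-ACK is what a real host sends when it never opened
the connection, i.e. it is consistent with someone else spoofing its IP.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical values for this example: our listening host and the port
# that the abuse reports in the thread are about.
OUR_HOST = "203.0.113.10"
OUR_PORT = 22

# Constructed sample log, not captured traffic. Format per line:
#   <time> <src_ip>:<src_port> <dst_ip>:<dst_port> <tcp flags>
SAMPLE_LOG = """\
1 198.51.100.7:40001 203.0.113.10:22 S
2 203.0.113.10:22 198.51.100.7:40001 SA
3 198.51.100.7:40001 203.0.113.10:22 A
4 192.0.2.55:51000 203.0.113.10:22 S
5 203.0.113.10:22 192.0.2.55:51000 SA
6 192.0.2.200:3333 203.0.113.10:22 S
7 203.0.113.10:22 192.0.2.200:3333 SA
8 192.0.2.200:3333 203.0.113.10:22 R
"""


@dataclass
class Flow:
    """What we have seen for one (client ip, client port) pair."""
    syn_seen: bool = False      # client -> us: SYN
    synack_sent: bool = False   # us -> client: SYN-ACK
    ack_seen: bool = False      # client -> us: ACK after our SYN-ACK
    rst_seen: bool = False      # client -> us: RST after our SYN-ACK


def parse_line(line):
    """Split one constructed log line into typed fields."""
    t, src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(t), sip, int(sport), dip, int(dport), flags


def classify_flows(log_text, our_host=OUR_HOST, port=OUR_PORT):
    """Return {(client_ip, client_port): 'handshake' | 'reset' | 'syn_only'}.

    A real implementation would also check that the ACK number in the
    client's ACK matches our initial sequence number; this log carries no
    sequence numbers, so the check here is limited to packet ordering.
    """
    flows = defaultdict(Flow)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, sip, sport, dip, dport, flags = parse_line(line)
        if dip == our_host and dport == port:
            # Inbound packet from the claimed client.
            f = flows[(sip, sport)]
            if flags == "S":
                f.syn_seen = True
            elif "A" in flags and f.synack_sent:
                f.ack_seen = True
            elif "R" in flags and f.synack_sent:
                f.rst_seen = True
        elif sip == our_host and sport == port and flags == "SA":
            # Our SYN-ACK going back out to the claimed client.
            f = flows[(dip, dport)]
            if f.syn_seen:
                f.synack_sent = True

    verdicts = {}
    for key, f in flows.items():
        if f.ack_seen:
            verdicts[key] = "handshake"   # source provably received our reply
        elif f.rst_seen:
            verdicts[key] = "reset"       # consistent with a spoofed source
        else:
            verdicts[key] = "syn_only"    # no evidence either way
    return verdicts


def reportable_sources(log_text, our_host=OUR_HOST, port=OUR_PORT):
    """Only sources that completed a handshake are worth an abuse report."""
    verdicts = classify_flows(log_text, our_host, port)
    return sorted({ip for (ip, _), v in verdicts.items() if v == "handshake"})


if __name__ == "__main__":
    for key, verdict in classify_flows(SAMPLE_LOG).items():
        print(f"{key[0]}:{key[1]} -> {verdict}")
    print("report-worthy:", reportable_sources(SAMPLE_LOG))
```

On the constructed log this reports only 198.51.100.7; 192.0.2.55 never answered the SYN-ACK and 192.0.2.200 answered it with a RST, so an automated complaint to either of their owners would rest on nothing but a spoofable SYN.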
There are tons of networks out there that will automatically send an email to abuse records in whois based on fairly braindead criteria. Sadly, this has resulted in abuse contacts being increasingly useless since large hosting providers get such a flood of garbage that they can't actually look into it. Even better, most of the networks sending this garbage can't be bothered to respond when you ask for more information, making it pretty clear they don't actually care about the abuse they're supposedly notifying you of.
Over the years I've started routing any abuse emails from networks who don't bother to respond to requests for further info to /dev/null. It has basically removed all the garbage and leaves an abuse contact that can actually handle real abuse reports.
Matt
Hetzner’s automated abuse system is just as terrible. I did a write-up on it a couple years ago, when it was being sold as a DoS method on certain nefarious forums: the malicious actor repeatedly spoofs your IP/ranges toward Hetzner ranges, generating abuse reports to your ISP, until your ISP nullroutes/suspends.
We immediately bin anything that hits our abuse mailbox from Hetzner since then, because it got to the point that daily we were receiving obviously spoofed logs of UDP traffic.
I tried to climb the ladder of bureaucracy at Hetzner, the highest point I was able to reach was a “senior network engineer,” who told me to disable spoofing on my network, but could not comprehend that disabling spoofing on my network does not prevent other networks from spoofing our IPs.
So, who here remembers “BlackICE Defender”?
It was MS Windows software which would watch for and protect against “attacks”, draw pretty charts and graphs, and also “report the attack to the attacker's ISP”.
They did improve slightly over time, but things which it initially viewed as an attack were nefarious things like “you sent me an ICMP echo-request”…
W
Aww BlackICE. I was talking to Robert not too long ago about this. A simpler time.
If someone sent a ping to one of my Windows machines it wouldn't
even be seen by Windows because each machine is behind its own
separate hardware firewall that would receive and respond to the
ping. (I leave WAN ping enabled on the firewalls because I know
it's helpful to other internet users to test their connection.)
Of course I wouldn't buy junk software like that...
I can see where in a corporate environment someone might buy
and install it because it checks a box on their "security checklist"
or maybe an individual that doesn't understand computers very
well buying anything marketed as protecting their computer even
though they really have no idea what it's doing. (I do wonder
how many people have gotten computer viruses from malware
they downloaded that was masquerading as "security software".)
I do have to wonder how often some company installed it across their
whole corporate network and when one of their machines pinged
another one of their machines inside their network (using RFC 1918
address space) BlackICE Defender on the machine receiving the ping
would send an abuse report to abuse@iana.org.