Dayjob recently got a report from compliance@tucows.com alleging that an old, historic bind9.tar.gz.asc (a plain-text checksum file) on ftp.isc.org is malware. It’s not. It’s a false positive.
Additionally, the URL they sent to vew the reporting material is http-only, and does not work, but it’s not hosted by tucows/hover, it’s hosted at http://url4091.abuse-report.pir.org, is http-only (what year is it?) and doesn’t work! Nor does that report actually come out and say what the file in question is, it’s only shown in an attached screenshot.
Given what recently happened to another important internet domain (one of our IP providers) being put on administrative hold due to basically one complaint of fraud, I am incredibly concerned.
I’ve been in touch with the registrar that holds our domain name about this (Hover/Tucows), and I’ve got a direct line with the CTO, but I need assurances that this will not lead to obnoxious actions, a week before Christmas.
-Dan
(From personal address, but with very much DayJob hat on)
There was also the attack on the Tor network a few months ago.
In that case I spoke to the “security” company that was sending the abuse notices to my provider - and they confirmed that they know the notices are bullshit, they acknowledge that if they cause financial losses I might be able to win damages in a lawsuit, and they will continue sending them anyway because they don’t care to update their policies.
Has this sort of thing always been a problem on the internet or is it a new attack vector?
It’s not a new vector, but it’s not super common either. I wrote about it back in August of 2022, Hetzner’s automated abuse system was being used as a denial of service vector, as the malicious actor just spoofed the victim IP(s) toward their network, and the abuse reports were automatically sent to the victim’s ISP. Enough reports and a lot of providers will nullroute the IP address.
I remember while delving into it there was some posts offering this exact service on various “hacking forums.”
I reached out to Hetzner multiple times, the highest point of contact I could reach was a “senior network engineer” who told me to disable spoofing on my network. Which of course, it already was, and that doesn’t stop other networks from spoofing our ranges… But I couldn’t ever get them to grasp the idea, to this day Hetzner abuse reports get immediately binned on our side.