The World's Worst Abuse Support ISPs/ Port Scan / bad bots / Spoofing / Phishing / Spam

Hello,
We report more than 10.000 abuser IPs (daily) to abuseipdb.com
Our top 15:
1º DigitalOcean.com (40% India, 30% Singapore)
2º Microsoft
3º hostway.ru / beget.ru / smartdata.su (& Russia ISP)
4º Tencent (& China ISP)
5º des.capital (Netherlands)
6º Frantech.ca
7º inetmar.com (Turkey)
8º OVH
9º linode.com
10º amazon.com (40% east-2.compute.amazonaws.com)
11º hetzner.de (70% Finland)
12º superdata.vn (Vietnam)
13º deltacentric.com (India)
14º online.net
15º softlayer.com
Share your top15
Comments
Can you check that IP list against known Tor nodes? You might find your answer.
This list does not include Tor exit nodes.
Block ranges, rather than reporting IPs. For countries like Turkey and Vietnam, entire subnets can be blocked without too much thinking. I block entire countries to slow down the abuse rate. But malicious actors are still probing for vulns.
Where is China??? It is definitely top 1
DigitalOcean processes abuse complaints if sent in XARF
OVH processes abuse complaints too, just use their abuse form (submission can be automated)
Amazon processes complaints too and reacts accordingly to ALL complaints we are sending them! They are all processed by humans.
Hetzner is sometimes slow to react but it processes complaints as well. Their network is pretty clean compared to others given their size.
Sure, but you can't block the entire network of Microsoft, DigitalOcean or Amazon. We block some /16 or /24 subnets of China and Russia, also AbuseIPDB IPs with more than 30 reports of abuse.
Top 100 ASN with largest total ban time (sum of current ban time for all IP addresses within each ASN):
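The metric named above, sketched in Go as an added example (not part of the original post, and not the poster's tool). The record layouts, the prefix-to-ASN table and the reading of "current ban time" as the ban duration of bans that have not yet expired are assumptions; the caller takes the first 100 entries for a top 100.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"time"
)

// Record layouts are assumptions for this example, not any tool's format.
type Ban struct{ IP netip.Addr; Start time.Time; BanTime time.Duration }
type Route struct{ Prefix netip.Prefix; ASN uint32 }
type ASNTotal struct{ ASN uint32; IPs int; Total time.Duration }

// BanTimeByASN sums BanTime over bans still active at now, per origin ASN
// (longest matching prefix, 0 = no route), sorted by largest total first.
func BanTimeByASN(bans []Ban, routes []Route, now time.Time) []ASNTotal {
	agg := map[uint32]ASNTotal{}
	for _, b := range bans {
		if !now.Before(b.Start.Add(b.BanTime)) {
			continue // expired: not a current ban
		}
		best, asn := -1, uint32(0)
		for _, r := range routes {
			if r.Prefix.Contains(b.IP) && r.Prefix.Bits() > best {
				best, asn = r.Prefix.Bits(), r.ASN
			}
		}
		t := agg[asn]
		agg[asn] = ASNTotal{asn, t.IPs + 1, t.Total + b.BanTime}
	}
	out := make([]ASNTotal, 0, len(agg))
	for _, t := range agg {
		out = append(out, t)
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Total > out[j].Total || (out[i].Total == out[j].Total && out[i].ASN < out[j].ASN)
	})
	return out
}

func main() {
	now := time.Date(2023, 9, 26, 12, 0, 0, 0, time.UTC) // constructed sample data below
	ip, pfx, h := netip.MustParseAddr, netip.MustParsePrefix, time.Hour
	routes := []Route{{pfx("192.0.2.0/24"), 64512}, {pfx("192.0.2.128/25"), 64513}}
	bans := []Ban{{ip("192.0.2.10"), now.Add(-h), 24 * h}, {ip("192.0.2.200"), now.Add(-h), 48 * h},
		{ip("192.0.2.201"), now.Add(-2 * h), h}, {ip("198.51.100.7"), now.Add(-h), 6 * h}}
	fmt.Println(BanTimeByASN(bans, routes, now))
}
```

The sample uses documentation prefixes and private-use ASNs; in practice the route table would come from a BGP or IP-to-ASN data set.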
This is a bit more than we have:
What exactly do you report? In our case it is established TCP connections to the honeypots within our network.
Also I would recommend you to not use AbuseIPDB, it is pointless. Better send automated email complaints, most of the time it will work flawlessly (except DigitalOcean, OVH, Scaleway, NForce and a few others).
This blocking will not play any role, because most of the IPs are victims of botnets, and in these countries ISPs use CGNAT on a large scale; each user who disconnects and reconnects their PPPoE session will usually be assigned another outbound address. When you block the public IP, you often end up with all of the ISP's users in the city unable to access your network.
So, usually you are blocking the normal customers in these countries.
The attacker just needs to dump the bot and go on with what they're doing.
And this is why you should notify the ISP and not report to AbuseIPDB - it is not possible to actively monitor AbuseIPDB, their API lacks support for parsing comments...
Here are my top 10 countries/regions with the most unique source IP addresses from incoming port scans on September 26, 2023:
Which system do you use to send the abuse emails?
I have developed a Golang tool for this purpose.
Nice work
While I do get this frustration and understand the activity to report etc., overall I believe this is like tilting at windmills. It would do little to increase security and stop abuse traffic.
Kudos to all of you, keep up the good work, but my personal opinion is that abuse can be blocked more efficiently at the end which I control.
Kind of, it is hard to take down entire botnets or hackers operating from BPH only with abuse reports, however I believe that when handled appropriately by ISPs it can raise awareness of end-users so attackers will spend a bit more resources to do their illicit activity.
I think that maintaining lists of offenders is a good idea because we don't need to raise awareness at the end-user level, but at their ISP's level. People might implement that list of blocks, and when there would be tons of complaints that x or y destination can't be accessed, a lot of ISPs would try to stay out of those lists by policing their users themselves at a lower cost and increased efficiency.
Reporting the abusers could help, we act on those within 24 hours and we are grateful for the work done, but only a full ISP block could change the attitudes of others.
China citizens will be unhappy with this XD
https://urlhaus.abuse.ch/statistics/#top_hosters
I believe that would make a little difference since they are blocked at the source to so many places that it doesn't really matter if a few more destinations are added, their internet is already fuck-ed up by the CCP, how much more could it be disrupted?
AFAIK they do still have VPN/Proxies to bypass Great China Firewall and when implementing AS-wide ban we will basically help CCP to conduct their censorship, aren't we?
Yes, any block of Chinese ISPs would help the censorship, but that is valid for any other network blocked, why block so many legitimate ppl for a few bad apples which were probably victims themselves?
Open the taps and let the bytes be free!!! Resistance is futile.
I think the first thing we should do is no-abuse departments' reaction shame list
After reading what you said earlier, I gave it a shot and sent my report about a single DigitalOcean IP as an X-ARF formatted attachment. I got no response at all, and that's a relief. I'm not sure if my attachment is correctly formatted, but at least my email won't be flooded with replies from DigitalOcean if I begin reporting hundreds of IP addresses.
If you have low volume and wish to receive human response - use their abuse form: https://www.digitalocean.com/company/contact/abuse
However, when you try to send too many abuse complaints you will be contacted by a human asking you to send X-ARF to them - and I can understand them somehow because they are a very huge provider and for some reasons they already have a high amount of questionable traffic, thus it is more favourable to automate abuse complaint handling and not to hire additional technicians.
Amongst big providers there are a few who actually respond to let you know how abuse resolution is going - I can only name AWS and Hetzner.
I filter out all acknowledgment and templated resolution notices by Sieve
Block all of China and all frantech and you'll have an instant improvement.
What tool are you using in the pic?
Kibana to view data from Elasticsearch (I am using it for centralized logs collection)
@tentor do you send plain emails or do you send X-ARF?
As of now only plaintext unfortunately, proper X-ARF generation requires major changes in how letters are generated, however this is on my roadmap.