Comments
It's a new form of DDoS really...
If you grab a free hosting template, and make some nice email like [email protected] or [email protected] and copy some crap from your router log and edit the IPs while claiming it's port scanning or DDoS attacking, you'd be surprised how easily it passes through lvl 1 support and gets the victim suspended.
Even if he can prove it's fake, the downtime already lasted longer than any viable DDoS attack.
Unfortunately, I don't believe there's any reprieve for anyone caught in false abuse reports. Unlike DMCA requests, those who submit abuse requests are not under penalty of perjury and can usually do so anonymously, so there's very little to stop people from doing this.
That's something I'd like to change except in certain cases where an anonymous report should be allowed (e.g. abuse of minors, for example -- whistleblowers for this kind of thing should be kept confidential instead of being handed over to a potentially dangerous person).
I do think that cases of spam and network abuse however should have a framework for handling abusive reports and more stringent checking of abuse reports.
Sorting stuff like this out involves human work; Hetzner's concept is to involve less human work to keep the price low. If you need a host that offers this kind of support, try smaller companies.
Leaseweb for example doesn't take you down on invalid abuse mails.
Ironically ~10 years ago before X4B was even named this was why I first got involved in "Reverse Proxying". Good to see Hetzner is nothing if not consistent.
Hi there, if you already have an abuse ID for this case, would you please send it to me. That way I can take a look at your case. If you don't have a case yet, please fill out this quick form. https://abuse.hetzner.com/issues/new?lang=en --Helena
Yes fake abuse reports work better than DDoS, almost with any provider, it's a fact.
There is a way. You can only send abuse mails for IPs you own, so your abuse mails have to be signed by the same key as your BGP announcements with RPKI. An ISP gets many fake abuse reports from an entity and from there on rejects every abuse claim from that entity because it is not trustworthy anymore.
What? No key or owned IPs are needed to send an abuse report. I don't know what you're talking about.
When I was testing IP Ban Pro beta that sent automatic abuse reports, Hetzner's reply said it needed additional information to take action (I think it was just a timestamp or something). They obviously have minimum criteria to take action.
@Hetzner_OL
Can you help to understand 68385E?
The situation is, I use Hetzner for testing and training. About 15-20 VMs I created for range of 2-5 days for students to use for big data programming.
I see two incidents related to servers, which I completely have no idea what that means. I got to know that there are netscans, but our employees have not installed any such software, passwords are fine with capitals + @ and numbers, at least not possible to guess or for a dictionary attack.
I am still wondering how netscans came, if the servers were compromised or not. I will try to see possible solutions to ensure that this will not repeat. Any advice will help us.
I'm curious. When you got an abuse report, how can you be sure that it is "fake?" According to IBM security's report, "2019 Cost of a Data Breach Report," The average time to identify a data breach in 2019 was 206 days. So it is no simple task to detect a cybersecurity incident.
At minimum you can verify the connection at least took place with your own flow records.
Yes, that should be quite accurate if the flow records are generated external to the reported host and not of a sampling nature. But it's hard for someone using a VPS to keep that kind of flow records.
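As an added example (not from the thread), here is one way to do the cross-check the two posts above describe: compare what an abuse report claims against flow records your own router exported. The flow CSV, the IP addresses and the claimed time are all constructed sample data; the "scan-like" heuristic (several destination ports, one or two packets each) is an assumption of this example, not a Hetzner criterion.

```python
"""Cross-check an abuse report's claim against locally kept flow records.

Added example, not code from the thread or from any provider. Assumes flow
records in a NetFlow-style CSV export with UTC start times, exported by a
router or switch outside the reported host (so the host cannot have edited
them) and not sampled, as the post above notes is required for accuracy.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: five-tuple flows as an edge router would export them.
# 203.0.113.10 is "our" reported host; 192.0.2.25 and 198.51.100.7 are
# remote hosts (all documentation ranges, not real addresses).
FLOW_CSV = """start_utc,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
2020-06-01T10:14:02Z,203.0.113.10,51512,198.51.100.7,443,6,14,2310
2020-06-01T10:15:30Z,203.0.113.10,51520,198.51.100.7,443,6,12,1980
2020-06-01T10:16:05Z,203.0.113.10,40001,192.0.2.25,22,6,1,60
2020-06-01T10:16:05Z,203.0.113.10,40002,192.0.2.25,23,6,1,60
2020-06-01T10:16:06Z,203.0.113.10,40003,192.0.2.25,80,6,1,60
"""


@dataclass
class Flow:
    start: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int


def load_flows(text: str) -> list:
    """Parse the CSV export into Flow objects with timezone-aware timestamps."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["start_utc"], "%Y-%m-%dT%H:%M:%SZ")
        flows.append(Flow(
            start=start.replace(tzinfo=timezone.utc),
            src_ip=row["src_ip"], src_port=int(row["src_port"]),
            dst_ip=row["dst_ip"], dst_port=int(row["dst_port"]),
            proto=int(row["proto"]), packets=int(row["packets"]),
        ))
    return flows


def check_report(flows, reported_ip, complainant_ip, claimed_time,
                 window=timedelta(minutes=10)) -> dict:
    """Find flows from reported_ip to complainant_ip around the claimed time.

    Returns the number of matching flows, the destination ports seen, and a
    verdict: "no-matching-flows" means our own records show no such traffic
    (the claim is unsupported or the source address was forged elsewhere);
    "scan-like" is a simple heuristic for many ports with 1-2 packets each;
    anything else is "ordinary-traffic" and needs a human look.
    """
    lo, hi = claimed_time - window, claimed_time + window
    matches = [f for f in flows
               if f.src_ip == reported_ip and f.dst_ip == complainant_ip
               and lo <= f.start <= hi]
    ports = sorted({f.dst_port for f in matches})
    if not matches:
        verdict = "no-matching-flows"
    elif len(ports) >= 3 and all(f.packets <= 2 for f in matches):
        verdict = "scan-like"
    else:
        verdict = "ordinary-traffic"
    return {"matches": len(matches), "ports": ports, "verdict": verdict}


if __name__ == "__main__":
    flows = load_flows(FLOW_CSV)
    claimed = datetime(2020, 6, 1, 10, 16, tzinfo=timezone.utc)
    for complainant in ("192.0.2.25", "198.51.100.7", "203.0.113.99"):
        print(complainant, check_report(flows, "203.0.113.10", complainant, claimed))
```

The useful property here is the negative case: if the report names a time and a complainant address and your unsampled edge records show nothing at all, you have concrete evidence to put in the reply rather than an assertion that the report is fake.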
What a garbage support, a kid sends a fake abuse and they simply do not care if it's legitimate or not, they simply say please leave LOL.
Please remove "xxxxx" from our network within the next 24 hours.
And that is the change that will eliminate fake abuse mails, you don't own the IP space that got attacked you can't send abuse emails. Problem solved.
We also receive fake abuse complaints everyday
Do you even know who owns your address space? Half my providers lease and some own. If they now have to be part of your defense system, the price of IPs will skyrocket. This is the kind of thinking I'd only expect from a government worker.
Nothing stops a person from having a legit domain and IP and still sending false abuse reports. Your suggestion doesn't solve a problem, just adds more.
Dude you don't understand. With that approach a legit domain and IP don't legitimize YOU to send abuse mails, since you don't have the key to sign the mails; whoever the receiver of your mail is will bounce them. If you are a customer of e.g. Hetzner, Hetzner would be able to send abuse mails, you are not.
Do you understand now?
No. What fucking key are you talking about?
You are suggesting a system where only the sender is verified, not whether the abuse complaint is valid. Does not solve any problem and adds more problems.
Maybe someone can clarify with different English?
Your proposed solution will be problematic because Hetzner can't reliably determine the accurate source IP of cyberattacks like port scanning.
Even if Hetzner owns the IP blocks, they are not the real user. The most they can do is monitor network packets. Think about this. A hacker sent lots of TCP SYN packets with your IP as the source IP to Hetzner's network. To filter those forged packets, TCP's 3-way handshake should be used, but only the real IP user can do that, Hetzner cannot. So Hetzner will notify your ISP that you were scanning their networks.
Network abuse reports should be sent by real IP users. But forged source IPs need to be eliminated first by TCP's 3-way handshake.
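The post above argues that a receiving network can only attribute a connection to its source address once the three-way handshake completes, because a lone SYN can carry any forged source. As an added example (not from the thread), this small state tracker applies that rule to a constructed packet log: sources that only ever produced half-open attempts are marked unattributable. Addresses, ports and timings are constructed; real attribution would also check sequence and acknowledgement numbers, which this example omits.

```python
"""Which connection attempts can be attributed to their source IP?

Added example, not code from the thread. Input is a constructed log of TCP
flag events as a receiving network might capture at its edge. A client
address is attributable only for 4-tuples that reached the ESTABLISHED
state (SYN from client, SYN-ACK back from server, ACK from client).
"""
from collections import defaultdict

# Constructed sample: (time, src_ip, src_port, dst_ip, dst_port, flags).
# 198.51.100.7 is the receiving server. 203.0.113.10 completes a handshake;
# 192.0.2.25 appears only in SYNs whose SYN-ACKs are never answered, which is
# exactly what a forged source address would look like from this side.
PACKETS = [
    (1.00, "203.0.113.10", 51512, "198.51.100.7", 22, "S"),
    (1.01, "198.51.100.7", 22, "203.0.113.10", 51512, "SA"),
    (1.02, "203.0.113.10", 51512, "198.51.100.7", 22, "A"),
    (2.00, "192.0.2.25", 40001, "198.51.100.7", 22, "S"),
    (2.01, "198.51.100.7", 22, "192.0.2.25", 40001, "SA"),
    (2.00, "192.0.2.25", 40002, "198.51.100.7", 23, "S"),
    (2.01, "198.51.100.7", 23, "192.0.2.25", 40002, "SA"),
    (2.00, "192.0.2.25", 40003, "198.51.100.7", 80, "S"),
    (2.01, "198.51.100.7", 80, "192.0.2.25", 40003, "SA"),
]


def handshake_state(packets) -> dict:
    """Track each (client, cport, server, sport) 4-tuple through the handshake.

    States: "syn" (half-open), "synack" (server replied, still half-open),
    "established" (client's final ACK seen).
    """
    state = {}
    for _t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if flags == "S":
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "SA":
            # Reverse direction: the packet's destination is the client.
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == "A":
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "established"
    return state


def attribute_sources(packets):
    """Per client IP: count established vs half-open attempts and give a verdict."""
    counts = defaultdict(lambda: {"established": 0, "half_open": 0})
    for (client, _cport, _server, _sport), st in handshake_state(packets).items():
        if st == "established":
            counts[client]["established"] += 1
        else:
            counts[client]["half_open"] += 1
    verdicts = {}
    for ip, c in counts.items():
        if c["established"]:
            verdicts[ip] = "attributable"
        else:
            verdicts[ip] = "unattributable"  # only SYNs, which could be forged
    return dict(counts), verdicts


if __name__ == "__main__":
    counts, verdicts = attribute_sources(PACKETS)
    for ip in sorted(counts):
        print(ip, counts[ip], verdicts[ip])
```

Run against the sample, the established source is the only one a report could name with confidence; the half-open-only source may be a scanner or may be a victim of address forgery, and the receiving side alone cannot tell which.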
He at least got reports for his IP. But today Hetzner sent me a report for a website hosted on an IP that doesn't even belong to my account -_-
It is a daily task to reply to abuse complaints. It also takes a lot of time. Also if you get one you don't get just one but a shitload of them.
@Hetzner_OL
Since this is a real issue I'm facing as well with my game services.. I'm gonna do an experiment later on this summer.
I will setup a legit looking basic wordpress site with other pages full of lorem ipsum in case hetzner actually bothers to look up the domain.
I will then grab some garbage router logs from 2014 and edit it a little.
Sample:
I will then edit those IPs to my own Hetzner server which is 100% innocent, and I will document the downtime amount with Hetrixtools monitor to see how long it takes for Hetzner to reactivate it compared to normal downtime due to DDoS.
It will be an interesting test to see how hetzner abuse department reacts to it.
I will be sending the email from semi-legit sounding address, so no gmail or hotmail.
At worst my own server/account gets suspended due to this "legitimate source outsider email".
Ping me when you get a result please. I want to know how bad it is
I can see it now...
"Why use expensive DDoS attacks when we can take a site down for 3 days or forever. Choose from our 2 packages:"
1) Full Body Massage - $150:
- Our template will be quickly uploaded for the country of your intended victim to send doctored router logs with edited IPs to claim your victim's IP was port scanning from [email protected] (fictitious hosting company).
- Day 2, rinse and repeat, a DDoS attack will be reported from your victim's IP address from [email protected] (fictitious ISP).
or
2) Happy Ending - $6,000:
- We have Alphabet Intelligence Agency domains & templates ready to go for most nations. Your victim's provider will receive realistic ch'ld-p'rn abuse reports with server seizure notices. The following day our crack-ops team shows up at your victim's datacenter in full Intelligence gear with replica badges & warrants to seize your victim's servers. Using threats of jail-time, datacenter administration will be quickly intimidated into compliance. Before security has time to verify those warrants, those servers are long gone and your problems are solved.
Last I checked, impersonating LEOs is a serious crime in most places, so maybe add another 0 at the end of your "Happy Ending" package and we'll see. Leasing an IPv4 range is $85/mo from what I gathered in the LIR thread here, so your other package is profitable.
I think that bottom one is overkill and unrealistic. A normal kid can get away with a legit sounding email and fake logs at best anyway.. A fake website is a bonus for the "abuse scam".
And that's literally what they are doing with Hetzner since they are notorious for their super unforgiving abuse policies, so it's easy for them to take advantage of it.
hahaha i lol'd so hard.
It reminds me of some cases.
Dej Solutions (https://dej.ai/) - a fake canada company - was threatening to get our Paypal and Bank accounts suspended before. They have contacts at PayPal. Of course lol
The guy running it calls himself Max Z. but we have made investigations and found he is an Iranian guy named Behnam K.
He lives in Tallinn, Estonia.
He has never been to Canada in his life and certainly has no company there. All fake.
It's a big fake involved in a big Iran piracy movie site.
And yes, they are also working with the FBI.
Many other threats.
Maybe you want to add PayPal suspension service.
If you ask them for documents, court order etc etc etc. Anything. They will try further manipulate you instead of providing anything.
Best practice is: NEVER REPLY.
Be careful with Hetzner. Their investigations are very low level. They just charge the client. (From my experience with them)
I feel you, my account has been marked for deletion on May 31st just because a domain I do not own was pointing to my servers. I asked for explanations regarding that, the bullshit abuse department just answered: remove that domain from our IPs.
How can I remove something that isn't mine you ass*oles?
I asked to change the IPs of my servers. No answer. Great job!
Meanwhile, all the servers in my account have their IPs locked.
And they still want me to pay for the invoice of 6 locked servers until they are gone.
Hell no!