
Comments
I have been using it for several months. And I can tell you one thing - the way we report - there aren't "false positives". Anything that is reported by us is scanning our entire network. 1000s of IPs a day...
Our reports are weighted "good", so better than a new user, not as good as someone older and mod-checked later on to "excellent".
There is NOTHING wrong with AbuseIPDB except the mods are slightly slow to reply. For example we have some IPs listed that were cleaned up, but because when we got the range we did a takedown and automatically removed them all, they need mod approval to takedown again.
The only problem with AbuseIPDB is that it stops spammers and hackers --- which some people who want to spam and hack don't like...
Did I accuse @avsisp for false-positive reports? NEVER. Did I accuse you of not knowing how actually bad moderation (not) works at AbuseIPDB? YES.
Well yes, my own apartment's internet would get terminated if it did it from there D-:
What would need to be moderated? That is the question.
If new users come and spam your IP with false reports, they will not really count for anything against you. But if an experienced user reports it - it'll count a lot more.
As for removing IPs that have been cleaned up - in my personal experience - it works fine, as they let you remove them one time per month, usually without even a mod getting involved.
The only time a mod is needed at all is when you have already removed the IPs once and they get listed again... Then yes - it's a PITA. But that's to be expected with a project like this to be fair...
There are way worse ones. Think about, for example, blocklist.de, which has no way to dispute or remove a listing. Is that not worse?
NOT LEGAL ADVICE
Database Directive, as in Directive 96/9/EC, made in 1996? Based on my quick read of the Wikipedia page, it seems to be mostly related to copyright: " It harmonises the treatment of databases under copyright law".
Therefore, this doesn't really apply here. The concept of copyright over internet exposed banners is simply absurd.
The "airline trail" would make sense. That could indeed be copyrighted. Could you give more details about this "airline trail"? I think you might be talking about Ryanair's lawsuit, but I'm not quite sure.
Directive 2019/790? That one is also related to copyright.
In this case, yeah, you're right. But who's going to pursue a random guy on the internet for collecting banners? He could also just be collecting the hashes, which wouldn't be PII.
To not set 80% score for an IP that was only found doing ICMP echo-request (that didn't even trigger a single abuse complaint), see https://lowendtalk.com/discussion/comment/4489508/#Comment_4489508
"Honeypot IP Hit to Unused IP (https://github.com/AVSISP/honeypot)"
I'm sorry, but... this is exactly the problem.
It isn't a problem. If you want to probe my entire network without an invitation, you will get reported. It's that simple. You'll also be in a local blocklist with a 24 hour timeout that will block all attempts to entire network for 24 hours.
You know how many carpet-bomb DDoS we got before this? How many port scans? How long my btmp files were? How often we would get WHMCS Tickets spammed to the brim - at one point over 20k tickets over 10 minutes?
And now using AbuseIPDB + our own Honeypot with XDP? Almost 0.
Your report has 0 info. That is the problem.
https://www.abuseipdb.com/user/157481
It's been a long time since I last reported, but this is what useful reports look like...
And this is really the minimum; you can add so much more to reports.
Can you tell me how a Cloudflare CDN IP probed your network?
https://www.abuseipdb.com/check/104.25.32.205
Edit: All of your recent reports are related to CF IPs.
You include duplicated and useless info from what I can tell? The time and date of report is the time of attempt using my script - so not needed. The IP is the IP you're looking up - so not needed. The username that they tried doesn't matter - it's from a random list for sure. And the only thing semi-useful there is that it was an SSH port they attempted?
Could have been summed up as "unauthorized SSH attempt" tbh...
Probably someone doing reflections with them or WARP related - seen a LOT of uptick in WARP hacking attempts lately tbh.
Just checked "whatismyipaddress.com/ip/IP_HERE" and found that ALL of them are not even close to the server location - so definitely WARP traffic or reflection attempts. If it was legit, it would be from the same location as the server itself...
Doesn't WARP use IP addresses other than what CF uses for their reverse proxy? Also, why would you report a single TCP SYN-ACK packet (reflection) that could be spoofed?
It does matter; everything matters in an abuse report. The time, the user, the IP. Everything.
If I send you an abuse report with 0 logs just saying "yeah, IP DDoSed me", you see, are you gonna suspend it? Are you even gonna ask?
As I said, this is the bare minimum.
https://www.abuseipdb.com/user/114807
https://www.abuseipdb.com/user/126710
Here are two other examples; both include a lot more info: the port scanned, even the TCP window, because, what do you know, zmap and masscan actually have hard-set TCP windows that you can use to differentiate them.
And I stopped that because, unfortunately, you can spoof any goddamn zmap scan however you want.
My honeypots weren't perfect; they weren't always reporting correct data as well. And that is exactly why I stopped. Because trusting abuse reports like mine or yours that aren't from actual threat researchers or known GOOD blocklists is unreliable and always will be. Stop trusting randoms with abuse reports. That is also why I closed off asn.haus pretty much instantly after feedback.
Even researchers/GOOD blocklists (sometimes) make mistakes. Recently I got multiple false-positive reports from AWS Shield for a botnet: after the reported server was taken down, they reported the same IP again, despite the TCP port they reported not being open anymore.
No - WARP uses ANY Cloudflare IPs. Can be from the proxy range, can be from different ranges. For v6 it is indeed reserved separate blocks. I've got regular Cloudflare IPs listed on their website myself using WARP in Germany in the past.
Also - spoofing is more rare than you would think - tbh. Unless someone knows that we are reporting that way, they won't spoof. But the script does need some updating and I haven't had the time to update it. It will eventually keep a count and if it's more than x attempts per x seconds will report. Nothing in this world is perfect. If it works properly 99.99% of the time, that 0.01% spoofed that gets accidentally reported is less of an issue. If someone has a complaint, our profile is public and they can reach out and I'll remove the report.
The whole point is the IP that it is on IS NOT A USED IP. It's an IP that is separate from all other IPs and can't be easily mistaken for another IP. It doesn't run any services and outbound traffic from it is blocked entirely, so nothing can be replying to it. If something is trying to access that IP, it's NOT INVITED.
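The filtering sketched in the post above (count attempts per source and report only past x attempts in x seconds, and treat anything arriving at an IP that never sends a byte as unsolicited) can be made concrete. The following is an added example written for this thread; it is not the poster's script and not code from the AVSISP/honeypot repository. It also applies the reflection caveat raised later in the thread: a SYN-ACK or RST arriving at a silent honeypot IP is the back half of somebody else's handshake, so its source is a reflection victim, not the scanner, and is never counted. The honeypot address (TEST-NET-2), the threshold and window, the log line format, the sample log lines, and the use of AbuseIPDB category 14 (Port Scan) in the report dict are all assumptions made for the example; nothing is sent anywhere.

```python
"""Honeypot hit filter: decide which sources are worth an abuse report.

Added example for the discussion; not the thread author's script.
Input lines are constructed for the example: 'ISO_TS src dst dport flags window',
with flags written the way tcpdump prints them ('S' = SYN, 'S.' = SYN-ACK, 'R.' = RST-ACK).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

HONEYPOT_IP = "192.0.2.10"       # assumption: a TEST-NET-2 address standing in for the unused IP
THRESHOLD = 3                    # assumption: report after this many unsolicited SYNs ...
WINDOW = timedelta(seconds=60)   # ... seen within this window
PORT_SCAN_CATEGORY = "14"        # assumption: AbuseIPDB's "Port Scan" category id


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    dport: int
    flags: str
    window: int


def parse_line(line: str) -> Packet:
    """Parse one constructed log line into a Packet."""
    ts, src, dst, dport, flags, window = line.split()
    return Packet(datetime.fromisoformat(ts), src, dst, int(dport), flags, int(window))


def is_unsolicited_syn(p: Packet) -> bool:
    """Only a bare SYN aimed at the honeypot counts as an attempt.

    The honeypot IP never initiates anything, so a SYN-ACK or RST arriving
    there is a reply to a SYN someone spoofed from the honeypot's address:
    a TCP reflection in which the source is the victim, not the attacker.
    """
    return p.dst == HONEYPOT_IP and p.flags == "S"


def build_report(src: str, pkts: list) -> dict:
    """Build a report carrying what the thread asks for: time, ports, TCP window."""
    ports = ",".join(str(d) for d in sorted({p.dport for p in pkts}))
    windows = ",".join(str(w) for w in sorted({p.window for p in pkts}))
    comment = (
        f"{len(pkts)} unsolicited TCP SYN to unused honeypot IP {HONEYPOT_IP} "
        f"between {pkts[0].ts.isoformat()} and {pkts[-1].ts.isoformat()}; "
        f"dst ports {ports}; TCP window {windows}; "
        f"SYN-ACK/RST-only traffic not counted (reflection excluded)"
    )
    return {"ip": src, "categories": PORT_SCAN_CATEGORY, "comment": comment}


class Reporter:
    """Sliding-window counter: one report per source once it crosses the threshold."""

    def __init__(self, threshold: int = THRESHOLD, window: timedelta = WINDOW):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)   # src -> recent unsolicited SYNs
        self.reported = set()

    def observe(self, p: Packet):
        """Return a report dict when src crosses the threshold, else None."""
        if not is_unsolicited_syn(p):
            return None
        q = self.hits[p.src]
        q.append(p)
        while q and p.ts - q[0].ts > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold and p.src not in self.reported:
            self.reported.add(p.src)
            return build_report(p.src, list(q))
        return None


def run(lines: list) -> list:
    """Feed chronological log lines through a Reporter and collect the reports."""
    reporter = Reporter()
    return [r for r in (reporter.observe(parse_line(l)) for l in lines) if r]


# Constructed sample: one real scanner (198.51.100.7), one reflection victim
# (203.0.113.9, only SYN-ACK/RST), one slow source below the threshold (198.51.100.8).
SAMPLE_LINES = """\
2024-05-01T12:00:00+00:00 198.51.100.7 192.0.2.10 22 S 1024
2024-05-01T12:00:01+00:00 203.0.113.9 192.0.2.10 443 S. 65535
2024-05-01T12:00:05+00:00 198.51.100.7 192.0.2.10 23 S 1024
2024-05-01T12:00:06+00:00 203.0.113.9 192.0.2.10 443 S. 65535
2024-05-01T12:00:09+00:00 198.51.100.8 192.0.2.10 22 S 29200
2024-05-01T12:00:12+00:00 198.51.100.7 192.0.2.10 3389 S 1024
2024-05-01T12:00:20+00:00 198.51.100.7 192.0.2.10 22 S 1024
2024-05-01T12:00:40+00:00 203.0.113.9 192.0.2.10 443 R. 0
2024-05-01T12:10:30+00:00 198.51.100.8 192.0.2.10 22 S 29200
""".splitlines()

if __name__ == "__main__":
    for report in run(SAMPLE_LINES):
        print(report)
```

Only 198.51.100.7 ends up in a report: 203.0.113.9 only ever sends SYN-ACK and RST, which the filter treats as reflection, and 198.51.100.8's two SYNs are ten minutes apart, so the window evicts the first before the count reaches the threshold. Swapping the sliding window for a fixed per-day count would re-create the single-packet reports criticised in the thread.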
https://www.abuseipdb.com/check/9.9.9.9
Yeah - you'll see a lot of gaps in my reports also where the script has been disabled due to the same issue. And I agree - it's unreliable to count on random reports - except if those reports pile up to the point the IP hits 100% abuse? No chance ALL of those were false.
@aluy, sir, you are wrong, Quad9 definitely monetizes their fancy IP address for scans.
He literally just proved my point that AbuseIPDB takes all the steps to ensure false reports don't happen. On the very page he posted...
0% score. Wouldn't be blocked by any filters.
No no, this isn't what I meant. What I meant is the amount of false reports even on THOSE IPs EVERY day. And AbuseIPDB cleans them pretty often. How many do you think are on not-so-known IPs / ranges?
It isn't feasible to whitelist anyone suffering from spoofing (which could be literally anyone resulting in 0.0.0.0/0 being whitelisted)
I am sorry if you don't understand basics
How many do you think are real reports because it was used for DNS amplification and reflection attacks? Especially carpet-bombs where someone spoofed the source of requests from ALL of someone's range, and Quad9 I KNOW FOR SURE, HAD EXPERIENCE - limits per IP, not per range, allowing carpet bombs to happen?
They aren't false - they aren't spoofed - Quad9 DID attack their IPs.
You seem to misunderstand spoofing. You think random spammers and port scanners are spoofing? Most are using proxies, they are using VPN, they are NOT spoofing. The problem with spoofing is they get no reply. They want a reply, a handshake, etc. The only time Spoofing is used is under DDoS...
@avsisp the problem both I and @aluy are trying to explain is that you have to not report the innocent party first of all - if it was abused (DNS amplification isn't something you could completely mitigate for a public open resolver such as 1.1.1.1, 8.8.8.8 or 9.9.9.9) you don't contribute anything valuable. Same goes for reporting TCP reflection - literally any TCP service BY DESIGN sends a TCP SYN-ACK packet back; there is nothing malicious.
No it didn't, Quad9 didn't. Spoofing isn't a valid report. That's exactly why they get removed by AbuseIPDB.
You are right, I must have misremembered; after some searching I could not find my source for this information.
Exactly, what should Quad9 do about it? It's useless; they can't do anything, and it would spam their report box if you send them an email. The same way it spams AbuseIPDB.