
Comments
And please don't block an IP on spoof possibility. Imagine you block an upstream IP and 10% of your infra goes down.
That IP (9.9.9.9) DID carpet-bomb their entire network. NOT someone spoofing to be 9.9.9.9. That's not how a DDoS works. The attacker spoofed requests from the entire range of the victim to 9.9.9.9 - 9.9.9.9 in turn replied with HUGE amounts of data... 9.9.9.9 needs to filter properly for that not to happen (reply length limits, timeouts, limits per range, etc). You'll see a LOT less reports on Cloudflare 1.1.1.1 - because they actively prevent their servers being used for reflection attacks.
Quad9 is not vulnerable to DNS reflection attacks.
What do you base this on? Isn't the whole point of spoofing the IP that the destination does not know that it is being spoofed and sends a response to another host?
And I understand that - but it DOES NOT make AbuseIPDB bad. They do everything they can to prevent false-positives. The results are heavily leaning towards innocence. There are IPs that I KNOW for sure have 20% score with 50+ reports over an hour and that HAVE INDEED spammed my WHMCS Ticket system. And they are not blocked by anyone - because most people that use it only block for 100% abuse factor.
The last 3 carpet bombs that hit us were using 9.9.9.9 as part of their attacks -- so WRONG - 100% personal experience here.
Send an email out to the host and report it with valid logs to AbuseIPDB.
Please. This is a major DNS provider you are accusing here.
They don't punish reporters who report single TCP SYN packets since years, so I don't agree with you AT ALL.
Please compare AbuseIPDB database with CrowdSec community blacklist and reconsider.
At this point I will leave this discussion, as you seem to be too stubborn to critically think about what others say to you.
Why punish the reporters if the reported IPs don't get any trouble for it? If they aren't REPEATEDLY doing it - their one attempt doesn't raise their score any. And again, I understand where you are coming from - I've disabled the script myself for now until I make some changes - but - AbuseIPDB is one of the safest blocklists to use with 100% rating filter... I have never had someone complain they cannot connect to something or got blocked because of it.
Less than a year ago Tor nodes were being spoofed en masse (guard and entry nodes included, which usually do not see the kind of abuse complaints that exit nodes get). Due to this the Tor network was weakened due to suspension because of false claims of abuse due to this actor spoofing IPs.
Yes - DNS provider - aka vulnerable to reflection attacks.
And some more so than others. In any DNS Reflection attack, 9.9.9.9 tends to come up a lot in list of IPs - 1.1.1.1 not so much. Just points to they could adjust some of their filters.
Sounds like a very rare event. And sounds like AbuseIPDB should whitelist Tor nodes tbh.
Not really. MaxMind has a good list of WARP IPs, since they used to be partners (idk if they do any longer)
If the IP in the demo is marked as Cloudflare WARP and is ISP, that is a WARP IP. If not, it's not.


Cloudflare uses very small ranges for their WARP locations (in big countries they use 2-3 IPs per major city). So they maybe have a handful of /24s for that purpose that they just announce globally and route properly per PoP.
AbuseIPDB seems to do the same.


Nice discussion about how avsisp is even more dumb than aluy is. Btw love that spoofing is super rare but it cost me 3 euros to spoof and troll the shit out of avsisp.
Also recent DDoS attacks have been > 6Tbps from what I remember where 80% or 90% is spoofed traffic and only 10% or so is actual non spoofed non amp'ed traffic.
Do you have your own IP? Shodan can get away with it (seen them in my DNS server, maltrail, crowdsec) so I'm sure you can do it too.
the bare minimum probably like:
The internet is built on trust, don't be an asshoe and you'll be fine.
Please don't confuse ICMP requests with fingerprinting. That's the difference from someone shouting "anyone home?" from the street and someone going around recording your door and window status. That ain't your fucking business unless invited.
gravhosting.com
dmzhost.co
I haven't used them, but I remember they allow port scanning.
IPVolume should also work, Censys or Shodan are using it.
Yeah, I don't think so either. Once I tried a smaller scan to see if there is an NTP server running or not; it's a single small UDP packet, nothing special, no personal information to gather, nothing to gain access.
What did I find? That AbuseIPDB users are incompetent and have misconfigured reporting. There were a couple of reports like "Port probe: TCP/123", "Failed Attempt to Connect to and access Firewall", or meaningless "Honeypot hit.". One user submitted multiple reports spaced by whole amounts of hours but at least they got the UDP port right. The reported categories were mostly wrong too, with "Hacking", "Exploited Host", "Brute-Force"; less than half got it right with reporting "Port scan".
Unfortunately, this doesn't work like so. You can't even know if a sent ICMP echo-request had a spoofed source IP address or not; the same goes for any report based upon a single packet without any challenge (like a TCP handshake, for example).
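An added example (not part of any post in this thread) of the point that a single packet cannot be attributed to its claimed source: a filter that treats a source as reportable only after a completed TCP handshake plus repeated failures. The log format, event names and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real traffic). Hypothetical line format:
# "<src_ip> <proto> <dst_port> <event>"
SAMPLE_LOG = """\
192.0.2.10 udp 123 packet
192.0.2.10 icmp 0 echo-request
198.51.100.7 tcp 22 syn
198.51.100.7 tcp 22 established
198.51.100.7 tcp 22 auth-fail
198.51.100.7 tcp 22 auth-fail
198.51.100.7 tcp 22 auth-fail
203.0.113.5 tcp 443 syn
203.0.113.5 tcp 443 syn
"""

# Events that can only be logged after a completed TCP handshake, i.e. the
# source answered our SYN-ACK, so the address is very unlikely to be forged.
VERIFIED_EVENTS = {"established", "auth-fail"}


def reportable_sources(log_text, min_auth_failures=3):
    """Return {ip: reason} for sources that are safe to report.

    Single UDP, ICMP or bare SYN packets are ignored: nothing in them
    proves the source address was not spoofed. A source qualifies only
    through repeated post-handshake failures (threshold is an assumption).
    """
    failures = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        src, proto, dport, event = parts
        if proto != "tcp" or event not in VERIFIED_EVENTS:
            continue  # unverifiable source: never used as report evidence
        if event == "auth-fail":
            failures[(src, dport)] += 1
    return {
        src: f"{count} failed logins on tcp/{dport} after handshake"
        for (src, dport), count in failures.items()
        if count >= min_auth_failures
    }


if __name__ == "__main__":
    for ip, reason in reportable_sources(SAMPLE_LOG).items():
        print(ip, "->", reason)
```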
Thanks for clarifying it was indeed you that just did that crap and got my subnet listed. I'm pretty sure LET doesn't endorse DDoS nor attacks to hosts...
Because you paid something to spoof IPs doesn't mean the system is broken. It means you're a dick. Period.
And I'll send you message now to AbuseIPDB who will obviously delete the false reports -- see how moderation works?
It wasn't me you dumbfuck.
Yes it exactly means the system is broken, but you're too dumb to notice.
Got any proof all of them are false reports? Maybe some IPs did some nasty stuff...
https://www.abuseipdb.com/check/31.57.56.4
Why did you report your own IP, you're hosting a super dangerous machine on your network or what? AbuseIPDB works so great.
1) You just said you paid 3$ to annoy me - and spoof my IPs - so yes you did. You DDoS people known to report automatically to AbuseIPDB to try to prove your point. But you didn't prove anything except that you can spoof IPs - which is well known. That isn't the problem or even being questioned here. What was being questioned is whether or not AbuseIPDB is good or bad. My argument is they try to be good - to moderate, etc. Others argue the system is broken. That is not a way to prove your point. Now I see why you got all your "temp bans" - I really hope that using a host's IPs to DDoS someone else is seen as a good enough reason to perm-ban.
2) Yeah - I got proof. I sent them the link to YOUR ADMISSION here.
3) Most of those IPs AREN'T EVEN IN USE - so easy for AbuseIPDB to verify that.
Ah too bad, I lied to you and you took the bait. Everyone on LET knows I am a troll except you I guess.
The proof is in the pudding as we say... My entire subnet was indeed spoofed. Right before you posted your comment claiming responsibility for it. And considering it was half a subnet and 3 complaints each, that's about 3$ worth of spoof. So it definitely wasn't a bluff or trolling. You did exactly what you claim you did.
When I shutdown the script, it reported itself weirdly. Not an issue as I self-remove it. Which I just did. I check my subnet daily... And act on abuse reports... Like a responsible host should. So if something like that happens, I fix it rather quickly. It isn't an IP used by clients, as a matter of fact, it isn't even mounted at all - so it's fine - doesn't harm anyone. But again - the script has been stopped and isn't in use at the moment until I have time to re-work it.
Because trolling is fun and I can see what's going on on AbuseIPDB, pretty easy to make the link between spoofing and you getting trolled by someone.
You're just pulling numbers out of your ass, you don't pay a dollar per spoof, you just get a VPS for $5/m on a network that doesn't block spoofing and can spoof however long you want. I have no idea where to find those VPS providers but I wanted to make a joke about using ihostart, but I think even he blocks spoofing.
Wrong again stalker child. I am in your head rent free.
Maybe because it's broken as hell and reports way too much bullshit xdddd.
GravHosting allows port scanning in Amsterdam and Johor.