A plea to ignore abuse reports from "watchdogcyberdefense.com"
Hi nanog,

Some of you might have seen https://delroth.net/posts/spoofed-mass-scan-abuse/ circulating last week (it was also sent here in reply to someone who received abuse complaints from their ISP).

The TL;DR is that some previously unknown company with a fancy looking domain name has started noticing the background noise on the internet and is sending automated abuse complaints to any owner of a source IP sending a SYN packet to port 22 on their network. They're not doing any filtering to try to prevent spoofed source addresses, and at this point there's plenty of evidence that they are seeing mostly spoofed src IPs, then sending abuse reports to a completely uninvolved owner of the IP.

I've recently been in communication with that company. They sent me an email trying to get "advice" from me about how to not send abuse complaints to the whole internet, while ignoring the obvious answer of "don't mass send automated abuse complaints based on no evidence of abuse and no evidence of who sent you traffic". They're also making wild claims in their email to me, like, I quote, seeing "1.3 billion attacks logged in the past 24 hours". They're saying that they act on data sources like "we query the VirusTotal API for the source IP and it shows us it's infected with malware".

If you're a NOC or someone handling abuse complaints for an ISP or a hosting provider, this is my plea to you: please send abuse reports from "watchdogcyberdefense.com" to your spam box until they understand 1. that a TCP SYN packet is spoofable; 2. that they're harming the internet through reducing trust in abuse complaints by sending so many false positives.

I've myself had interactions with both Hetzner's and Linode's abuse teams, both of them have been top notch and understood what they're likely dealing with, but having to explain to every single ISP what's going on while sitting in the equivalent of an interrogation room threatened with a service suspension isn't a very comfortable situation.

Thank you in advance,
Best,

--
Pierre Bourdon <delroth@gmail.com>
Software Engineer @ Zürich, Switzerland
https://delroth.net/
Hetzner's automated abuse system is just as terrible. I did a write up on it a couple years ago, when it was being sold as a DoS method on certain nefarious forums, the malicious actor repeatedly spoofs your IP/ranges toward Hetzner ranges, generating abuse reports to your ISP, until your ISP nullroutes/suspends. We immediately bin anything that hits our abuse mailbox from Hetzner since then, because it got to the point that daily we were receiving obviously spoofed logs of UDP traffic. I tried to climb the ladder of bureaucracy at Hetzner, the highest point I was able to reach was a "senior network engineer," who told me to disable spoofing on my network, but could not comprehend that disabling spoofing on my network does not prevent other networks from spoofing our IPs.
There are tons of networks out there that will automatically send an email to abuse records in whois based on fairly braindead criteria. Sadly, this has resulted in abuse contacts being increasingly useless since large hosting providers get such a flood of garbage that they can't actually look into it. Even better, most of the networks sending this garbage can't be bothered to respond when you ask for more information, making it pretty clear they don't actually care about the abuse they're supposedly notifying you of.

Over the years I've started routing any abuse emails from networks who don't bother to respond to requests for further info to /dev/null. It has basically removed all the garbage and leaves an abuse contact that can actually handle real abuse reports.

Matt

On 11/4/24 8:01 PM, Pierre Bourdon wrote:
> Hi nanog,
>
> Some of you might have seen https://delroth.net/posts/spoofed-mass-scan-abuse/ circulating last week (it was also sent here in reply to someone who received abuse complaints from their ISP).
>
> The TL;DR is that some previously unknown company with a fancy looking domain name has started noticing the background noise on the internet and is sending automated abuse complaints to any owner of a source IP sending a SYN packet to port 22 on their network. They're not doing any filtering to try to prevent spoofed source addresses, and at this point there's plenty of evidence that they are seeing mostly spoofed src IPs, then sending abuse reports to a completely uninvolved owner of the IP.
>
> I've recently been in communication with that company. They sent me an email trying to get "advice" from me about how to not send abuse complaints to the whole internet, while ignoring the obvious answer of "don't mass send automated abuse complaints based on no evidence of abuse and no evidence of who sent you traffic". They're also making wild claims in their email to me, like, I quote, seeing "1.3 billion attacks logged in the past 24 hours". They're saying that they act on data sources like "we query the VirusTotal API for the source IP and it shows us it's infected with malware".
>
> If you're a NOC or someone handling abuse complaints for an ISP or a hosting provider, this is my plea to you: please send abuse reports from "watchdogcyberdefense.com" to your spam box until they understand 1. that a TCP SYN packet is spoofable; 2. that they're harming the internet through reducing trust in abuse complaints by sending so many false positives.
>
> I've myself had interactions with both Hetzner's and Linode's abuse teams, both of them have been top notch and understood what they're likely dealing with, but having to explain to every single ISP what's going on while sitting in the equivalent of an interrogation room threatened with a service suspension isn't a very comfortable situation.
>
> Thank you in advance,
> Best,
We got two of these yesterday for addresses that are not ours. One was sort of adjacent... and seemed plausibly fat-fingered.

204.144.161.0 ≠ 204.144.151.0

We will definitely filter out anything further. Thanks for the heads-up.
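A triage check of the kind this thread argues for, as an added example and not code from any poster: it mutes a reporter already known to send spoof-driven complaints, rejects reports for addresses outside the prefixes we actually announce (the fat-fingered case above), and marks reports whose only evidence is TCP SYNs as unverifiable, since the source address of a bare SYN is spoofable. The prefix list, the log format and the sample evidence are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the prefixes this network announces (not real allocations).
OUR_PREFIXES = [ipaddress.ip_network("204.144.151.0/24")]

# Reporters whose automated complaints have proven spoof-driven (from the thread).
MUTED_REPORTERS = {"watchdogcyberdefense.com"}

# Constructed evidence format: "<ts> <src>:<sport> -> <dst>:<dport> [<tcp flags>]".
_LOG = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> \d{1,3}(?:\.\d{1,3}){3}:\d+ \[([A-Z.]*)\]"
)

SYN_ONLY_EVIDENCE = """2024-11-04 20:01:02 204.144.151.9:51234 -> 198.51.100.5:22 [S]
2024-11-04 20:01:03 204.144.151.9:51235 -> 198.51.100.5:22 [S]"""

HANDSHAKE_EVIDENCE = """2024-11-04 20:02:02 204.144.151.9:51300 -> 198.51.100.5:22 [S]
2024-11-04 20:02:02 204.144.151.9:51300 -> 198.51.100.5:22 [.]
2024-11-04 20:02:03 204.144.151.9:51300 -> 198.51.100.5:22 [P.]"""


def classify_report(reporter_domain, reported_ip, evidence):
    """Return (verdict, reason) for one automated abuse report.

    mute         - reporter is on the mute list
    reject       - address is not ours, or evidence never mentions it
    unverifiable - only SYN packets logged; the source could be spoofed
    investigate  - evidence shows the three-way handshake completed
    """
    if reporter_domain.lower() in MUTED_REPORTERS:
        return "mute", "reporter on mute list"
    ip = ipaddress.ip_address(reported_ip)
    if not any(ip in net for net in OUR_PREFIXES):
        return "reject", f"{ip} is not in our announced prefixes"
    flags_seen = set()
    for line in evidence.splitlines():
        m = _LOG.search(line)
        if m and m.group(1) == str(ip):
            flags_seen.add(m.group(2))
    if not flags_seen:
        return "reject", "evidence never mentions the reported address"
    # A SYN carries no proof the sender can receive replies at that address.
    if flags_seen <= {"S"}:
        return "unverifiable", "only SYN packets logged; source is spoofable"
    return "investigate", f"flags seen: {sorted(flags_seen)}"
```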
So, who here remembers "BlackICE Defender"?

It was MS Windows software which would watch for and protect against "attacks", draw pretty charts and graphs, and also "report the attack to the attacker's ISP".

They did improve slightly over time, but things which it initially viewed as an attack were nefarious things like "you sent me an ICMP echo-request"...

W

On Tue, Nov 5 2024 at 10:21 PM, Mike Lewinski <nanog@nanog.org> wrote:
> We got two of these yesterday for addresses that are not ours. One was sort of adjacent... and seemed plausibly fat-fingered.
>
> 204.144.161.0 ≠ 204.144.151.0
>
> We will definitely filter out anything further. Thanks for the heads-up.
Aww BlackICE. I was talking to Robert not too long ago about this. A simpler time.
On Nov 6, 2024, at 11:01, Warren Kumari <warren@kumari.net> wrote:
> So, who here remembers "BlackICE Defender"?
>
> It was MS Windows software which would watch for and protect against "attacks", draw pretty charts and graphs, and also "report the attack to the attacker's ISP".
>
> They did improve slightly over time, but things which it initially viewed as an attack were nefarious things like "you sent me an ICMP echo-request"...
>
> W
>
> On Tue, Nov 5 2024 at 10:21 PM, Mike Lewinski <nanog@nanog.org> wrote:
>
> > We got two of these yesterday for addresses that are not ours. One was sort of adjacent... and seemed plausibly fat-fingered.
> >
> > 204.144.161.0 ≠ 204.144.151.0
> >
> > We will definitely filter out anything further. Thanks for the heads-up.
On 06/11/2024 10:01 a.m., Warren Kumari wrote:
> So, who here remembers "BlackICE Defender"?
>
> It was MS Windows software which would watch for and protect against "attacks", draw pretty charts and graphs, and also "report the attack to the attacker's ISP".
>
> They did improve slightly over time, but things which it initially viewed as an attack were nefarious things like "you sent me an ICMP echo-request"...
If someone sent a ping to one of my Windows machines it wouldn't even be seen by Windows because each machine is behind its own separate hardware firewall that would receive and respond to the ping. (I leave WAN ping enabled on the firewalls because I know it's helpful to other internet users to test their connection.)

Of course I wouldn't buy junk software like that... I can see where in a corporate environment someone might buy and install it because it checks a box on their "security checklist" or maybe an individual that doesn't understand computers very well buying anything marketed as protecting their computer even though they really have no idea what it's doing. (I do wonder how many people have gotten computer viruses from malware they downloaded that was masquerading as "security software".)

I do have to wonder how often some company installed it across their whole corporate network and when one of their machines pinged another one of their machines inside their network (using RFC 1918 address space) BlackICE Defender on the machine receiving the ping would send an abuse report to abuse@iana.org. ^_^

--
Glen A. Pearce
gap@ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17
participants (7): Calvin Judy, Glen A. Pearce, joel@joelesler.net, Matt Corallo, Mike Lewinski, Pierre Bourdon, Warren Kumari