What to do when a registrar does not respond to abuse from an IP

Hello there,

I have reported to a registrar an IP that has been doing a bunch of WordPress attacks on one of my sites and also using a fake referrer by impersonating itself as www.bing.com. What can be done?

Regards
On 22.06.22 at 22:39, Angel P wrote:
> Hello there,
> I have reported to a registrar an IP that has been doing a bunch of WordPress attacks on one of my sites and also using a fake referrer by impersonating itself as www.bing.com. What can be done?
Basically nothing (but read on). Registrars happily hide the identity of registrants but disclaim any responsibility for their actions ("it's not us but our customer, but we won't give you the customer's name"). Hosting companies, which would normally be the correct abuse contact for those IPs, happily hide the identity of their customers but disclaim any responsibility for their actions ("it's not us but our customer, but we won't give you the customer's name"). They may provide you with a way to contact their customer through some forwarding mechanism, but when the customer is itself the abuser, that would mean they expose your identity to the abuser without exposing the abuser's identity to you. In real-life abuse situations it has long been established that this is an absolute no-no, but registry and hosting service providers get away with it.

The attacks are probably too easy to defend against, so there's no incentive for law enforcement to follow through with your issue, which would otherwise be a way to subpoena the contact information. However, even if they did that, the information would likely be worthless, as abusers can register with fake ID easily.

What you *can* do is protect yourself and don't rely on others' assistance. Block IP space if you experience abuse from there. Install WordPress plugins to detect and reject attacks. There are some ways to report abusive IPs to the public (https://abuseipdb.com comes to mind, but there are others), but these probably have little effect beyond documenting that a problem is seen by more than one reporter.

Cheers,
Hans-Martin

(I've responded to the mailing list although this isn't really an abuse reporting help forum, but to reinforce the POV that the refusal to require accurate identity and contact information about internet resource owners is a major reason that internet abuse is so hard to fight.)
On 23 Jun 2022, at 08:00, Hans-Martin Mosner via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
> [..]
> What you *can* do is protect yourself and don't rely on others' assistance. Block IP space if you experience abuse from there.
This. Use block lists like https://www.spamhaus.org/xbl/ to make your life a bit easier; but do not outright block, use them à la SpamAssassin as one of many inputs to rank whether an IP is likely to be good or bad.

For Tor, there is https://check.torproject.org/api/bulk ; though in the end Tor is just noise; compromised hosts are a bigger issue.

For Internet, there is a very harsh one: https://www.spamhaus.org/drop/ (you might also accidentally block good people using those ISPs).

Whatever list you use, be it those from Spamhaus or other providers, do verify what you block and maybe whitelist what you never want to block. Making a baseline of "normal clients" can also be useful: e.g., no sense in processing packets from an IP in Antarctica when you normally do not get traffic from there. Your Network, Your Policy... but also your pain when a user gets accidentally blocked...

Whois info is mostly useless, as fake data is there. Hence, having "this is an anonymous user" info in Whois is futile; just let those orgs opt out of providing data altogether. As then, we have mostly left information from entities that do want to be contacted and likely want to react to problems. Which means that Whois becomes a bit more useful, as there is a much higher chance that one can reach somebody who will act.

And also, one could then easily build a nice list of ISPs that do not provide contactable & reactive abuse departments, and rank those as 'likely useless, maybe hostile, possibly criminal', and when shit hits the fan (DDoS, or other abuse) throw those in the bit bucket.

A multi-class Internet will exist (currently already with ASNs that are being blacklisted due to abuse, or heck, darknets), but will also exist in the long run. A "Clean, we know the other party" Internet is coming... sooner or later (and will likely be very, very commercial). And that will involve that people properly deal with abuse. But to get there we need automation and contactability and accountability....

and from a freedom perspective, and that one sometimes wants to be anonymous, that is not going to happen easily; neither getting rid of junk data in Whois... (too many parties who have an interest in doing abuse, unfortunately, some because it supports their business case of providing the protection services that are now needed...)

Internet... a fun beast -- I would love the Internet to be a bit more open, but unfortunately bad parties and commercialisation do not allow that. Fortunately there are movements like Tor, Freifunk and https://DN42.dev that provide alternative Internet methods. All of them run into similar scaling problems and... who pays for it though. (Internet should just have been a commodity provided freely by states, but alas... too late)

Greets,
Jeroen
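The two pieces of practical advice in the thread (Hans-Martin: block the IP space you see abuse from and detect the WordPress login attacks locally; Jeroen: feed block lists such as XBL, DROP and the Tor exit list into a SpamAssassin-style score rather than hard-blocking on any one of them, verify what you block, whitelist what must never be blocked, and keep a baseline of "normal clients") fit together as one scoring function. The following is an added example written for this page, not code from any of the posters or from Spamhaus or the Tor project. All feed contents, the country lookup, the log lines, the weights and the threshold are constructed placeholders: a real deployment would load the actual feeds, refresh them, and tune the weights against its own traffic.

```python
"""Rank client IPs from several inputs instead of hard-blocking on one list.

Added example for this thread, not code from any of the posters. All feed data
below is constructed (documentation prefixes only); a real deployment would load
the Spamhaus XBL/DROP feeds and the Tor bulk exit list and refresh them regularly.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed stand-ins for the feeds named in the thread (not real data).
DROP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # DROP-style: whole allocations
XBL_ADDRESSES = {"198.51.100.23", "198.51.100.77"}         # XBL-style: individual compromised hosts
TOR_EXITS = {"192.0.2.200"}                                # Tor bulk exit list style
# "Verify what you block": addresses that must never be blocked, even if a feed lists them.
ALLOWLIST = [ipaddress.ip_network("203.0.113.8/32"), ipaddress.ip_network("10.0.0.0/8")]
# The site's baseline of normal clients: countries it normally sees traffic from.
BASELINE_COUNTRIES = {"NL", "DE", "US"}

# Hypothetical weights: only DROP reaches the threshold on its own; the rest add up.
WEIGHTS = {"DROP": 5.0, "XBL": 3.0, "TOR": 1.0, "OFF_BASELINE": 1.5, "LOGIN_ABUSE": 2.0}
BLOCK_THRESHOLD = 5.0
LOGIN_ABUSE_MIN = 10                     # POSTs to a login endpoint before the local signal fires
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


@dataclass
class Verdict:
    ip: str
    score: float = 0.0
    reasons: List[str] = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return self.score >= BLOCK_THRESHOLD


def _listed(ip, networks: Iterable) -> bool:
    """True if the parsed address falls inside any of the CIDR networks."""
    return any(ip in net for net in networks)


def score_ip(addr: str, country: Optional[str] = None, login_posts: int = 0) -> Verdict:
    """Combine reputation feeds, the geo baseline and a local signal into one score."""
    ip = ipaddress.ip_address(addr)
    v = Verdict(addr)
    if _listed(ip, ALLOWLIST):          # the allowlist wins over every feed
        v.reasons.append("ALLOWLIST")
        return v
    if _listed(ip, DROP_NETWORKS):
        v.score += WEIGHTS["DROP"]
        v.reasons.append("DROP")
    if addr in XBL_ADDRESSES:
        v.score += WEIGHTS["XBL"]
        v.reasons.append("XBL")
    if addr in TOR_EXITS:               # "just noise" on its own, hence a low weight
        v.score += WEIGHTS["TOR"]
        v.reasons.append("TOR")
    if country is not None and country not in BASELINE_COUNTRIES:
        v.score += WEIGHTS["OFF_BASELINE"]
        v.reasons.append(f"OFF_BASELINE:{country}")
    if login_posts >= LOGIN_ABUSE_MIN:  # the local WordPress login-abuse signal
        v.score += WEIGHTS["LOGIN_ABUSE"]
        v.reasons.append(f"LOGIN_ABUSE:{login_posts}")
    return v


# Apache combined-log-style lines; only client IP, method and path are extracted.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')


def triage_log(lines: Iterable[str], geo: Dict[str, str]) -> Dict[str, Verdict]:
    """Count login POSTs per IP in the log and return one Verdict per client IP."""
    login_posts: Dict[str, int] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # unparsable line: skip rather than guess
        ip, method, path = m["ip"], m["method"], m["path"]
        login_posts.setdefault(ip, 0)
        if method == "POST" and path.startswith(LOGIN_PATHS):
            login_posts[ip] += 1
    return {ip: score_ip(ip, geo.get(ip), n) for ip, n in login_posts.items()}


# Constructed sample log and country lookup (a real setup would use a GeoIP database).
GEO = {"198.51.100.23": "AQ", "192.0.2.10": "NL", "203.0.113.9": "US", "203.0.113.8": "US"}
SAMPLE_LOG = [
    f'198.51.100.23 - - [23/Jun/2022:08:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
    '200 1234 "http://www.bing.com/" "Mozilla/5.0"'           # forged Bing referrer, as in the thread
    for i in range(10)
] + [
    '192.0.2.10 - - [23/Jun/2022:08:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Jun/2022:08:01:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.0"',
    '203.0.113.8 - - [23/Jun/2022:08:01:09 +0000] "GET /health HTTP/1.1" 200 2 "-" "monitor/1.0"',
]

if __name__ == "__main__":
    for ip, verdict in triage_log(SAMPLE_LOG, GEO).items():
        action = "block" if verdict.blocked else "allow"
        print(f"{ip:<16} {verdict.score:4.1f} {action:5} {', '.join(verdict.reasons) or '-'}")
```

Run stand-alone, it prints one line per client IP in the constructed log with its score, the resulting action and the reasons that contributed. The design point is Jeroen's: no single list except the deliberately harsh DROP-style one blocks by itself, the allowlist is consulted before any feed so a verified host can never be caught, and the off-baseline country and the local login-abuse count only tip an already suspicious address over the threshold. The `reasons` list is what makes the verdict reviewable when a user is blocked by accident.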
On 23/06/2022 10:24, Jeroen Massar via anti-abuse-wg wrote:
> Use block lists like https://www.spamhaus.org/xbl/ to make your life a bit easier; but do not outright block, use them à la SpamAssassin as one of many inputs to rank whether an IP is likely to be good or bad.
>
> For Tor, there is https://check.torproject.org/api/bulk ; though in the end Tor is just noise; compromised hosts are a bigger issue. For Internet, there is a very harsh one: https://www.spamhaus.org/drop/ (you might also accidentally block good people using those ISPs).
>
> Whatever list you use, be it those from Spamhaus or other providers, do verify what you block and maybe whitelist what you never want to block. Making a baseline of "normal clients" can also be useful: e.g., no sense in processing packets from an IP in Antarctica when you normally do not get traffic from there. Your Network, Your Policy... but also your pain when a user gets accidentally blocked...

If you raised the issue, what do others think of https://www.crowdsec.net/

Thanks,
Hank