It's not a new vector, but it's not super common either. I wrote about it back in August of 2022: Hetzner's automated abuse system was being used as a denial of service vector, as the malicious actor just spoofed the victim IP(s) toward their network, and the abuse reports were automatically sent to the victim's ISP. Enough reports and a lot of providers will nullroute the IP address.
I remember while delving into it there were some posts offering this exact service on various "hacking forums." I reached out to Hetzner multiple times; the highest point of contact I could reach was a "*senior network engineer*" who told me to disable spoofing on my network. Which of course, it already was, and that doesn't stop other networks from spoofing our ranges. But I couldn't ever get them to grasp the idea; to this day Hetzner abuse reports get immediately binned on our side.

On Thu, Dec 19, 2024, at 2:02 PM, na...@immibis.com wrote:
> There was also the attack on the Tor network a few months ago.
>
> In that case I spoke to the "security" company that was sending the abuse
> notices to my provider - and they confirmed that they know the notices are
> bullshit, they acknowledge that if they cause financial losses I might be
> able to win damages in a lawsuit, and they will continue sending them anyway
> because they don't care to update their policies.
>
> Has this sort of thing always been a problem on the internet or is it a new
> attack vector?
>
>
> On 18 December 2024 6:40:54 pm GMT+01:00, "Dan Mahoney (Gushi)"
> <d...@prime.gushi.org> wrote:
>> On Wed, 18 Dec 2024, Dan Mahoney wrote:
>>> Hey there,
>>>
>>> Dayjob recently got a report from complia...@tucows.com alleging that an
>>> old, historic bind9.tar.gz.asc (a plain-text checksum file) on ftp.isc.org
>>> is malware. It’s not. It’s a false positive.
>>>
>>> Additionally, the URL they sent to view the reporting material is http-only,
>>> and does not work, but it’s not hosted by tucows/hover, it’s hosted at
>>> http://url4091.abuse-report.pir.org, is http-only (what year is it?) and
>>> doesn’t work! Nor does that report actually come out and say what the file
>>> in question is, it’s only shown in an attached screenshot.
>>>
>>> Given what recently happened to another important internet domain (one of
>>> our IP providers) being put on administrative hold due to basically one
>>> complaint of fraud, I am incredibly concerned.
>>>
>>> I’ve been in touch with the registrar that holds our domain name about this
>>> (Hover/Tucows), and I’ve got a direct line with the CTO, but I need
>>> assurances that this will not lead to obnoxious actions, a week before
>>> Christmas.
>>>
>>> -Dan
>>> (From personal address, but with very much DayJob hat on)
>>
>> Whoops, helps to add:
>>
>> email dmahoney at isc org (but cc ray@)
>> phone 703-DEV-24x7 (txt/imessage, but identify yourself in the first volley)
>>
>> -Dan