On 10/23/2016 4:19 PM, Ronald F. Guilmette wrote:
>> ... I've recorded
>> about 2.4 million IP addresses involved in the last two months (a number
>> that is higher than the number of actual devices, since most seem to
>> have dynamic IP addresses). The ISPs behind those IP addresses have
>> received notifications via email...
> Just curious... How well is that working out?
For the IoT botnets, most of the emails are ignored or rejected, because
most go to providers who either quietly bitbucket them or flat-out
reject all abuse emails. Most emails sent to mainland China, for
instance, are in that category (Hong Kong ISPs are somewhat better).
For other botnets, such as those using compromised webservers running
outdated phpMyAdmin installs at random hosts, harnessing spun-up
services at reputable VPS providers (Amazon, Microsoft, Rackspace,
etc.), or harnessing devices at large and small US and Canadian ISPs, we
have had better luck. Usually, we don't hear a response back, but those
emails are often forwarded to the end-user, who takes action (and may
ask us for help, which is how we know they are being forwarded). The
fixes can be enough to reduce attack volumes to more manageable levels.
Kudos go out to the large and small ISPs and NSPs who have started
policing SSDP and other reflection traffic, which we also send out some
notifications for. In some cases, it may be that our emails spurred them
to notice how much damage those attacks were doing and how much it was
costing them to carry the attack traffic.
> I've tried this myself a few times in the past, when I've found things
> that appear to be seriously compromised, and for my extensive trouble
> I've mostly received back utter silence and no action. I remember that
> after properly notifying security@ some large end-luser cable network
> in the SouthEast (which shall remain nameless) I got back something
> along the lines of "Thank you. We'll look into it." and was disgusted
> to find, two months later, that the boxes in question were still utterly
> pwned and in the exact same state they were two months prior, when I
> had first reported them.
We do get our share of that, as well, unfortunately, along with our
share of people who send angry responses calling the notifications spam
(I disagree with them that sending a legitimate abuse notification to a
publicly-posted, designated abuse account should be considered spam) or
who flame us for acting like "internet police". But, we persist. Some
people change their minds after receiving multiple notifications or
after we explain that DoS traffic costs them money and hurts their
customers, who will be experiencing degraded service and may silently
switch providers over it.
> I guess that's just an example of what somebody else already noted here,
> i.e. that providers don't care to spend the time and/or effort and/or
> money necessary to actually -do- anything about compromised boxes, and
> anyway, they don't want to lose a paying customer.
> So, you know, let's just say for the sake of argument that right now,
> today, I know about a botnet consisting of a quarter million popped
> boxes, and that I have in-hand all of the relevant IPs, and that I
> have no trouble finding contact email addresses for all of the relevant
> ASNs. So then what?
I use scripts to send out an abuse notification to some percentage of
the compromised hosts -- the ones sending some significant amount of the
traffic. The notification includes a description of what we saw and
timestamped example attack traffic, as interpreted by tcpdump. If
further traffic is seen later from the same host, another notification
will be sent, after a cool-off period.
The emails are plain text and we don't try to use them as advertisement.
We also don't force a link to be clicked to see more details or to
respond back. I don't like to receive such emails myself and have found
that those types are more likely to be ignored.
> The question is: Why should I waste my time informing all, or even any
> of these ASNs about the popped boxes on their networks when (a) I am
> not their customer... as many of them have been only too happy to
> gleefully inform me in the past... and when (b) the vast majority
> simply won't do anything with the information?
I'm not saying that everyone should send abuse notifications like we do,
since it can be a big task. But, in response to someone wondering if
their network is being used for attacks, or asking how they could help
to police their own network, I am saying that making sure that inbound
abuse notifications are arriving at the right place and being handled
appropriately is important.
> And while we are on the subject, I just have to bring up one of my
> biggest pet peeves. Why is it that every time some public-spirited
> altruistic well-meaning citizen such as myself reports any kind of a
> problem to any kind of a company on the Internet, the report itself
> gets immediately labeled and categorized as a "complaint". If I spend
> some of -my- valuable time to helpfully try to let somebody else know
> of a problem on their network, or with their web site, and if that
> report gets categorized as a "complaint" then what does that make me?
> A "complainer"??
> I don't need this kind of abuse and denigration from people who I'm
> trying to help. Like most other people, if I am in need of some
> personal denigration and abuse... well... I have relatives for that.
There's a spectrum of people responding to these and some percentage are
just jerks, as in real life. But, I like to think that the majority of
at least NA providers are represented by professionals who just don't
respond out of courtesy because they don't want to flood our inboxes
with simple acknowledgements.
Those of us experiencing these attacks appreciate the community support,
both from people like you who also send notifications and those who
handle the notifications on the receiving end.
-John
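The notification workflow John describes above (pick the sources sending a significant share of the traffic, send a plain-text report with timestamped tcpdump examples, re-notify the same host only after a cool-off period) is sketched below as an added example. This is not John's script or anything from the thread: the tcpdump lines are constructed from RFC 5737 documentation addresses, the abuse-contact table is a stand-in for a whois/RDAP lookup, the 80% volume cut-off and the 7-day cool-off are assumed values, and messages are returned rather than emailed.

```python
"""Abuse-notification triage with a cool-off period (added example, not the
original poster's code). Input is tcpdump-style text; abuse contacts come
from a constructed table standing in for a whois/RDAP query."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of tcpdump output: SSDP (udp/1900) reply traffic from
# three reflectors hitting one victim. Timestamps are assumed to be UTC.
SAMPLE_TCPDUMP = """\
2016-10-23 16:01:02.100111 IP 198.51.100.7.1900 > 203.0.113.9.80: UDP, length 310
2016-10-23 16:01:02.100212 IP 198.51.100.7.1900 > 203.0.113.9.80: UDP, length 310
2016-10-23 16:01:02.100313 IP 198.51.100.7.1900 > 203.0.113.9.80: UDP, length 310
2016-10-23 16:01:02.100414 IP 198.51.100.7.1900 > 203.0.113.9.80: UDP, length 310
2016-10-23 16:01:02.200111 IP 192.0.2.44.1900 > 203.0.113.9.80: UDP, length 310
2016-10-23 16:01:02.200222 IP 192.0.2.44.1900 > 203.0.113.9.80: UDP, length 310
2016-10-23 16:01:02.300111 IP 192.0.2.250.1900 > 203.0.113.9.80: UDP, length 48
"""

# Constructed contact table (hypothetical addresses); a real script would
# look up the abuse contact for the covering prefix via whois or RDAP.
ABUSE_CONTACTS = {
    "198.51.100.0/24": "abuse@example-isp-a.test",
    "192.0.2.0/24": "abuse@example-isp-b.test",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_tcpdump(text):
    """Parse tcpdump lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "len": int(m["len"]), "raw": line,
        })
    return records


def significant_sources(records, share=0.8):
    """Rank sources by bytes sent and keep the smallest top set that accounts
    for `share` of the total: the hosts worth an email, not every stray packet."""
    volume = defaultdict(int)
    for r in records:
        volume[r["src"]] += r["len"]
    total = sum(volume.values())
    chosen, running = [], 0
    for src, nbytes in sorted(volume.items(), key=lambda kv: -kv[1]):
        if running >= share * total:
            break
        chosen.append(src)
        running += nbytes
    return chosen


def abuse_contact(ip):
    """Return the abuse mailbox for the prefix covering `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix, contact in ABUSE_CONTACTS.items():
        if addr in ipaddress.ip_network(prefix):
            return contact
    return None


def build_notification(src, records, max_examples=5):
    """Plain-text report: what was seen plus timestamped tcpdump examples.
    No tracking links and nothing to click through, as the thread advises."""
    mine = [r for r in records if r["src"] == src]
    first, last = min(r["ts"] for r in mine), max(r["ts"] for r in mine)
    nbytes = sum(r["len"] for r in mine)
    ports = ", ".join(str(p) for p in sorted({r["sport"] for r in mine}))
    dsts = ", ".join(sorted({f'{r["dst"]}:{r["dport"]}' for r in mine}))
    lines = [
        f"Subject: Abuse report: {src} sending DoS reflection traffic",
        "",
        f"Host {src} sent {len(mine)} UDP packets ({nbytes} bytes) from source",
        f"port(s) {ports} to {dsts} between {first} and {last} (UTC).",
        "This pattern is consistent with an open service abused as a reflector.",
        "",
        "Example traffic as seen by tcpdump:",
    ]
    lines += ["  " + r["raw"] for r in mine[:max_examples]]
    return "\n".join(lines)


class Notifier:
    """Produces one notification per significant source and re-notifies a
    host only after `cooloff` has elapsed since its last notification."""

    def __init__(self, cooloff=timedelta(days=7)):
        self.cooloff = cooloff
        self.last_sent = {}  # source ip -> datetime of last notification

    def due(self, src, now):
        sent = self.last_sent.get(src)
        return sent is None or now - sent >= self.cooloff

    def run(self, records, now):
        """Return (contact, message) pairs that should go out at `now`."""
        outgoing = []
        for src in significant_sources(records):
            contact = abuse_contact(src)
            if contact is None or not self.due(src, now):
                continue
            outgoing.append((contact, build_notification(src, records)))
            self.last_sent[src] = now
        return outgoing


if __name__ == "__main__":
    notifier = Notifier()
    for contact, message in notifier.run(parse_tcpdump(SAMPLE_TCPDUMP),
                                         datetime(2016, 10, 23, 16, 5)):
        print(f"To: {contact}\n{message}\n")
```

On the sample, the 48-byte source falls below the 80% volume cut-off and gets no email, the other two are reported once, and a second run a day later sends nothing because both hosts are still inside the cool-off; after the full week they are due again. Hosts with no resolvable abuse contact are skipped rather than guessed at.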