How to get the whole planet to send abuse complaints to your best friends

543 points by scd31, 7 months ago

18 comments

ziddoap, 7 months ago
This type of issue can be incredibly annoying to deal with, because the legitimate answer to the abuse report ("someone is spoofing my IP, it isn't me, and the machine is not compromised") is the exact same excuse that a malicious actor would provide.

Then, as noted in the article, you're trying to prove a negative to someone who doesn't really care at all, which is borderline impossible.
mrbluecoat, 7 months ago
> The internet was broken 25 years ago and is still broken 25 years later. Spoofed source IP addresses should not still be a problem in 2024, but the larger internet community seems completely unwilling to enforce any kind of rules or baseline security that would make the internet safer for everyone.

Same with spoofed MAC addresses, email addresses, ARP messages, Neighbor Discovery, MitM TLS certificates ... It's amazing anything works anymore :D
Rasbora, 7 months ago
Back in the day I would scan for DrDoS reflectors in a similar way, no hosting provider wants to get reports for port scanning so the source address of the scan would belong to an innocent cloud provider with a reputable IP that reflectors would happily send UDP replies to. The cloud provider would of course get a massive influx of complaints but you would just say that you aren't doing any scanning from your server (which they would verify) and they wouldn't shut your service off. The server sending out the spoofed scan packets is undetectable so you're able to scan the entire internet repeatedly without the typical abuse issues that come with it.

I'm not sure how often this happens in practice but tracing the source of a spoofed packet is possible if you can coordinate with transit providers to follow the hops back to the source. One time JPMorgan worked with Cogent to tell us to stop sending packets with their IP addresses (Cogent is one of the most spoofer friendly tier 1's on the internet btw).

This is the first time I've heard of this being used to target TOR specifically which seems counterintuitive, you would think people sending out spoofed packets would be advocates of TOR. Probably just a troll, luckily providers that host TOR won't care about this type of thing.
Habgdnv, 7 months ago
This is nothing new. A few years back, I implemented a very basic firewall rule: if I received a TCP packet with SYN=1 and ACK=0 to destination port 22, the source IP would get blacklisted for a day. But then I started getting complaints about certain sites and services not working. It turned out that every few days, I'd receive such packets from IPs like 8.8.8.8 or 1.1.1.1, as well as from Steam, Roblox, Microsoft, and all kinds of popular servers—Facebook, Instagram, and various chat services. Of course, these were all spoofed packets, which eventually led me to adjust my firewall rules to require a bit more validation.

So, I can assure you this is quite common. As a personal note, I know I'm a bit of an exception for operating multiple IP addresses, but I need the flexibility to send packets with any of my source addresses through any of my ISPs. That's critical for me, and if an ISP filters based on source, it's a deal-breaker—I'll switch to a different ISP.
buildbuildbuild, 7 months ago
The "someone hates Tor relays" theory doesn't sound worth the effort. This could be an entity running malicious relays, while also trying to unethically take down legitimate relays to increase the percentage of the network that they control.
JoshTriplett, 7 months ago
> Which means, if you just find one transit provider which doesn't do BCP38 filtering… you can send IP packets tagged with any source IP you want! And unfortunately, even though the origins of BCP38 date back to 1998… there are still network providers 25 years later that don't implement it.

What would it take to get enough network providers to start rejecting traffic from all ASes that don't implement this, so that spoofing was no longer possible?
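What BCP38 ingress filtering actually checks at a provider edge, as an added example (not code from the thread or from the article): a packet arriving on a customer-facing interface is accepted only if the provider would route its source address back out that same interface (strict unicast RPF). The routing table, interface names and addresses below are constructed; the loose-mode variant illustrates the fallback providers use for multi-homed customers like Habgdnv, who send packets with another ISP's addresses.

```python
import ipaddress

# Constructed routing table: prefix -> interface used to reach that prefix.
# Customer prefixes sit behind cust-A / cust-B; 192.0.2.0/24 is a peer's
# prefix learned over BGP. No default route is listed on purpose: loose-mode
# uRPF normally ignores the default route, otherwise it would accept anything.
ROUTES = {
    "203.0.113.0/24": "cust-A",
    "2001:db8:a::/48": "cust-A",
    "198.51.100.0/25": "cust-B",
    "192.0.2.0/24": "peer-1",
}
# Sort by prefix length so the first hit is the longest match.
TABLE = sorted(((ipaddress.ip_network(p), i) for p, i in ROUTES.items()),
               key=lambda e: e[0].prefixlen, reverse=True)


def best_route(addr):
    """Longest-prefix match for addr; returns the egress interface or None."""
    a = ipaddress.ip_address(addr)
    for net, iface in TABLE:
        if a.version == net.version and a in net:
            return iface
    return None


def strict_urpf_accept(src, ingress):
    """Strict mode (BCP38 at the customer edge): the source must be routed
    back via the very interface the packet came in on. A forged 8.8.8.8 or
    a neighbouring customer's address arriving on cust-A is dropped.
    Caveat: a multi-homed customer sourcing packets from its other ISP's
    range fails this check unless the provider registers that range too."""
    return best_route(src) == ingress


def loose_urpf_accept(src):
    """Loose mode: only require that some route to the source exists. This
    still drops bogons and unallocated space, but not spoofing of any
    routable address, so it is much weaker than strict mode."""
    return best_route(src) is not None
```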
cobbal, 7 months ago
It's a similar problem to swatting. It relies on authorities taking severe action against an unverified source of problems.

I suppose a difference is that they use unaffiliated parties to send the complaint, instead of contacting the authority directly.
jmuguy, 7 months ago
It seems like systems shouldn't report abuse (at least automatically) for single packet, no round trip, requests unless it's reaching denial of service levels of traffic (and maybe these are). Like in particular for SSH there's no way that's even a valid connection attempt until some sort of handshake has occurred.
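Habgdnv's single-SYN ban rule above and jmuguy's point about waiting for a handshake, worked through as an added example (not code from the thread): an off-path spoofer can forge the source of a SYN, but it never sees the SYN-ACK our stack returns to the real owner of that address, so it cannot supply the acknowledgement number that completes the handshake. The packet trace, addresses and sequence numbers are constructed; a real firewall gets the same guarantee from its connection tracker's ESTABLISHED state.

```python
SSH_PORT = 22  # every packet in the constructed trace is to/from this port

# Constructed trace seen by our host: (direction, peer, flags, seq, ack).
# "in" = received from peer, "out" = sent by our stack in reply.
TRACE = [
    ("in",  "8.8.8.8",      {"SYN"},        100,  0),     # forged source, no follow-up
    ("out", "8.8.8.8",      {"SYN", "ACK"}, 5000, 101),   # our SYN-ACK goes to the real 8.8.8.8
    ("in",  "203.0.113.7",  {"SYN"},        700,  0),
    ("out", "203.0.113.7",  {"SYN", "ACK"}, 9000, 701),
    ("in",  "203.0.113.7",  {"ACK"},        701,  9001),  # correct ack: peer saw our SYN-ACK
    ("in",  "198.51.100.9", {"SYN"},        300,  0),     # forged source
    ("out", "198.51.100.9", {"SYN", "ACK"}, 4200, 301),
    ("in",  "198.51.100.9", {"RST"},        301,  0),     # real host never sent a SYN: backscatter
    ("in",  "192.0.2.44",   {"SYN"},        900,  0),
    ("out", "192.0.2.44",   {"SYN", "ACK"}, 6100, 901),
    ("in",  "192.0.2.44",   {"ACK"},        901,  1),     # blind ACK with a guessed number
]


def naive_ban(trace):
    """Habgdnv's original rule: any inbound SYN without ACK -> ban the source.
    Bans 8.8.8.8 and friends on the strength of one forgeable packet."""
    return {peer for d, peer, flags, _, _ in trace
            if d == "in" and "SYN" in flags and "ACK" not in flags}


def handshake_ban(trace):
    """Ban only peers that acknowledge our SYN-ACK with the right number,
    which an off-path spoofer cannot know. Lone SYNs are simply ignored."""
    expected = {}  # peer -> ack number a genuine third packet must carry
    banned = set()
    for d, peer, flags, seq, ack in trace:
        if d == "out" and flags == {"SYN", "ACK"}:
            expected[peer] = seq + 1
        elif d == "in" and flags == {"ACK"} and expected.get(peer) == ack:
            banned.add(peer)
    return banned


def spoof_evidence(trace):
    """Peers whose real host answered our SYN-ACK with RST. The claimed
    source is telling us it never sent that SYN, so the SYN was forged;
    this is the backscatter the article's abuse reports are made of."""
    sent_synack, hits = set(), set()
    for d, peer, flags, _, _ in trace:
        if d == "out" and flags == {"SYN", "ACK"}:
            sent_synack.add(peer)
        elif d == "in" and "RST" in flags and peer in sent_synack:
            hits.add(peer)
    return hits
```

The same trace bans four addresses under the naive rule, one under the handshake rule, and flags 198.51.100.9 as a spoofed source rather than an attacker.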
nostrademons, 7 months ago
This is the IP version of SWATting, patent trolls, framing an innocent person, or using DMCA takedowns to remove the competition. It's basically weaponizing abuse-protection mechanisms to instead attack a target that is disliked. Interesting that the authorities can become a weak link here and be actively weaponized by unscrupulous actors to achieve their aims, but it's not really a new phenomenon.
wizzwizz4, 7 months ago
There's no in-band solution to this problem, but out-of-band solutions might exist! For example: (1) Notify the destination ISP that you're receiving backscatter. (2) That ISP checks where the packets are coming from, and notifies that ISP. (3) Repeat step 2 until source is found. (4) Quarantine that part of the network until it behaves better.

At the end of the day, the internet is people.
ahofmann, 7 months ago
How difficult would it be to hijack this attack by sending these packages to everyone, so that providers like hetzner would get swamped with abuse emails? This way the attack would not work anymore. Either the honeypots would stop sending abuse emails, or the providers would filter those out.
skygazer, 7 months ago
This is likely a very naive question, but how did the spoofer know his IP was participating as an internal Tor node? From what vantage point can that be seen? I imagine internal Tor nodes must know to connect to each other, so it must propagate through Tor. Is the attacker also a Tor node? Is it trivial to map all Tor hosts?
m463, 7 months ago
Gah, I remember once when I was working at a company, and we got an email complaining "stop hacking my systems!"

In the end, we had a load-balancer at .1 balancing a bunch of backend servers.

The complainer would have traffic to .1 that the load balancer would receive. Thing is, old or stale connections would drop out of the load balancer mapping table, and eventually the backend server connection would not get mapped, and the guy would get traffic direct from the backend server real IP address.

The traffic was actually generated by the customer, but these "unrelated" backend servers looked like they were hacking him.
chaz6, 7 months ago
This appears to be the website of the person(s) responsible: https://r00t.monster/

They have posted several screenshots of discussions among people affected on various channels, including Mastodon and the official #tor-relays channel on IRC.
stronglikedan, 7 months ago
Site seemed to be hugged when posting this comment, so:

https://archive.is/Eb7TI
71bw, 7 months ago
The way scrolling is implemented on that page is absolutely abhorrent.
flemhans, 7 months ago
Abuse reports are marketing messages at this point.
preciousoo, 7 months ago
This is pretty clever