Ask HN: Are Whois Abuse Reports Useful?

37 points by amony ↗ HN
Is it worth the time and effort to email the Whois abuse contacts when an IP is probing a web server? I see a lot of probes from IPs assigned to US companies such as Microsoft, Amazon and Google. They fill up my access logs with noise that costs money to store and takes time to deal with.

Is it worth my time to email these abuse contacts and ask them to stop? Should I just ignore it? Should I block the IPs?

Thanks for any advice.

43 comments

[ 5.2 ms ] story [ 95.9 ms ] thread
Is it worth the time and effort to email the Whois abuse contacts when an IP is probing a web server?

Not likely. Unless there is evidence captured proving someone hacked your machine and did damage, the reports to the domain owner will be ignored or never seen. Reports to the ISP will be ignored. Or worse, they wont be ignored and the ISP just pits you against the compromised server owner who will be in denial and/or won't know what to do.

I find it best to just set environment variables and ACL's to just ignore the attacks. Maybe send them to a dummy page served entirely from RAM or a ram disk and set logging to /dev/null. I would not even bother blocking them. The C&C nodes will detect an edge node can't reach you and will just try at some point from another compromised host. I'd just give them a lightweight error served from ram to reduce disk IO and bandwidth.

If you are bored, something fun to do is make pages that cause the bot to go into recursion loops on your site with dummy pages that have keywords like "Wordpress, cpanel, admin" and that link to each other ...etc. A clever error page can do this in a single page but make it look like infinite pages via relative links.

If the probes are to SSH then just use SSH keys and disable password authentication. Let them probe away. If it's really annoying then firewall restrict SSH to your ISP's CIDR blocks to reduce the noise, and/or move SSH to a high port to reduce noise not for security. If that is not enough I can suggest something that will make your SSH invisible to 90%+ of the bots without moving to a high port.

What's that suggestion?
To save myself some typing, here [1] is an example I used a while back that could be applied to ssh, or https or all ports if one was so daring. Ensure time is taken to watch tcpdump of your own connections so that the MSS range is set to something that allows your traffic. Look for my comment in that thread. Most legit non-vpn traffic will have an MSS of 1460. Most bots in asia have an MSS of 1398. Most in Russia 1424. Some Cisco devices are 1454. Qualys TLS test uses 1380. A majority of bots use masscan to find open ports and masscan does not even bother to set an MSS at all so any range will block them.

Be sure to run the tcpdump example in that thread for a while and open a second terminal to see your own SYN MSS size from both your workstation and from your phone if using a phone to SSH.

[1] - https://news.ycombinator.com/item?id=33129508

What is "probing"? Are these SSH log in attempts? Yes

Port Scans? Not worth the time.

Here are some examples. They are probing the website for vulnerabilities in web frameworks that I am not using. The probes are generating a lot of logs, incorrect referrer stats, etc:

    1.2.3.4 - - [15/Oct/2022:08:36:42 +0000] "GET /site/wp-includes/wlwmanifest.xml HTTP/1.1" 404 370 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"

    2.3.4.5 - - [15/Oct/2022:13:03:22 +0000] "GET /admin/controller/extension/extension/ HTTP/1.1" 404 370 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"

    3.4.5.6 - - [15/Oct/2022:05:41:00 +0000] "GET /1index.php HTTP/1.1" 404 370 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
This type of traffic is very common. We see thousands of these every day. A quick and easy solution to this would be to use Cloudflare's WAF. Would block most of this traffic before it reaches you.
Thank you. I would prefer to maintain full control of access to the site and not trust a large vendor such as CF. I know they have mechanisms that would stop this, but they may also impact normal users in a negative way.
if you want to remain in control, then do fire off abuse reports and consider firewalling off those IPs.
Could you elaborate on how they would impact normal users in a negative way? We rely heavily on CF so would be good to be knowledgeable about such things.
I run a publicly accessible web service, and get this stuff all the time.

My service happens to be fronted by nginx, so over time I accumulate config to match these and drop connections and drop from the logs entirely:

  location /wp-admin {
    access_log off;
    log_not_found off;
    return 444;
  }
(444 is a nonstandard error code that tells nginx to just close the connection, don't respond at all; if you want to be more mischievous you could return 301 "https://nsa.gov")
Yeah maybe spamming the NSA with a bunch of random bots whose only common attribute is your domain in the referrer tag is a bad idea.
I don’t think it’s illegal to redirect anyone anywhere. Either way, 301s don’t modify the referrer so they wouldn’t be able to tell.
I'm thinking that legal/illegal might not matter so much if you happen to annoy somebody at the NSA. And betting that they wouldn't be able to tell might prove regrettably over-optimistic.
Just ignore them.

Log analyser tools will exclude them from reports.

It's only worth reporting abuse if there's something the ISP might do about it. Report a hacked server hosting malware etc. Don't bother for this.

These aren't really actionable, it's part of the noise floor.

Scanners gonna scan, etc.

If you send an abuse report for these and it's processed, the user is going to tell the ISP, yeah, I'm running a vulnerability scan as a public service, and the scans are going to continue.

You can put rules like someone said or you can ignore it.

While some scans might come from that actual host owners, the vast majority are coming from compromised systems. If the ISP is responsible and investigates they will be shut off.

Most types of scanning also violate the terms of service for almost all ISPs so even if the owner does claim it's a public service there's a decent chance they'll be shut off. If the scanner is brute-forcing or trying to exploit known vulnerabilities, for example.

I know a lot of people will find this to be wishful thinking. I've run security for some fairly large businesses and reported more than my share of compromised hosts. Obviously we don't report every scanner because it's time consuming and the cost/benefit isn't there, but the percentage of companies that respond is far more than zero.

I would say though, that you're less likely to get a response from a Whois contact for the IP than from a domain contact or a contact listed on the primary website of the domain owner. Whois contacts get so much spam they often go un-monitored.

The kind of scanning visible in those logs has already been reported by a ton of automatic reporters.
You will never stop the almost zero effort attacks which are usually people scanning the entire internet for their small set of vulnerabilities. Only block or report abuse when an attack becomes persistent (trying to break a password) or if it seems like someone is actually targeting you.
There is a big effort right now by one of the working groups at ICANN to review dns abuse. They’re trying to address it because it IS a big problem. Even though the latest report says it’s going down globally. https://www.icann.org/en/blogs/details/icann-publishes-dns-a...

They are addressing it, though, and I believe there is a place for public comments.

The idea that these entirely ordinary uses of DNS constitute as "DNS abuse" is ridiculous.

Sure, maybe phishing and botnets are bad. (Just like maybe daily stormer, kiwifarms and reddit are bad). They're still all perfectly ordinary DNS users, they're not "abusing" DNS.

A botnet using botnet.com to find the IP address of the C&C server is no different than everyone else using google.com to find the IP address of the search engine.

I clicked on the article, and read it; then I clicked on the report. In neither did I find an explanation of what is meant by "DNS abuse".
“DNS abuse” in that context means “people pointing DNS records at servers with content I don’t like :(“

Unlike the name suggests, this has nothing to do with actual abuse of the domain name system.

No, this is equaly efficient as spending time on spam mail. Delete, filter, ignore.

> costs money to store and takes time to deal with

Are you storing requests long term? With sampling and a rolling window of history it shouldn't really affect you. I would spend my time optimizing that part than dealing with abuse forms.

>Is it worth my time to email these abuse contacts and ask them to stop? Should I just ignore it? Should I block the IPs?

Obviously not worth your time, unless your time is worth nothing, because that's exactly what you get in return. You will never receive any benefit whatsoever from emailing those abuse contacts.

You should just ignore it, even blocking the IPs isn't worth the effort.

>They fill up my access logs with noise that costs money to store and takes time to deal with.

If your access logs cost meaningful amounts of money to store, you should address that issue.

Storage costs something like $15 per TB, and you can safely assume around 6 years life expectancy. That's around $2.5 per year per terabyte of logs.

There's no way this abusive traffic is costing you even a dollar in log storage unless you're doing something utterly stupid.

> You will never receive any benefit whatsoever from emailing those abuse contacts.

I disagree. That’s like saying theres no point donating $5 to charity because it’s not enough to fund research.

The point is that if everyone reports the abusers, there will be fewer abusers in total, which directly impacts the amount of abuse you see on your end.

The “if I recycle, it’ll help” effect.

Their point is that such things usually don’t work. In the same way that consumer recycling doesn’t affect climate change (or other laudable goal), everyone tomorrow could email about a specific IP, and it’s a tossup whether it’ll change that one IP, let alone the others.

Your mistake is thinking that abuse reports you send can truly measurably reduce abuse.

It’s not true! Any IP address you see in your logs has almost certainly already had a ton of automated abuse reports sent about it.

Totally agree, although I do tend to accumulate and block ssh attempts just to lower the noise on systems (all key-only) that have a fair number of actual ssh users.

I have never, ever received a return message from an abuse@ address, except the automated no-reply.

About half the probes and brute-force attacks I get are from commercial VPS companies (looking at you, Digital Ocean). Send an abuse report to DO, I dare you. It’s a comical array of “your response will be ignored unless you use our abuse API”, which... is also ignored.

Edit: vpn -> vps

Yes absolutely. I work in big telco and I can assure you that any decent ISP reads those abuse reports and acts on them.

I have two stories I can only tell on this anonymous account. First as a kid I was nmap scanning carelessly from my boyhood room, trying to learn. Got a letter home a few days later with a warning from my ISP and a little booklet about "netiquette". Class acts in the 90s.

And fast forward to just 8 or so years ago at my current job I decide to host a service that got abuse complaints on company servers and IPs. My boss asks me if I know what's running on this VM with this IP and I had to fess up that it was me trying to use free resources.

Both cases stem from an abuse report where the reporter only had the IP to report on.

And actually now that I think about it, running Tor exit nodes at Linode they regularly contacted me due to abuse reports and we had to resolve them together.

So yes abuse emails should work, but of course there will be exceptions.

Abuse emails might occasionally work, but that hardly answers the question.

Abuse emails can be useful to the recipient.

Abuse emails do not benefit the sender in any way, there is no return on investment. It's just particularly unimpactful charity work.

The return is that you hopefully stop or punish the transgressions that caused you to send the abuse report.

But on second thought I must agree that it's probably the other way around, that people listening to abuse reports are the exception rather than the norm. I might have had some good experiences because I dealt with major ISPs in northern europe who are sticklers for the rules and processes.

> The return is that you hopefully stop or punish the transgressions that caused you to send the abuse report.

How is that a return? What genuine benefit can you draw from stopping one of the thousands of internet-wide scans from stopping your server?

Depending where you stand philosphically, I witnessed that "paying it forward" works. In this instance, if people start using whois abuse reports they will become more effective. Also, the few reports I submitted were always processed and led to (at least) a website reset.
I gave it a go when I was receiving spam from vodafone.pt.

I forwarded the message with a brief explanation to their abuse address.

The server responded saying "this server does not accept forwarded mail".

I told them about it on Twitter instead.

"Please DM us a screenshot."

A screenshot? That won't do much good. I included the headers too showing the provenance.

"Please forward it to our abuse address".

At this point I just laughed and stopped.

Fwiw, they told you to do the wrong thing. If you’re diagnosing spam, you want to include the original email as an attachment to the notification. Forwarding destroys useful information.
It is not so simple.

I've seen abuse complaints to the abuse contacts of the RIRs (that, in the end, are in the top of the chain of "owners" of those IP blocks) or intermediate owners that lease those ranges or distribute them among their clients. Sending to the wrong targets (specially, in an automated way, there are scripts that does that) will end you getting ignored, and the reports of the IPs that they actually use may get lost because the noise.

And besides that, there are different ways to use those addresses, and the owner of them may not know, or could not have policies to deal with them.

What you do with residential IPs? Will you block/penalize your users if somehow their connection was used to launch an attack? Even if they are not aware of that happened? Different ISPs in different countries could have different policies.

What about big hosting companies? There are more shades of grey there, specially when those outbound IP addresses could be used by several clients. For entire servers to vulnerable web applications in shared servers to ways to dynamic launching workloads with IPs from common pools, is not trivial.

But it should matter for small enough companies, where that activity was launched by their own administered servers, because exploited vulnerabilities or rogue employees. Or companies that take some action because internal or clients hostile activity.

Anyway, besides complaining to abuse reports, you have more ways of action. You can block IPs or IP blocks (if connections are coming from an ISP, country or hosting company where you not expect to get actual users for your service. You can use fail2ban or some WAF to block those IPs as soon as some known attack pattern is detected. Or you can use them to monitor your infrastructure, in the sense that if some of those attempts for an URL get a 200 status code or something like that launch an alert.

Also, using RDAP (https://en.wikipedia.org/wiki/Registration_Data_Access_Proto...) should be better than using whois.

I have been worked for an ISP in the past. Most of the abuse reports was automatic generated copyright infringements for users using P2Ps and we ignore them at all. Another big number of abuse reports come from "the internet police": pedantic users that complaint about receiving a port scanner or a malformed HTTP request on their servers. We barely ignore them too.

In any other cases, we care about it. Anyway, at least in Italy, ISP cannot do too much and responsabilitiy is up to the final user.

I seem to recall someone I knew who relied on them for sinkholing malware. He'd basically reverse engineer the command and control, write his own version, report the domain (usually some gibberish like kfgrgerrkritptjfnfkdnfffkergb.com), buy it as soon as it went on the market, and then take over the botnet associated with it to disable the thing and report it to affected companies. Pretty sure his company doing this got bought out by looking glass. Looking that technique up it seems Kaspersky did some of this too at one point: https://www.kaspersky.com/about/press-releases/2012_how-kasp...

I'm not entirely sure how effective or relevant this kind of method is these days but I wouldn't be surprised if it was something you could still pull off now.

Damn, that's badass, thanks for sharing this story.

In hindsight it seems like an obvious good approach, but in reality this is such a clever idea to hijack via poisoning the system. I wouldn't have thought to try this. I dig!

I worked at a registry when Conficker and co were big... you'd be amazed the amount of domain names we'd have to reserve every year to stay ahead of it. And that was just for the few tlds we ran.
The best response is to rate limit nuisance traffic to 1kbps, and setup fail2ban firewall rules to trip a ban on scans/bot-blind-probes.

In general, abuse reports are often useful for kicking users from services involved in illegal activities.

  If you don't get a response, than black-hole the entire IP blocks and their routes. i.e. play possum, and they will eventually get bored enough to find a softer target.  The other users are collateral damage, but if they aren't a customer... than who gives a toss.  =)
https://www.youtube.com/watch?v=aCbfMkh940Q
I have received reports via these channels that were extremely helpful. Once, an unconfigured OpenStack instance with default stack/stack password was sitting on a desktop in a corner and plugged into the wrong ethernet port and was publicly routable. It was compromised (possibly automatically) in short order and we only found out about it because of a kind whois abuse report.
YMMV. Anecdotally probably not. Investing time in filtering the noise is likely a better use of your time.

Below is a pro forma response from namesilo.com when I recently bothered to report an sms scam for a domain that was registered with them. Their ToS explicitly calls out illegal uses, which this was one, but they don't seem to really care enough about it.

===

ToS:

You represent and warrant that the statements in your application are true and that no Services are being procured for any unlawful purpose, including but not limited to the infringement of any intellectual property right, the unauthorized transfer to yourself or any other party of any domain name or Services, or the violation of any laws, rules, or regulations (the"Illegal Uses"). Providing inaccurate information and willful failure to update information within seven (7) days of any change, or failure to respond for over fifteen (15) days to inquiries concerning the accuracy of contact details associated with your registration, failing to immediately update information or engaging in any Illegal Uses will constitute an incurable material breach of this Agreement.

===

Hi,

Thank you for reporting this issue.

Please note we are only the domain name registrar and cannot validate or control the content posted on the site.

If you or your client are the holder of a trademark that you feel is being infringed upon via a domain name registered with us, you are advised to consider a UDRP dispute.

We will comply as required by ICANN rules upon the commencement of a UDRP dispute.

Main UDRP Bodies: National Arbitration Forum - adrforum.com. World Intellectual Property Organization (WIPO) - wipo.int *Asian Domain Dispute Resolution Centre (ADR) - adndrc.org

Czech Arbitration Court (CAC) - adr.eu

Resolution Canada - resolutioncanada.ca

If you are a copyright holder and believe your rights are being infringed, we recommend you file a DMCA complaint with the hosting provider of the associated web site. https://www.whoishostingthis.com/resources/dmca/

If you want to report a phishing case, please follow these steps: To create a case: 1) Visit new(.)namesilo(.)com/phishing_report(.)php 2) Fill in a the domain URL 3) Complete required information and click Continue. To report SPAM/SCAM please contact the hosting provider: This can be done by the hosting company of the website, which you can look up on this website: https://www.whoishostingthis.com/ Once you know the hosting provider, please look up their company information and contact them with the case. To report SPAM/SCAM please contact the hosting provider: This can be done by the hosting company of the website, which you can look up on this website: https://www.whoishostingthis.com/ Once you know the hosting provider, please look up their company information and contact them with the case.

You can also use the following pages to report the website: Malware: https://safebrowsing.google.com/safebrowsing/report_badware/ Scam and Fraud: https://secure.nclforms.org/nficweb/OnlineComplaintForm.aspx

Whois inaccuracy you may report here: https://forms.icann.org/en/resources/compliance/complaints/w... You may also discuss the case with your local law enforcement officer to seek help.

To limit the numb...