Ask HN: Are Whois Abuse Reports Useful?
Is it worth the time and effort to email the Whois abuse contacts when an IP is probing a web server? I see a lot of probes from IPs assigned to US companies such as Microsoft, Amazon and Google. They fill up my access logs with noise that costs money to store and takes time to deal with.
Is it worth my time to email these abuse contacts and ask them to stop? Should I just ignore it? Should I block the IPs?
Thanks for any advice.
43 comments
[ 5.2 ms ] story [ 95.9 ms ] threadNot likely. Unless there is evidence captured proving someone hacked your machine and did damage, the reports to the domain owner will be ignored or never seen. Reports to the ISP will be ignored. Or worse, they wont be ignored and the ISP just pits you against the compromised server owner who will be in denial and/or won't know what to do.
I find it best to just set environment variables and ACL's to just ignore the attacks. Maybe send them to a dummy page served entirely from RAM or a ram disk and set logging to /dev/null. I would not even bother blocking them. The C&C nodes will detect an edge node can't reach you and will just try at some point from another compromised host. I'd just give them a lightweight error served from ram to reduce disk IO and bandwidth.
If you are bored, something fun to do is make pages that cause the bot to go into recursion loops on your site with dummy pages that have keywords like "Wordpress, cpanel, admin" and that link to each other ...etc. A clever error page can do this in a single page but make it look like infinite pages via relative links.
If the probes are to SSH then just use SSH keys and disable password authentication. Let them probe away. If it's really annoying then firewall restrict SSH to your ISP's CIDR blocks to reduce the noise, and/or move SSH to a high port to reduce noise not for security. If that is not enough I can suggest something that will make your SSH invisible to 90%+ of the bots without moving to a high port.
Be sure to run the tcpdump example in that thread for a while and open a second terminal to see your own SYN MSS size from both your workstation and from your phone if using a phone to SSH.
[1] - https://news.ycombinator.com/item?id=33129508
Port Scans? Not worth the time.
My service happens to be fronted by nginx, so over time I accumulate config to match these and drop connections and drop from the logs entirely:
(444 is a nonstandard error code that tells nginx to just close the connection, don't respond at all; if you want to be more mischievous you could return 301 "https://nsa.gov")Log analyser tools will exclude them from reports.
It's only worth reporting abuse if there's something the ISP might do about it. Report a hacked server hosting malware etc. Don't bother for this.
Scanners gonna scan, etc.
If you send an abuse report for these and it's processed, the user is going to tell the ISP, yeah, I'm running a vulnerability scan as a public service, and the scans are going to continue.
You can put rules like someone said or you can ignore it.
Most types of scanning also violate the terms of service for almost all ISPs so even if the owner does claim it's a public service there's a decent chance they'll be shut off. If the scanner is brute-forcing or trying to exploit known vulnerabilities, for example.
I know a lot of people will find this to be wishful thinking. I've run security for some fairly large businesses and reported more than my share of compromised hosts. Obviously we don't report every scanner because it's time consuming and the cost/benefit isn't there, but the percentage of companies that respond is far more than zero.
I would say though, that you're less likely to get a response from a Whois contact for the IP than from a domain contact or a contact listed on the primary website of the domain owner. Whois contacts get so much spam they often go un-monitored.
They are addressing it, though, and I believe there is a place for public comments.
Sure, maybe phishing and botnets are bad. (Just like maybe daily stormer, kiwifarms and reddit are bad). They're still all perfectly ordinary DNS users, they're not "abusing" DNS.
A botnet using botnet.com to find the IP address of the C&C server is no different than everyone else using google.com to find the IP address of the search engine.
Unlike the name suggests, this has nothing to do with actual abuse of the domain name system.
> costs money to store and takes time to deal with
Are you storing requests long term? With sampling and a rolling window of history it shouldn't really affect you. I would spend my time optimizing that part than dealing with abuse forms.
Obviously not worth your time, unless your time is worth nothing, because that's exactly what you get in return. You will never receive any benefit whatsoever from emailing those abuse contacts.
You should just ignore it, even blocking the IPs isn't worth the effort.
>They fill up my access logs with noise that costs money to store and takes time to deal with.
If your access logs cost meaningful amounts of money to store, you should address that issue.
Storage costs something like $15 per TB, and you can safely assume around 6 years life expectancy. That's around $2.5 per year per terabyte of logs.
There's no way this abusive traffic is costing you even a dollar in log storage unless you're doing something utterly stupid.
I disagree. That’s like saying theres no point donating $5 to charity because it’s not enough to fund research.
The point is that if everyone reports the abusers, there will be fewer abusers in total, which directly impacts the amount of abuse you see on your end.
Their point is that such things usually don’t work. In the same way that consumer recycling doesn’t affect climate change (or other laudable goal), everyone tomorrow could email about a specific IP, and it’s a tossup whether it’ll change that one IP, let alone the others.
It’s not true! Any IP address you see in your logs has almost certainly already had a ton of automated abuse reports sent about it.
I have never, ever received a return message from an abuse@ address, except the automated no-reply.
About half the probes and brute-force attacks I get are from commercial VPS companies (looking at you, Digital Ocean). Send an abuse report to DO, I dare you. It’s a comical array of “your response will be ignored unless you use our abuse API”, which... is also ignored.
Edit: vpn -> vps
I have two stories I can only tell on this anonymous account. First as a kid I was nmap scanning carelessly from my boyhood room, trying to learn. Got a letter home a few days later with a warning from my ISP and a little booklet about "netiquette". Class acts in the 90s.
And fast forward to just 8 or so years ago at my current job I decide to host a service that got abuse complaints on company servers and IPs. My boss asks me if I know what's running on this VM with this IP and I had to fess up that it was me trying to use free resources.
Both cases stem from an abuse report where the reporter only had the IP to report on.
And actually now that I think about it, running Tor exit nodes at Linode they regularly contacted me due to abuse reports and we had to resolve them together.
So yes abuse emails should work, but of course there will be exceptions.
Abuse emails can be useful to the recipient.
Abuse emails do not benefit the sender in any way, there is no return on investment. It's just particularly unimpactful charity work.
But on second thought I must agree that it's probably the other way around, that people listening to abuse reports are the exception rather than the norm. I might have had some good experiences because I dealt with major ISPs in northern europe who are sticklers for the rules and processes.
How is that a return? What genuine benefit can you draw from stopping one of the thousands of internet-wide scans from stopping your server?
I forwarded the message with a brief explanation to their abuse address.
The server responded saying "this server does not accept forwarded mail".
I told them about it on Twitter instead.
"Please DM us a screenshot."
A screenshot? That won't do much good. I included the headers too showing the provenance.
"Please forward it to our abuse address".
At this point I just laughed and stopped.
I've seen abuse complaints to the abuse contacts of the RIRs (that, in the end, are in the top of the chain of "owners" of those IP blocks) or intermediate owners that lease those ranges or distribute them among their clients. Sending to the wrong targets (specially, in an automated way, there are scripts that does that) will end you getting ignored, and the reports of the IPs that they actually use may get lost because the noise.
And besides that, there are different ways to use those addresses, and the owner of them may not know, or could not have policies to deal with them.
What you do with residential IPs? Will you block/penalize your users if somehow their connection was used to launch an attack? Even if they are not aware of that happened? Different ISPs in different countries could have different policies.
What about big hosting companies? There are more shades of grey there, specially when those outbound IP addresses could be used by several clients. For entire servers to vulnerable web applications in shared servers to ways to dynamic launching workloads with IPs from common pools, is not trivial.
But it should matter for small enough companies, where that activity was launched by their own administered servers, because exploited vulnerabilities or rogue employees. Or companies that take some action because internal or clients hostile activity.
Anyway, besides complaining to abuse reports, you have more ways of action. You can block IPs or IP blocks (if connections are coming from an ISP, country or hosting company where you not expect to get actual users for your service. You can use fail2ban or some WAF to block those IPs as soon as some known attack pattern is detected. Or you can use them to monitor your infrastructure, in the sense that if some of those attempts for an URL get a 200 status code or something like that launch an alert.
Also, using RDAP (https://en.wikipedia.org/wiki/Registration_Data_Access_Proto...) should be better than using whois.
In any other cases, we care about it. Anyway, at least in Italy, ISP cannot do too much and responsabilitiy is up to the final user.
I'm not entirely sure how effective or relevant this kind of method is these days but I wouldn't be surprised if it was something you could still pull off now.
In hindsight it seems like an obvious good approach, but in reality this is such a clever idea to hijack via poisoning the system. I wouldn't have thought to try this. I dig!
In general, abuse reports are often useful for kicking users from services involved in illegal activities.
https://www.youtube.com/watch?v=aCbfMkh940QBelow is a pro forma response from namesilo.com when I recently bothered to report an sms scam for a domain that was registered with them. Their ToS explicitly calls out illegal uses, which this was one, but they don't seem to really care enough about it.
===
ToS:
You represent and warrant that the statements in your application are true and that no Services are being procured for any unlawful purpose, including but not limited to the infringement of any intellectual property right, the unauthorized transfer to yourself or any other party of any domain name or Services, or the violation of any laws, rules, or regulations (the"Illegal Uses"). Providing inaccurate information and willful failure to update information within seven (7) days of any change, or failure to respond for over fifteen (15) days to inquiries concerning the accuracy of contact details associated with your registration, failing to immediately update information or engaging in any Illegal Uses will constitute an incurable material breach of this Agreement.
===
Hi,
Thank you for reporting this issue.
Please note we are only the domain name registrar and cannot validate or control the content posted on the site.
If you or your client are the holder of a trademark that you feel is being infringed upon via a domain name registered with us, you are advised to consider a UDRP dispute.
We will comply as required by ICANN rules upon the commencement of a UDRP dispute.
Main UDRP Bodies: National Arbitration Forum - adrforum.com. World Intellectual Property Organization (WIPO) - wipo.int *Asian Domain Dispute Resolution Centre (ADR) - adndrc.org
Czech Arbitration Court (CAC) - adr.eu
Resolution Canada - resolutioncanada.ca
If you are a copyright holder and believe your rights are being infringed, we recommend you file a DMCA complaint with the hosting provider of the associated web site. https://www.whoishostingthis.com/resources/dmca/
If you want to report a phishing case, please follow these steps: To create a case: 1) Visit new(.)namesilo(.)com/phishing_report(.)php 2) Fill in a the domain URL 3) Complete required information and click Continue. To report SPAM/SCAM please contact the hosting provider: This can be done by the hosting company of the website, which you can look up on this website: https://www.whoishostingthis.com/ Once you know the hosting provider, please look up their company information and contact them with the case. To report SPAM/SCAM please contact the hosting provider: This can be done by the hosting company of the website, which you can look up on this website: https://www.whoishostingthis.com/ Once you know the hosting provider, please look up their company information and contact them with the case.
You can also use the following pages to report the website: Malware: https://safebrowsing.google.com/safebrowsing/report_badware/ Scam and Fraud: https://secure.nclforms.org/nficweb/OnlineComplaintForm.aspx
Whois inaccuracy you may report here: https://forms.icann.org/en/resources/compliance/complaints/w... You may also discuss the case with your local law enforcement officer to seek help.
To limit the numb...