[anti-abuse-wg] Abuse Report ignored. What to do as next?
- Previous message (by thread): [anti-abuse-wg] Abuse Report ignored. What to do as next?
- Next message (by thread): [anti-abuse-wg] Open consultation invitation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
U.Mutlu
security at mutluit.com
Thu Nov 2 11:53:18 CET 2023
Just to give a feedback: Yesterday I had complained about the said IP
80.94.95.181 also to RIPE NCC via their WebMail contact page, which went
to support at ripe.net and opened a ticket:
https://www.ripe.net/contact-form

Luckily the worst hacking attempts originating from these IPs finally
have stopped since today morning at around 08:25:
80.94.95.181
45.129.14.106

They tried for many weeks. They both belong to the same said company and
have the same abuse contact:
% Abuse contact for '80.94.95.0 - 80.94.95.255' is 'internethosting-ltd at yandex.ru'
% Abuse contact for '45.129.14.0 - 45.129.14.255' is 'internethosting-ltd at yandex.ru'

Currently the other mass hacking attacks are coming from the following
IPs, but an Abuse Report has not been filed yet, still monitoring &
collecting evidence:
141.98.11.68
141.98.11.82
185.162.235.225

U.Mutlu wrote on 11/01/23 19:44:
> Thank you for your interesting analysis.
>
> Is then RIPE not a "partner in crime" for such criminal companies?
> B/c it seems RIPE does not take any action against such evidently
> criminal members abusing the network and the other members and users.
> RIPE just says this ( https://www.ripe.net/support/abuse ):
> "
> ...
> At the RIPE NCC, we allocate blocks of IP addresses to ISPs and
> other organisations, but we have no involvement in how these
> addresses are used by their users.
> ...
> However, we can help you find out who is abusing your network
> by providing you with the relevant network operator contact details.
> Our role is to ensure that all abuse contacts are valid and
> up-to-date in the RIPE Database. From there, it is the
> responsibility of the network operator to handle your abuse report.
> There is nothing we can do if a network operator chooses not to reply.
> ...
> "
>
> IMO, RIPE very well can do some more, and needs to do some more...
>
>
>
> Natale Maria Bianchi wrote on 11/01/23 19:06:
>> On Wed, Nov 01, 2023 at 01:55:42PM +0100, John Levine wrote:
>>> It appears that Ángel Gonzalez Berdasco via anti-abuse-wg
>>> <angel.gonzalez at incibe.es> said:
>>>>> Just block their network 80.94.95.0/24 and forget about it.
>>>
>>>> organisation: ORG-BA1515-RIPE
>>>> org-name: BtHoster LTD
>>>> country: GB
>>>> org-type: OTHER
>>>> address: 26, New Kent Road, London, SE1 6TJ, UNITED KINGDOM
>>>
>>> If you look at that address on Google Street View, you will see a late
>>> 2022 picture of a construction site.
>>>
>>> Unless you care enough to contact their transit providers and try
>>> and get them disconnected, I wouldn't waste more time on it.
>>
>> BtHoster is indeed a well known bulletproof hoster, and nothing good can be
>> expected also from the other two blocks announced by AS204428, 87.246.7.0/24
>> and 212.70.149.0/24 (4media.bg/4vendeta.com, who also have much cleaner
>> ranges directly behind their own AS50360). BtHoster also has AS198465,
>> today announcing 45.129.14.0/24 and 77.90.185.0/24.
>>
>> Sending abuse reports to these places is - how to say? - a bit naive.
>> Abuse is their core business. You can see for instance BtHoster's ad in
>> https://bitcointalk.org/index.php?topic=5407833.0 :
>>
>> RDP FOR SCAN/BRUTE - PRICE 10 $ /MONTH
>> WHM FOR PISHING WITH UNLIMITED DOMAIN LICENSE -PRICE 130 $ /MONTH
>> RESELLER FOR RDP WITH PANEL -PRICE 150 $ + IP /MONTH
>> SERVER FOR SCAN/BRUTE 32 GB RAM -PRICE 130 $ /MONTH
>>
>> So the "ignoring" is fully expected, it is a feature of their hosting offer.
>> The best action is to completely prevent their packets from entering your
>> networks through protection at the network edge. This is precisely what our
>> DROP/EDROP/ASN-DROP free datasets are for: block all packets on the edge router.
>>
>> Of course, like it or not, the people behind this are members of this
>> community, read these lists, make posts, etc, and of course they would not
>> be connected to the Internet if there weren't facilitating ISPs between them
>> and backbones - in this case the operators of AS47890, AS202425 and the
>> abovementioned AS50360. These are also part of the abuse ecosystem.
>>
>> The two-layered approach is essential for the stability of their connectivity -
>> otherwise the backbones would just cut them off. When pressure from backbones
>> becomes excessive and the intermediary is forced to disconnect them, they change
>> intermediary or they create a new company, get a new ASN and move the operation
>> so that reputation restarts from zero. These patterns are very established, and
>> cause a considerable ASN turnaround. RIPE NCC apparently noted a high number of
>> ASNs being abandoned
>> [https://www.ripe.net/ripe/mail/archives/address-policy-wg/2023-June/013757.html]
>> but does not seem to note the relation with abuse that should explain a
>> fraction of them.
>>
>> Natale M Bianchi
>> Spamhaus Project
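The two practical steps in this thread, checking which ranges share one abuse contact (the two '% Abuse contact for ...' lines in the top message) and dropping listed prefixes at the network edge instead of mailing the abuse desk (the DROP/EDROP advice in the Spamhaus reply), as an added Python example. It is not part of the thread, not Spamhaus tooling, and not any poster's code. The DROP text and whois lines it parses are constructed samples that follow the published line formats but are not copies of the real feed or of live whois output; the nftables table, set and chain names are assumed.

```python
"""Edge-blocking and abuse-contact helper (added example, not from the thread)."""
from __future__ import annotations

import ipaddress
import re

# Constructed sample in the Spamhaus DROP text format: one "CIDR ; SBLref" per
# line, lines starting with ';' are comments. Entries are illustrative, built
# from prefixes named in the thread; this is NOT a copy of the real feed.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not the real dataset)
; Last-Modified: Thu, 02 Nov 2023 00:00:00 GMT
80.94.95.0/24 ; SBL000001
45.129.14.0/24 ; SBL000002
87.246.7.0/24 ; SBL000003
212.70.149.0/24 ; SBL000004
77.90.185.0/24 ; SBL000005
not-a-prefix ; SBL000006
"""

# Constructed sample of the '% Abuse contact for ...' lines RIPE whois prints
# (the list archive rewrites '@' as ' at '; real whois output uses '@').
SAMPLE_WHOIS = """\
% Abuse contact for '80.94.95.0 - 80.94.95.255' is 'internethosting-ltd@yandex.ru'
% Abuse contact for '45.129.14.0 - 45.129.14.255' is 'internethosting-ltd@yandex.ru'
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@example.net'
"""

# Source addresses named in the thread, plus one control address from the
# RFC 5737 documentation range that must not match anything.
OBSERVED_SOURCES = [
    "80.94.95.181", "45.129.14.106",
    "141.98.11.68", "141.98.11.82", "185.162.235.225",
    "192.0.2.10",
]


def parse_drop(text: str) -> dict:
    """Parse DROP/EDROP text into {network: SBL reference}.

    A malformed data line is skipped rather than aborting the load: one bad
    line in a feed update must not leave the edge without the whole list.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue
        entries[net] = ref.strip()
    return entries


ABUSE_RE = re.compile(r"^%\s*Abuse contact for '([^']+)' is '([^']+)'")


def abuse_contacts(whois_text: str) -> dict:
    """Map abuse mailbox -> networks covering the whois ranges it handles.

    Shows at a glance that separately allocated ranges land at one abuse
    handler, as the two /24s in the thread do.
    """
    by_contact = {}
    for line in whois_text.splitlines():
        m = ABUSE_RE.match(line.strip())
        if not m:
            continue
        rng, contact = m.group(1), m.group(2)
        first, _, last = (p.strip() for p in rng.partition("-"))
        nets = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        by_contact.setdefault(contact, []).extend(nets)
    return by_contact


def match_sources(ips, drop: dict) -> dict:
    """Return {ip: (network, SBL reference)} for sources covered by the list."""
    hits = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for net, ref in drop.items():
            if addr in net:          # False when address/network versions differ
                hits[ip] = (net, ref)
                break
    return hits


def nft_ruleset(drop: dict, table: str = "edge") -> str:
    """Render an nftables ruleset dropping all traffic from listed IPv4 prefixes.

    An interval set matches whole prefixes; hooking prerouting at priority -300
    discards the packets before any later chain sees them. Load: nft -f edge.nft
    """
    elems = ", ".join(str(n) for n in sorted(n for n in drop if n.version == 4))
    return (
        f"table inet {table} {{\n"
        f"    set drop_v4 {{\n"
        f"        type ipv4_addr\n"
        f"        flags interval\n"
        f"        elements = {{ {elems} }}\n"
        f"    }}\n"
        f"    chain ingress {{\n"
        f"        type filter hook prerouting priority -300; policy accept;\n"
        f"        ip saddr @drop_v4 counter drop\n"
        f"    }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    for ip, (net, ref) in match_sources(OBSERVED_SOURCES, drop).items():
        print(f"{ip:16} listed in {net} ({ref})")
    for contact, nets in abuse_contacts(SAMPLE_WHOIS).items():
        print(f"{contact}: {', '.join(map(str, nets))}")
    print(nft_ruleset(drop))
```

With the constructed sample, only 80.94.95.181 and 45.129.14.106 are covered by the list; the 141.98.11.x and 185.162.235.225 sources are not, matching the thread's note that no report has been filed for them yet. In production, fetch the real DROP/EDROP files on their published refresh schedule, keep the IPv6 list in a second set, and reload the set atomically rather than flushing the table.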