Here’s a reason the hackers are winning:
Reason #2: Lazy, good-for-nothing ISP / hosting company security teams & poor practices (#ISPidiots).
We operate our own RBL, a Realtime Block List (although…most people like to call it a blacklist or a black-hole list; we don’t use that term, and who cares anyway?). Our RBL parses access log files for derpy loser hackers trying to compromise systems. You know who more often than not lands on our list?
Amazon AWS…oh wait, did I mention GoDaddy?
The problem here is that most people, companies, enterprises, etc. just BLOCK this activity. WordFence, a WordPress-based firewall whose company blog I subscribe to and enjoy reading, quite often sends out great information about the latest WordPress attacks. These guys / gals sit there, see inbound threats and just report on it…THEY DON’T CONTACT THE ISPs generally; they just let it happen and continue watching it happen.
That’s problem #2…do-nothing ISPs, do-nothing security companies and do-nothing monitoring companies who see this traffic but do nothing about it. In WordFence’s defense there have been occasions when they’ve struck back…in fairness they’re pretty good, BUT I don’t think they’re as proactive as I am.
You can usually report abuse to an abuse email…ICANN requires you to have a technical contact for Internet resources like web addresses and IP addresses. Most companies have an abuse@ email address that shows up when you do a “whois” lookup. A whois lookup allows you to see who’s responsible for a domain name or an IP address.
We’ll pick on GoDaddy here for a moment. When you look up a GoDaddy IP address:
whois -h whois.arin.net 18.104.22.168
Here we’re using “whois” with the -h flag to ask a specific server, “whois.arin.net”, for information on 22.214.171.124…GoDaddy’s IP address for GoDaddy.com. Two of the lines that come back are:
OrgAbuseName: Abuse Department
OrgAbuseEmail: abuse [at] godaddy.com
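As an added example (not the author’s RBL code or anything from GoDaddy), here is a Python sketch of the two steps described above: counting brute-force POSTs to WordPress login endpoints per source IP from access log lines, then pulling the abuse contact out of whois output like the OrgAbuse fields shown. The log lines, the whois answer and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed for the example; the field names are ARIN’s (OrgAbuse*) and RIPE/APNIC’s (abuse-mailbox).

```python
import re
from collections import Counter

# Constructed Apache-combined log lines; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed whois answer in the key: value layout ARIN returns, for the 192.0.2.0/24 range.
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Hosting Co
OrgAbuseName:   Abuse Department
OrgAbuseEmail:  abuse@example.net
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*"')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}   # endpoints WordPress brute-forcers hammer

def brute_force_candidates(log_text, threshold=3):
    """Count POSTs to WordPress login endpoints per source IP; keep IPs at or over threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3) in LOGIN_PATHS:
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def abuse_contacts(whois_text):
    """Pull abuse contact fields from whois output (ARIN OrgAbuse*; RIPE/APNIC abuse-mailbox)."""
    wanted = re.compile(r'^(NetRange|OrgName|OrgAbuseName|OrgAbuseEmail|abuse-mailbox):\s*(.+?)\s*$')
    found = {}
    for line in whois_text.splitlines():
        m = wanted.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def abuse_report(log_text, whois_text, threshold=3):
    """Return one report entry per offending IP, addressed to the abuse contact whois names."""
    contact = abuse_contacts(whois_text)
    to = contact.get("OrgAbuseEmail") or contact.get("abuse-mailbox") or "postmaster (no abuse contact listed)"
    return {ip: {"to": to, "evidence": f"{n} POSTs to WordPress login endpoints"}
            for ip, n in brute_force_candidates(log_text, threshold).items()}
```

In real use the whois text comes from running the whois command shown above against the offending IP, one lookup per network, since each range has its own abuse contact.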
Great…so if I see some abuse (and I do) coming from GoDaddy I can email their abuse department and have them take care of it right?
Not so fast:
Not so fast there, little buckaroo! When you email that address you get an auto-responder saying this:
As we continue to improve how we respond to internet abuse, you can really help us out by following these guidelines when you send us reports:
Include the domain and full path in the body of your email so we can properly process it.
Only send one report per domain to the correct email address (see below).
Multiple reports, and reports sent to the wrong email address, result in slower response times.
Do not alter the URL — if you received malware, phishing, or spam via email, please save it as a .eml attachment with full headers and attach it to your submission.
Who to contact:
…then they give you a big fat list of phishing@, copyright@, spam@, netabuse@, blah blah blah blah blah. And…isn’t it “Whom to contact” not “Who”…I’m the pot calling the kettle black here, I’m sure!
I get it, GoDaddy: you are too big, have poor security and your abuse@ email address is pounded harder than schnitzel at a German restaurant. Think for a moment…why might that be, GoDaddy? Because your security is horrible. If I didn’t block GD servers I’d have to submit abuse reports to them a dozen times a day. GD is one of the worst hacker networks on the planet next to Amazon…the two compete head to head on who has the weakest and dirtiest network online.
If you block GD at your firewall people get mad, so the size and gravity of GD on the Internet causes a problem. This is also true for Amazon and AWS…everyone seems to use it and it sucks. Too many websites are with GD, including email and other web services, so you almost can’t block GD because someone needs to access resources on those networks more often than not. It’s a catch-22. They’re dirty scumbags but you can’t block them.
GoDaddy (GD) now obscures whether or not the abuse@ address even works; they want you to send to a more specific email, and that’s a barrier to getting things done. You never hear back from them either on how it was resolved, what was going on…what caused the abuse, etc…they’re totally reactionary, waiting for the abuse to come in so they can fix it. Basically…people like me are doing THEIR JOB! That’s just not fair!
It gets worse:
It gets worse. Here are a few responses I received lately where the ISPs are basically saying…yeah, we know you and others are under attack and we’ll get to it. These are the ISPs who actually have an auto-responder. Many do not; in fact many ISPs, especially foreign ones, have abuse@ email addresses whose inboxes are full or don’t work!
“Please wait for 3 working days for any request. If you don’t receive any update within 3 working days, then call our IRINN Office.
Please reply on the same mail for any new request and don’t raise multiple tickets.
There is no need to reply to this message right now. Your ticket has been assigned an ID of [IRINN #58272].
Please include the string [IRINN #58272] in the subject line of all future correspondence about this issue. To do so, you may reply to this message.
helpdesk [ at ] irinn.in”
Seriously…? I have to wait 3 friggin days, meanwhile over that possible 72-hour period your dumb hacked host is busily abusing the Internet?! Are you kidding me?
Here’s a funny one from Quadranet:
“Your abuse report has been submitted to our Abuse Department.
*** IMPORTANT, PLEASE READ THE MESSAGE BELOW ***
Ensure that all abuse reports contain a single IP address in the body of your email. Failure to provide an IP address will cause a delay in abuse processing and multiple IP addresses may cause a delay in abuse processing.
Our typical reaction time is 72 hours. If your abuse issue isn’t handled within 96 hours please respond to this message or call us at: +1 213-614-9371 x1
You can also mail your report to our address:
530 W 6th Street Suite 901
Los Angeles, CA 90014”
What? Why would the abuse report need to have only a single IP address? What if I have multiple offenses coming from your hacked network? They go on to mention their typical response is 72 hours…72 hours!!! They must use the same company who handles abuse that irinn.in does (LULZ). What’s worse is they go on to say that after 96 hours…just call them OR write to them with a pencil and a piece of paper, seal it with a kiss and mail it to them. Are you kitten me meow?
Quadranet security is a joke…if you’re not laughing you should be…or maybe crying, you need a shoulder to cry on?
I have many more samples like this and that’s what’s sad. BlueHost & Hostgator…owned by Endurance International Group…even worse!
The hackers are winning and this is why…because they can easily stand up servers with loser VPS (Virtual Private Server) companies like Linode, for example (they went to the GoDaddy skewl of security; their entire team is a dud), who do nothing about abusive hosts trying to brute force your infrastructure for days on end. What’s worse is that companies like Linode are making money knowingly hosting hackers, so it’s a big conflict of interest. Hosting companies who host VPS say they have to contact their customer…and you wait. Forget that! Cut them off…if your customer can’t play nicely then they shouldn’t play at all. Look to see what that host is doing from the network packet side, then block that abusive outbound traffic…I doubt they know how; they’re technically unsound or very limited in what they can do. Whose fault is that? The hosting companies and ISPs, that’s who! Hackers have more power on their infrastructure than they do!
ISPs and hosting companies need to get it together, crack down and respond quicker. End of story: they need to believe the abuse report and not string incident response out for days on end. They need to maintain abuse@ email boxes that don’t fill up, that work and are monitored. They need to make it EASY to stop the abuse and not let it continue. That includes Google, Microsoft, Amazon, RackSpace, GoDaddy to name a few…the big ones are the worst, they just are…
If you need assistance securing your network reach out to us. There’s more to securing your network than just a firewall. You need to get a security stack in place from the edge to your core and we know how to make it happen.
Comments or questions are welcome.