Why VPS is part of the problem and not the solution:
What? My VPS (Virtual Private Server hosting provider) and web hosting provider is an IT loser? What’s that even mean you angry angry person?!
What we mean by this is more general than specific but yeah, they are! Take the typical hosting companies I like to beat up on:
- EIG properties BlueHost and HostGator (and many more)
- …there are more but those are at the top of my mind.
There are probably now billions of attacks going on all the time on the Internet every day. It’s like you’re a little homesteader in the wild wild west on a busy trail and at random people will shoot into your house, they’ll lob arrows, maybe they throw a Molotov cocktail or just yell HEY YOU! All…day…long, 24 hours per day, 7 days per week, 365 days per year. That little homestead is your server, your network or maybe your website.
On our infrastructure our honey pot is the bot that watches for the drive-bys (the arrow lobbers and Molotov cocktail throwers or the idiot screamers). When the honey pot bot sees an unsolicited knocker they’re added to the block list, and often I’ll report the serious abusers to their ISPs or hosting providers. I don’t see much difference between an ISP and a hosting provider like the VPS companies because they’re “serving” Internet to your server, much like the ISP at your home or your office that is “serving” Internet to you at those locations. The VPS serves Internet to those little homesteads.
The way it works then when I contact the ISPs and the hosting providers goes like this:
- Hey ISP and hosting provider, this host at IP address 188.8.131.52 is spamming or brute forcing and here’s the log file evidence or at least the email alert with partial information on it for you.
- If their email box isn’t full I may or may not get a reply. Sometimes it’s automated, and sometimes the ISP or hosting provider asks me for more information.
This is where I get mad and call them IT losers, swear at them, rip their head off and call them do-nothings! Why? Because at this point I’M DOING THEIR JOB FOR THEM!!!
Most of those VPS companies don’t have access to the customer VPS. They claim that because of this they have to tell the customer there’s a problem, and that’s when I get push back from the VPS and hosting companies (particularly from Linode these days [Uber IT Losers, and I’ve told them this in not so kind words]). The ultimate problem for these VPSs is that they’re practically giving away easy-to-set-up servers for near zero dollars. Those servers are leveraged and exploited by malicious people, and when they’re reported the VPS doesn’t do anything or pushes back, asking you to bend over backwards with evidence when it should be good enough that I lifted a finger at all and sent them an email with some evidence! The mere fact that I reached out to them should be a clue! The hilarious thing is that the VPSs I’ve had back and forths with (in particular, again, Linode, who I verbally abuse violently for effect) say they’re passionate about security, they have very talented people on their security team, blah blah blah blah – BLAH! Not true!
If they were so talented then why are they looking to me for “evidence”…they always seem to want more. Why? Because all they do is chop out my evidence and pass it along to their customer. They’re nothing more than middle men who appear to their customer like their VPS is on top of things when it’s really folks like me who are reporting the VPS’s hacked infrastructure. The VPS security team takes my hard work (logs, evidence, etc) only to steal it and pass it off to the customer as though it’s theirs. They’re passionate about us doing their work for them! They won’t say it like that but that’s what it’s all about on a VPS security team. No lie…yes reporter of nefarious activity on our network, please…send me your complaint so I can cut and paste the good parts of evidence and give it to our customers.
Quite frankly, that’s NOT a security team, that’s a middle man telephone game you’re playing.
The solution for the IT loser VPSs is to give their support team the tools to manipulate their networking infrastructure WITHOUT touching the VPS. For example, if I report a brute force attack from IP address 184.108.40.206 from your network on port 22, how about throttling that IP address’s (220.127.116.11) outbound TCP connections per minute to 5? That way they will be throttled and the abuse mitigated while you send your copy and paste email from me to your customer. Let’s assume for a minute your IP address is hosting malware via a web site on IP address 18.104.22.168. How about you throttle inbound TCP on port 80 until you can send the copy and paste email from me to your customer?
Here’s another idea…how about you MONITOR (which they don’t do, they say but don’t do) what each host typically consumes on all protocols in and out. THEN…if there’s a spike, say on outbound FTP because some malware on a hacked server is trying to FTP itself and spread around on the Internet, you’d see a spike out of the normal range from that host and you’d look at my report of a brute force FTP attack to my infrastructure and say…yeah, you know what…he’s right! We see an unusual amount of FTP traffic from IP address 22.214.171.124. Let’s throttle that TCP outbound connection on port 21 and notify our customer.
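An added example, not code from this post or from any provider: a sketch of the baseline check and throttle decision described in the two paragraphs above. The per-minute counts, the 192.0.2.x documentation addresses, the median-plus-MAD threshold and all function names are assumptions made for illustration; only the 5-per-minute limit comes from the post.

```python
from statistics import median

THROTTLE_PER_MIN = 5  # the per-minute connection limit proposed in the post

# Constructed sample data: outbound TCP connections per minute, keyed by
# (customer host, destination port). 192.0.2.0/24 is a documentation range.
HISTORY = {
    ("192.0.2.10", 21): [0, 1, 0, 2, 1, 0, 1, 1],
    ("192.0.2.10", 443): [40, 38, 45, 42, 39, 41, 44, 40],
    ("192.0.2.77", 22): [1, 0, 0, 1, 2, 0, 1, 0],
    ("192.0.2.77", 25): [0, 0, 1, 0, 0, 0, 1, 0],
}
CURRENT = {("192.0.2.10", 21): 180, ("192.0.2.10", 443): 47,
           ("192.0.2.77", 22): 3, ("192.0.2.77", 25): 300}
REPORTS = [{"src": "192.0.2.10", "port": 21, "kind": "ftp brute force"}]


def is_spike(history, now, k=6.0, floor=10):
    """Robust outlier test: median + k * MAD, with a floor so quiet hosts don't flap."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid a zero-width band
    return now > max(floor, med + k * mad)


def triage(history, current, reports):
    """Throttle actions for reported flows that the provider's own baseline confirms."""
    actions = []
    for r in reports:
        key = (r["src"], r["port"])
        if key in current and is_spike(history.get(key, [0]), current[key]):
            actions.append({"host": r["src"], "direction": "outbound", "proto": "tcp",
                            "dst_port": r["port"], "limit_per_min": THROTTLE_PER_MIN,
                            "observed": current[key], "notify_customer": True})
    return actions


def unreported_spikes(history, current, reports):
    """The proactive half: spikes nobody has sent an abuse report about yet."""
    reported = {(r["src"], r["port"]) for r in reports}
    return sorted(key for key, now in current.items()
                  if key not in reported and is_spike(history.get(key, [0]), now))
```

The action records are meant to be handed to whatever rate limiter sits on the provider's network edge, so the customer's VPS is never touched.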
That’s the solution! Unfortunately hosting companies like Linode are greedy; they don’t want to make their customers mad even if they’re hacked or malicious themselves because they’re making money from those criminals. In fact, companies like OVH and Linode are the problem. OVH had a big media campaign as though they were doing something about the problem on their infrastructure. They have 24/7 abuse watchers. Well, OVH is MORE embarrassing than Linode. At least Linode doesn’t pretend to be doing something about the problem; they’re happy letting me do their work for them, but OVH is a special kind of derp.
Here’s their abuse page at OVH: Link
“As part of our fight against Abuse, OVH has set up an international team of experts who respond daily to reports of abuse on behalf of the whole group. This team, which is based in France and Canada, deals everyday with all reports of illegal conduct on the OVH network, and they aim to do so in the shortest possible time. To facilitate our work, and due to the international nature of our team, we ask that you provide your reports in English so that they can be understood and dealt with effectively by our team.”
As part of their fight…what’s the other part? They’ve set up an “international team of experts”. Notice what they do…they deal “…with all REPORTS…”. The REPORTS, more of the same…they just pass the information I give them to their customers just like Linode. They don’t ACTUALLY DO ANYTHING!
OVH hosts LOTS of malware and it’s no surprise they have bandwidth problems. Nobody there actively monitors their host protocol averages.
The real solution then is to monitor, monitor, monitor, use abuse reports BUT try to be proactive when a server gets out of line, and give your staff the tools they need to actually make a difference. Your customers, if they’re legitimate, will understand AND they’ll be thankful you mitigated the issues on their behalf. You don’t need access to the server to squelch issues.
If you need assistance with securing your Internet facing server, VPS or internal corporate network look to EITS! We understand how engineering solutions get done and have the consortium of experts to transform your infrastructure into a more secure place.
Comments or questions are welcome.