[ANSWERED] - Abuse reports ignored?

woo · 2017-08-08 07:47:09 UTC

Hi Online team,

I keep sending abuse reports for the same three IPs every day (SIP bruteforce >200 failed logins per minute),
and every day I get the same mail back “oh we are so sorry, we had a virus”, “we have removed the offending program”…
but every morning my mailbox is full again with attack warnings from our IDS.
Who do I have to contact to finally have these offending servers shut down?
Your customers apparently do not do anything to resolve the issue, or they even run these attacks deliberately.
If this isn’t being taken care of soon, I will forward the abuse reports to your network providers to have the AS blackholed!

Regards
~woo

PierreAntoine · 2017-08-08 07:51:32 UTC

Hello,

Can you please give me an abuse number so I can check this?

We give 48 hours to customers to answer the abuse before the service gets locked, but I will check this

Thank you in advance

Best regards,
Pierre-Antoine
Online.net assistance

woo · 2017-08-08 08:04:06 UTC

Today’s ticket numbers are: A-183749 A-183750 A-183751
The abuse always gets closed with some kind of “we have fixed the problem” mail, but after an hour or two, the same IPs start sending bruteforce attacks again. Every day, for the last two weeks now.

PierreAntoine · 2017-08-08 08:18:21 UTC

After checks, we have done the necessary on the concerned servers.

The customer has been contacted.

Thank you for warning us about this

Best regards,
Pierre-Antoine
Online.net assistance

woo · 2017-08-10 07:43:36 UTC

yeah… the customer has been contacted, and the customer has sent the same “we are so sorry, we have told our user not to do this again” reply that I have seen so many times already… and after a pause of a few hours, the SIP bruteforce attacks start again.
(funny enough - the reply to the abuse report was exactly the same text for all three IPs, so I assume they are rented by the same customer…)
Tickets #183978 and #183979 today.
Either this customer is too stupid or lazy to actually fix their infected server, or they are deliberately taking part in whatever botnet is doing these attack.

PierreAntoine · 2017-08-10 08:52:03 UTC

I have forwarded your abuses to the concerned person.

Don’t hesitate to open more abuses if the answer does not suit you

Best regards,
Pierre-Antoine
Online.net assistance

gentlemon · 2017-08-10 11:29:38 UTC

so basically online.net allows / supports botnets and server abuse? lovely.

woo · 2017-08-10 11:50:16 UTC

I don’t say they allow it, but apparently even multiple complaints about the same customer don’t lead to much action.

I have now received a mail from the customer that rented the offending servers from Online.net, and it looks like they sub-rented them to someone else, who deliberately was running the attacks I saw.
Allegedly, they have been terminated. Let’s see whether things become more peaceful now.

Normally, I don’t bother much about writing abuse reports, there’s just too much noise on the internet nowadays… Fail2Ban usually takes care of that, blackholing IPs that come in at 4-5 failed login attempts… but when the bruteforce goes into the hundreds per minute, I think action needs to be taken. Unfortunately, many hosters and colo providers seem to lack good abuse handling… probably because it costs staff and doesn’t immediately lead to more sales.

PierreAntoine · 2017-08-10 12:28:30 UTC

Absolutly not!

It can happen unfortunetly, that some customers answer or lie on their answer to abuses but we make our best to contact them if that is the case

Best regards,
Pierre-Antoine
Online.net assistance

gentlemon · 2017-08-11 08:32:10 UTC

If they don’t do anything against it after so many reports, they allow / support it. Not caring is the same as allowing in this case.

If the malicious server still continues so bruteforce after x complaints, reduce bandwith to a minimum or lock down the server i.e. rescue mode. OVH is putting your server into rescue mode after some time. You should do the same.

woo · 2017-08-11 08:53:05 UTC

Tickets #184154 and #184155 today… same IPs as usual… so much for “we have terminated this customer”.

woo · 2017-09-05 07:49:13 UTC

Ticket #186612… the same IP as yesterday and most of last week, and the same IP that has been pestering me for months. How many tickets does it need for this customer to finally have his servers shut down?!

woo · 2017-09-06 07:54:57 UTC

Tickets #186951 #186952 #186953 for today… the same IPs, the same lame excuses in the replies as every day.
I am NOT going to tolerate this much longer. If you don’t terminate these servers until the end of this week, I WILL contact your uplink providers and have the whole datacenter disconnected! I am fed up with reporting the same bruteforce traffic every day again.

nahcurma · 2017-09-06 09:38:15 UTC

Would you be willing to post the IP addresses giving you problems? I’d like to see if it looks like the IP addresses Scaleway services have been giving me.

woo · 2017-09-06 12:02:33 UTC

62.210.96.3 is the worst offender, with >150 failed logins per minute,
195.154.199.155
62.210.146.182
62.210.188.203
these three are the runners-up at just below 100 failed logins per minute.
SIP bruteforce, trying to log in as extensions 100, 200, 300… with dictionary passwords.

woo · 2017-09-20 07:05:12 UTC

… and there I am going on vacation for a week, and when I come back, guess what’s in my IDS logs…
the same Online.net IPs as usual… up to 250 failed SIP logins per minute.
Tickets #188434 #188435 #188436
Why is it so hard to disconnect a customer who has been breaking the Terms of Service so many times?
Do I really need to take this to your uplink providers?!

Misteur · 2017-09-20 07:29:26 UTC

Hello,

Thank you for reporting it.

I have escalated your issue to my colleagues in charge in order to take rapid actions.
Please be assured that we take such report very seriously, but we also allow users to take care of the issue themselves first.

In your case, it seems like it didn’t work at all.

We will take the required actions.

Regards,
Mehdi Mebrouk

woo · 2017-09-20 07:53:30 UTC

It’s absolutely ok to let the users fix their issues themselves… but I’m getting the same abuse reply mails every day. “We have fixed our server, it will not happen again.” - and the next day the attacks continue. Same mails from the same customer, again and again and again. They don’t fix their servers, they just close the tickets.

If you read back in this thread, PierreAntoine already wrote this issue has been escalated, but nothing was done there either. Since I’m getting the same mails for all IPs that I report, I assume they are all owned by the same customer… and I understand that you don’t want to lose a bigger customer, but you really need to take abuse reports more seriously.

Misteur · 2017-09-20 08:12:13 UTC

I completely understand your concern, all I can say is that it has been forwarded to my colleagues and that we are now taking care of it.

It has nothing to do with the fact that someone is “protected” because he might be a “big customer”, we do not prioritize tasks that way, nor anyone is “immune”.

It seems like we made a mistake regarding your issue, and will now take a different approach.

In any case, thank you for reporting it to us and providing precise feedbacks.

Regards,
Mehdi Mebrouk

woo · 2017-09-22 11:10:07 UTC

Tickets 188815 188816 188817 for today… two of the IPs were yesterday reported to “have been fixed”… same as usual… nothing fixed, attacks continue…