ABUSE Issues
Posted by hostpolis, 03-12-2012, 12:57 PM |
Hi,
We are a VPS provider with about 500 V-Servers. Recently we've been getting abuse tickets on spam, attacks and copyright violations.
We could solve Spam by closing port 25 on switch level.
DMCA was fixed by null routing offending IPs.
Attacks! They are dynamic in response to our measures!
Last week we were receiving abuse tickets on attacks such as:
Our IP port 3389 Destination IP port 3389
Our IP port 445 Destination IP port 445
We closed 445 (inbound/outbound) and 3389 (outbound).
This week we are getting these:
Our IP port 375 Destination IP port 3389
Our IP port 983 Destination IP port 3389
Our IP port 207 Destination IP port 3389
Our IP port 918 Destination IP port 3389
Our IP port 157 Destination IP port 3389
Our IP port 377 Destination IP port 3389
Our IP port 431 Destination IP port 3389
Our IP port 969 Destination IP port 3389
Our IP port 190 Destination IP port 3389
Same thing on port 445.
I would highly appreciate any input.
|
Posted by themedia, 03-12-2012, 02:05 PM |
I don't think that what you are doing (closing ports) is an effective way to thwart abusers. The abusers are still there. You should have a security expert take a look, find the abuser accounts, and secure the vulnerabilities you have that allow them to perform these actions.
|
Posted by hostpolis, 03-12-2012, 02:19 PM |
Thanks for the input.
I have access-lists on the port and I know exactly who is causing the abuse.
The fact is, when you have your own internet connections you want to get the fewest abuse tickets, so as not to get cut off by your service provider.
So what I'm looking for is a way to mitigate. Setting policies is not sufficient.
P.S. I don't have access to all the V-Servers, and we are not willing to gain access to everything.
|
Posted by SPINIKR-RO, 03-12-2012, 02:20 PM |
It sounds like you have much larger issues if you are getting so many complaints about various things. Also, null routing clients immediately for DMCA usually is not the way to handle them.
What are these abusers doing primarily? Is this something that fraud checks will generally mitigate?
|
Posted by hostpolis, 03-12-2012, 02:35 PM |
For DMCA we've been fine for some time now after banning torrents on the network.
Spam is also resolved.
My concern is only the attacks!
P.S. What do you mean by fraud check?
|
Posted by n!ghtmare, 03-12-2012, 02:56 PM |
Why would you block ports on the switch and not terminate the specific abusers?
|
Posted by hostpolis, 03-12-2012, 02:57 PM |
You mean RDP?
|
Posted by Afterburst-Jack, 03-12-2012, 03:01 PM |
He means suspending service... no wonder you're having a hard time if you keep people after they abuse your service.
|
Posted by themedia, 03-12-2012, 03:02 PM |
No, I think he means: if the customers are repeat offenders, why don't you issue notices, and if they keep abusing, then terminate them. I know cash may be good, but if you allow them to abuse on and on, you are jeopardizing your entire business.
If they are not abusing themselves, but their servers are vulnerable, it's endangering your operations and your relationship with your hosting datacenter.
|
Posted by hostpolis, 03-12-2012, 03:10 PM |
Exactly! But at the same time I can't free up all the network ports and wait for complaints to come in!
This was when we first got our notice that we would be cut off from the internet.
I guess my question is whether anyone would have a suggestion on how to technically block offending outgoing ports.
|
Posted by Afterburst-Jack, 03-12-2012, 03:11 PM |
You've mentioned your own internet twice now. Please don't tell me you're home-hosting 500 clients..
You should focus on denying service to suspected abusers (e.g. people with 'booter' listed in the Google results for their email, people with fake details) if it is being an issue. You can choose who you do business with; while it will reduce your intake, it will limit the amount of abuse situations you have to deal with. (Just make sure you refund anyone you decide not to serve..)
Last edited by Afterburst-Jack; 03-12-2012 at 03:15 PM.
|
Posted by hostpolis, 03-12-2012, 03:18 PM |
LOL,
I'm getting too local with my 2Gbps connection. No, I'm colocated at iWeb.
The ISP I'm working with is not very tolerant of abuse tickets. With a /22 I'm getting 12~15 abuse tickets per week. They can tolerate 0, maybe 1!
|
Posted by Mastermind Networks, 03-12-2012, 03:19 PM |
Just put in place a brutal ToS when it comes to abuse and suspend the offenders for 24h the first time, then double the time for every subsequent offense. That tends to wake them up.
|
Posted by hostpolis, 03-12-2012, 03:37 PM |
Will do.
In the meantime, any suggestions for my OP?
|
Posted by themedia, 03-12-2012, 03:54 PM |
There are no offending ports, just offending PEOPLE. It's the customers' issues you need to address, not ports. If you block a port, they will find another way to abuse through other ports, and you are playing a useless cat and mouse game that will never end, and you will lose your business if you keep on thinking that blocking ports is in any way useful. The ball is in your court. Clean your house, or risk losing your business.
|
Posted by jcarney1987, 03-12-2012, 04:03 PM |
It almost sounds like somebody is tweaking their script.
|
Posted by TeamHC, 03-13-2012, 02:15 AM |
Yes, that is what you have to do. When your DC is strict about abuse, then you can also follow zero tolerance on abuse issues. Issue warnings first, then terminate if they are not willing to cooperate.
|
Posted by BA-Corey, 03-13-2012, 02:44 AM |
With a /22 and they tolerate 0 abuse tickets? Sounds like you need to work with them on this and find a different provider. There are way too many customers you can fit in a /22 with VPS.
|
Posted by Miscis, 03-13-2012, 02:56 AM |
Agreed.
You could probably also get them to change the abuse contact on the IPs to yours - it's not an unreasonable request from someone with a /22 of IP space and running a hosting provider. Or even look at getting your own IP space from ARIN.
|
Posted by TeamHC, 03-13-2012, 03:08 AM |
A /22 means it is a good amount. You can SWIP details to your companies. But still, the ISP will be the first point of contact, I believe.
|
Posted by brianoz, 03-13-2012, 06:42 PM |
You could look at changing your default VPS setup to make it harder to cause problems, for example:
Local firewall rules, eg CSF pre-installed and pre-configured.
Write articles on how to avoid the problems and ensure users get these articles when they start up.
Send a separate email on network/abuse policy shortly after signup.
Make it clear you have zero tolerance (and no refund) for problems.
Block all ports that should never be used, eg torrents, outgoing RDP, etc.
Block the Spamhaus block list etc.
Default limits on outgoing email per hour (cPanel allows this, but you could also add rules to raw Exim).
A lot of the solutions to problems like this are actually not technical; so if you are having to work this hard to prevent problems you are almost certainly missing something in your customer process.
|
Posted by hostpolis, 03-15-2012, 10:44 PM |
Most of the abuse comes from those VPSs that are created on a dedicated server account.
We do have strict settings on the VPS environment, but our dedi customers don't.
|
Posted by hostpolis, 03-15-2012, 10:47 PM |
I'm still getting abuse tickets as below, all coming from caltech.edu.
Anyone know anything about such patterns?
date.time         srcIP    srcPort  dstIP       dstPort  proto  #pkts
0315.01:58:59.124 x.x.x.x  63627    192.41.x.x  445      6      2
0315.02:12:45.026 x.x.x.x  63808    192.12.x.x  445      6      2
0315.02:23:22.341 x.x.x.x  63026    192.12.x.x  445      6      2
0315.02:59:18.851 x.x.x.x  63702    192.41.x.x  445      6      2
0315.04:42:07.619 x.x.x.x  2590     134.4.x.x   3389     6      3
0315.05:19:24.911 x.x.x.x  63632    192.12.x.x  445      6      2
0315.06:14:01.572 x.x.x.x  62439    192.12.x.x  445      6      2
0315.08:17:37.973 x.x.x.x  3483     134.4.x.x   3389     6
To me, it's a worm running VPS to VPS.
Any inputs?
|
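The two patterns hostpolis posted (the first post's flows from low source ports such as 375 or 983 to destination port 3389, and the later flow records of two- or three-packet TCP flows to 445 and 3389 across many destinations) are what an operator can detect on the provider's own flow data, so the offending VPS can be identified and its owner dealt with instead of blocking ports at the switch. The following is an added example written for this page; it is not code from anyone in the thread. It parses records in the exact shape of the paste above (including the packet count wrapped onto its own line and the truncated last row), then groups them per source and destination port. The sample flows, the RFC 5737 addresses in them, and the thresholds MAX_PROBE_PKTS and MIN_DISTINCT_TARGETS are constructed for the example.

```python
"""Detect worm-like outbound SMB/RDP probing in NetFlow-style records.

Added example, not from the thread. Input format follows the paste in the
thread: 'MMDD.HH:MM:SS.mmm srcIP srcPort dstIP dstPort proto pkts', with the
packet count sometimes wrapped onto the next line. Addresses and thresholds
below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

WATCHED_PORTS = {445: "smb", 3389: "rdp"}  # the services named in the abuse reports
MAX_PROBE_PKTS = 3        # 2-3 packets per flow = SYN plus retry/RST, not a real session
MIN_DISTINCT_TARGETS = 3  # distinct external hosts on one port before we call it a scan
TS_RE = re.compile(r"\d{4}\.\d{2}:\d{2}:\d{2}\.\d{3}")


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    pkts: int


def parse_flows(text):
    """Parse flow lines; re-attach a packet count that wrapped onto its own line
    and skip the header, partial records and anything else that does not fit."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    flows = []
    i = 0
    while i < len(lines):
        fields = lines[i].split()
        i += 1
        if len(fields) == 6 and i < len(lines) and lines[i].isdigit():
            fields.append(lines[i])  # wrapped #pkts column
            i += 1
        if len(fields) != 7 or not TS_RE.fullmatch(fields[0]):
            continue  # header row, truncated record, or noise
        ts, src, sport, dst, dport, proto, pkts = fields
        try:
            flows.append(Flow(ts, str(ipaddress.ip_address(src)), int(sport),
                              str(ipaddress.ip_address(dst)), int(dport),
                              int(proto), int(pkts)))
        except ValueError:
            continue  # unparsable address or number: drop the record
    return flows


def detect_probing(flows):
    """Return one alert per (source, service) that touched MIN_DISTINCT_TARGETS
    or more distinct hosts with tiny TCP flows. Also counts source ports below
    1024: a stock Windows client never picks those for an outbound RDP/SMB
    connection (its ephemeral range starts above 1024), so they point at a tool
    crafting its own packets, as in the 'port 375 -> 3389' reports above."""
    targets = defaultdict(set)
    low_sport = defaultdict(int)
    for f in flows:
        if f.proto != 6 or f.dport not in WATCHED_PORTS:
            continue
        if f.pkts <= MAX_PROBE_PKTS:
            targets[(f.src, f.dport)].add(f.dst)
        if f.sport < 1024:
            low_sport[(f.src, f.dport)] += 1
    alerts = []
    for (src, dport), dsts in sorted(targets.items()):
        if len(dsts) >= MIN_DISTINCT_TARGETS:
            alerts.append({"src": src, "service": WATCHED_PORTS[dport],
                           "targets": len(dsts),
                           "low_source_ports": low_sport[(src, dport)]})
    return alerts


def analyse(text):
    """Parse and detect in one step."""
    return detect_probing(parse_flows(text))


# Constructed sample in the thread's layout (documentation-range addresses).
# One VPS (203.0.113.10) sweeps SMB and RDP; the other two sources are normal
# sessions; the last row lacks its packet count, like the paste in the thread.
SAMPLE_FLOWS = """\
date.time srcIP srcPort dstIP dstPort proto
#pkts
0315.01:58:59.124 203.0.113.10 63627 198.51.100.7 445 6
2
0315.02:12:45.026 203.0.113.10 63808 198.51.100.21 445 6
2
0315.02:23:22.341 203.0.113.10 63026 198.51.100.33 445 6
2
0315.04:42:07.619 203.0.113.10 2590 192.0.2.14 3389 6
3
0315.04:42:07.620 203.0.113.10 375 192.0.2.15 3389 6
3
0315.04:42:07.621 203.0.113.10 983 192.0.2.16 3389 6
3
0315.06:00:00.000 203.0.113.44 51234 198.51.100.80 443 6
118
0315.06:01:00.000 203.0.113.45 51235 192.0.2.9 3389 6
1460
0315.08:17:37.973 203.0.113.10 3483 192.0.2.17 3389 6
"""

if __name__ == "__main__":
    for a in analyse(SAMPLE_FLOWS):
        print(f"{a['src']} probed {a['targets']} hosts on {a['service']} "
              f"({a['low_source_ports']} flows from a source port below 1024)")
```

Run against the sample, it flags 203.0.113.10 twice (SMB and RDP) and leaves the long RDP session from 203.0.113.45 alone, because a real session carries far more than three packets. In practice the records would come from the router's flow export, be windowed by time, and the alert would feed the suspension and customer-notification process the other posters describe rather than a port block.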