My Linode has been targeted. How can I file an Abuse Report to the ISP of the attacker?
I've noticed malicious attacks targeting my Linode; different applications, ssh, etc. How can I file an Abuse Report to the ISP where the attacks originate from in order to stop this malicious activity?
In order to submit an Abuse Report, you'll need to know which ISP the attacks originate from and have the infringing evidence to submit.
Obtaining ISP Information
There are two commands that will allow you to obtain the public information needed to submit an Abuse Report to an ISP:
First, you'll need to obtain the IP address where the malicious attacks/content originate. Let's say you notice a phishing site. Then, you can run the dig command on the root domain:
You'll find an A record in the ANSWER SECTION of the output.
Once you have the IP address, you can run the whois command to determine two things: (1) who is the Internet Service Provider (2) what is their abuse contact information
You can also pipe this output through grep to easily obtain the abuse email you'd need to contact:
whois ip.address.found | grep abuse
Alternatively, you can use the following sites to obtain this information:
- Domain Name Lookup
- Whois IP Lookup
So, now you have the email address that you need to contact. Now, what you'll need when sending the report is the evidence of the attack.
I'd recommend including:
- Log files of malicious activity
- Headers of the spam email
- Direct links to phishing/copyrighted material
You can also find evidence of attacks from your log files, such as auth.log. These other posts from our community site may help you in locating and accessing these files:
Now, you should have everything you need to put together an actionable email. Depending on the ISP's reporting requirements, they may require additional information, but these steps should start you off in the right direction. I hope this helps you thwart attacks targeting your Linode.
Finally, to defend against these attacks, I'd recommend taking some steps to enhance your Linode's security. These posts and guides (along with those previously referenced) offer great tools and suggestions:
Welcome to the real world! I get tons of these a day…mostly from the Russians & Chinese. Currently the blacklists in my firewall clock in at:
- 46104 unique, non-overlapping IPv4 nets
- 159243 unique IPv4 nodes
- 19595 unique, non-overlapping IPv6 nets
- 7 unique IPv6 nodes
My /var/log/kern.log* files are gigantic…mostly filled with entries like this:
May 21 09:33:55 <redacted> kernel: [1028400.911951] BLACKLIST-IN:IN=eth0 OUT= MAC=<redacted> SRC=188.8.131.52 DST=<redacted> LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=2404 PROTO=TCP SPT=6663 DPT=23 WINDOW=4879 RES=0x00 SYN URGP=0
This happens to be an unauthorized ftp attempt from Taiwan (from Hinet…a well-known Taiwanese purveyor of spam).
I implemented this blacklist scheme so fail2ban(1) wouldn't have to work as hard and I would have more immediate protection (there's a lag between the time of the intrusion attempt and the time fail2ban(1) detects it and takes action). The blacklists include several countries (identified by 2-letter ISO codes). By far, the biggest offenders are RU (Russian Federation) and CN (Peoples' Republic of China)…plus several of their proxies around the world. There are several smaller offenders as well (e.g. Digital Ocean).
If you haven't implemented fail2ban(1), you should do it…now!
If the offending ISP is not in the US or Canada, save your breath. Even the big American ISPs (Comcast, Amazon, Microsoft, Google) will just send you a terse and content-free response with no follow up.
It's better to be proactive and protect yourself than to wait for someone else to do it for you! Unfortunately, this kind of activity is de rigueur in several regions of the world and no one (especially someone who's making money off it) is going to protect you!
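Pulling the two replies together, here is an added example (not code from either reply above, nor from Linode) that tallies attacking source addresses from the auth.log failed-login lines the first answer suggests as evidence and from the BLACKLIST-IN kernel log format shown in the second, and prints the whois lookup to run for each. The log lines, hostnames and addresses are constructed for the example, and the sshd "Failed password for ... from ..." message format is assumed to be the standard one.

```python
# Added example, not from the thread: build abuse-report evidence from log lines.
import re

# netfilter LOG line in the "BLACKLIST-IN:" form shown in the reply above
KERN_RE = re.compile(r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d).*SRC=(?P<src>[0-9a-fA-F.:]+).*?DPT=(?P<dpt>\d+)")
# sshd failed-login line as it appears in auth.log (format assumed)
AUTH_RE = re.compile(r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d).*sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+)")

def parse_line(line):
    """Return (src_ip, event description, timestamp), or None for an unrelated line."""
    m = KERN_RE.search(line)
    if m:
        return m["src"], f"firewall drop, dport {m['dpt']}", m["ts"]
    m = AUTH_RE.search(line)
    if m:
        return m["src"], f"ssh failed login as {m['user']}", m["ts"]
    return None

def summarize(lines):
    """Group events by source IP: count, first/last timestamp seen, and kinds of event."""
    report = {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        src, kind, ts = parsed
        entry = report.setdefault(src, {"count": 0, "first": ts, "last": ts, "kinds": set()})
        entry["count"] += 1
        entry["last"] = ts
        entry["kinds"].add(kind)
    return report

def abuse_report_lines(report):
    """One evidence line per IP (busiest first) plus the whois command for the abuse contact."""
    out = []
    for src, e in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        out.append(f"{src}: {e['count']} events, {e['first']} .. {e['last']}: " + "; ".join(sorted(e["kinds"])))
        out.append(f"  lookup: whois {src} | grep -i abuse")
    return out

# Constructed sample lines; addresses are from documentation ranges, not real attackers.
SAMPLE_LOG = """\
May 21 09:33:55 host kernel: [1028400.911951] BLACKLIST-IN:IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=2404 PROTO=TCP SPT=6663 DPT=23 WINDOW=4879 RES=0x00 SYN URGP=0
May 21 09:34:02 host kernel: [1028407.100000] BLACKLIST-IN:IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2405 PROTO=TCP SPT=6664 DPT=22 WINDOW=4879 RES=0x00 SYN URGP=0
May 21 09:35:10 host sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 50212 ssh2
May 21 09:35:12 host sshd[2201]: Failed password for root from 198.51.100.23 port 50214 ssh2
May 21 09:36:00 host sshd[2210]: Accepted publickey for deploy from 192.0.2.55 port 40000 ssh2
""".splitlines()
```

To run it against a real host, pass the lines of /var/log/auth.log or /var/log/kern.log to summarize() instead of SAMPLE_LOG; the "lookup" line is printed, not executed, so the whois query stays a deliberate step.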