My Linode has been targeted. How can I file an Abuse Report to the ISP of the attacker?

Linode Staff

I've noticed malicious attacks targeting my Linode; different applications, ssh, etc. How can I file an Abuse Report to the ISP where the attacks originate from in order to stop this malicious activity?

2 Replies

Linode Staff

In order to submit an Abuse Report, you'll need to know which ISP the attacks originate from and have the infringing evidence to submit.

Obtaining ISP Information

There are two commands that will allow you to obtain the public information needed to submit an Abuse Report to an ISP: dig and whois

First, you'll need to obtain the IP address where the malicious attacks/content originate. Let's say you notice a phishing site. Then, you can run the dig command on the root domain:

dig examplebadsite.com

You'll find an A record in the ANSWER SECTION of the output.

Once you have the IP address, you can run the whois command to determine two things: (1) who the Internet Service Provider is, and (2) what their abuse contact information is.

whois ip.address.found

You can also pipe this output through grep to easily obtain the abuse email you'd need to contact:

whois ip.address.found | grep abuse

Alternatively, you can use the following sites to obtain this information:

Domain Name Lookup

https://www.whatismyip.com/ip-whois-lookup/

Whois IP Lookup

https://www.whatismyip.com/ip-whois-lookup/

Gathering Evidence

So, now you have the email address that you need to contact. What you'll need when sending the report is the evidence of the attack.

I'd recommend including:

  • Log files of malicious activity
  • Headers of the spam email
  • Direct links to phishing/copyrighted material

You can also find evidence of attacks in your log files, such as auth.log. These other posts from our community site may help you locate and access these files:

How do I check my server's log files?

I've noticed some suspicious activity on my Linode, what do I do?

Now, you should have everything you need to put together an actionable email. Depending on the ISP's reporting requirements, they may require additional information, but these steps should start you off in the right direction. I hope this helps you thwart attacks targeting your Linode.

Finally, to defend against these attacks, I'd recommend taking some steps to enhance your Linode's security. These posts and guides (along with those previously referenced) offer great tools and suggestions:

What is an Easy Way to Secure My Server?

Securing Your Server

A Tutorial for Using Fail2ban to Secure Your Server

Firewalls
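The dig/whois/auth.log procedure in the reply above, carried through as one script. This is an added example, not code from the reply or from Linode: it pulls the abuse address out of whois output, filters auth.log down to the failed-login lines for the attacking IP, and assembles a report body from them. The whois text and the log lines are constructed so the script runs offline; the ISP name, the addresses (documentation ranges) and the hostname are made up.

```shell
#!/bin/sh
# Added example, not code from the post above: turn one attacking IP seen in
# auth.log into an abuse-report draft. Both inputs below are CONSTRUCTED so the
# script runs offline; in practice substitute your real /var/log/auth.log and
# the output of `whois "$ip"`. Addresses are from the documentation ranges.

SAMPLE_AUTH_LOG='May 21 09:33:55 host sshd[1234]: Failed password for root from 203.0.113.45 port 51022 ssh2
May 21 09:33:57 host sshd[1234]: Failed password for root from 203.0.113.45 port 51022 ssh2
May 21 09:34:01 host sshd[1240]: Failed password for invalid user admin from 203.0.113.45 port 51100 ssh2
May 21 09:34:03 host sshd[1244]: Invalid user admin from 203.0.113.45 port 51100
May 21 09:35:10 host sshd[1250]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
May 21 09:36:00 host sshd[1260]: Failed password for root from 203.0.113.99 port 42000 ssh2'

# Constructed whois text that deliberately mixes the RIPE/APNIC "abuse-mailbox:"
# field, the ARIN "OrgAbuseEmail:" field and the "% Abuse contact ..." banner,
# the three shapes a real lookup can return (a real record shows only one style).
SAMPLE_WHOIS="% Abuse contact for '203.0.113.0 - 203.0.113.255' is 'abuse@example-isp.net'
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-ISP-NET
abuse-mailbox:  abuse@example-isp.net
OrgAbuseEmail:  abuse@example-isp.net
OrgTechEmail:   noc@example-isp.net"

# Candidate abuse addresses from whois text on stdin, one per line, deduplicated.
# Only lines mentioning "abuse" are considered, so the tech/NOC contact is skipped.
abuse_contacts() {
    grep -i 'abuse' | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' | sort -u
}

# auth.log lines on stdin that are evidence against one source IP: failed
# passwords and invalid-user probes. The IP is anchored so that 203.0.113.4
# does not also match 203.0.113.45, and its dots are escaped for the regex.
evidence_for_ip() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "(Failed password|Invalid user).* from ${esc}( |\$)"
}

# First and last syslog timestamp of the evidence, e.g. "May 21 09:33:55 to May 21 09:34:03".
evidence_window() {
    evidence_for_ip "$1" | awk 'NR == 1 { first = $1 " " $2 " " $3 }
                                { last = $1 " " $2 " " $3 }
                                END { if (NR) print first " to " last }'
}

# Assemble the report. Arguments: IP, auth.log text, whois text.
draft_report() {
    ip="$1"; log="$2"; whois_text="$3"
    contact=$(printf '%s\n' "$whois_text" | abuse_contacts | head -n 1)
    count=$(printf '%s\n' "$log" | evidence_for_ip "$ip" | wc -l | tr -d ' ')
    window=$(printf '%s\n' "$log" | evidence_window "$ip")
    printf 'To: %s\n' "${contact:-NO ABUSE CONTACT IN WHOIS (look up the upstream allocation)}"
    printf 'Subject: SSH brute-force attempts from %s\n\n' "$ip"
    printf 'Between %s (server local time) the host %s made %s failed SSH login\n' "$window" "$ip" "$count"
    printf 'attempts against my server. Raw /var/log/auth.log lines follow; please\n'
    printf 'investigate and stop the activity.\n\n'
    printf '%s\n' "$log" | evidence_for_ip "$ip"
}

# Stand-alone demo on the constructed data.
draft_report 203.0.113.45 "$SAMPLE_AUTH_LOG" "$SAMPLE_WHOIS"
```

Two things the script cannot supply for you: syslog timestamps carry neither the year nor the timezone, so state both in the report, and the raw lines should go in unedited apart from redacting your own hostname or address. For spam or phishing reports the same structure holds, with the full mail headers or the direct links taking the place of the auth.log excerpt.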

Welcome to the real world! I get tons of these a day…mostly from the Russians & Chinese. Currently the blacklists in my firewall clock in at:

  • 46104 unique, non-overlapping IPv4 nets
  • 159243 unique IPv4 nodes
  • 19595 unique, non-overlapping IPv6 nets
  • 7 unique IPv6 nodes

My /var/log/kern.log* files are gigantic…mostly filled with entries like this:

May 21 09:33:55 <redacted> kernel: [1028400.911951] BLACKLIST-IN:IN=eth0 OUT= MAC=<redacted> SRC=59.127.89.218 DST=<redacted> LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=2404 PROTO=TCP SPT=6663 DPT=23 WINDOW=4879 RES=0x00 SYN URGP=0 

This happens to be an unauthorized ftp attempt from Taiwan (from Hinet…a well-known Taiwanese purveyor of spam).

I implemented this blacklist scheme so fail2ban(1) wouldn't have to work as hard and I would have more immediate protection (there's a lag between the time of the intrusion attempt and the time fail2ban(1) detects it and takes action). The blacklists include several countries (identified by 2-letter ISO codes). By far, the biggest offenders are RU (Russian Federation) and CN (People's Republic of China)…plus several of their proxies around the world. There are several smaller offenders as well (e.g. Digital Ocean).

If you haven't implemented fail2ban(1), you should do it…now!

If the offending ISP is not in the US or Canada, save your breath. Even the big American ISPs (Comcast, Amazon, Microsoft, Google) will just send you a terse and content-free response with no follow up.

It's better to be proactive and protect yourself than to wait for someone else to do it for you! Unfortunately, this kind of activity is de rigueur in several regions of the world and no one (especially someone who's making money off it) is going to protect you!

-- sw
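The kern.log entry quoted in the reply above has the standard netfilter LOG key=value layout, which makes a "gigantic" log file easy to triage with awk. The following is an added example, not the poster's blacklist scheme and not code from the reply: it ranks logged sources by packet count, breaks one source down by destination port, and emits ipset commands for sources above a threshold. The kernel log lines are constructed (documentation-range addresses, made-up MACs), the ipset name `blacklist` and its `hash:ip` type are assumptions, and the port-name table is a small assumed subset of the IANA registry.

```shell
#!/bin/sh
# Added example, not the poster's blacklist scheme: triage netfilter LOG lines of the
# "BLACKLIST-IN:" shape shown above. The kernel log lines are CONSTRUCTED (documentation
# addresses, made-up MACs); pipe real /var/log/kern.log* through the same functions.
# Assumed: an ipset named "blacklist" (type hash:ip) already referenced by a DROP rule.

SAMPLE_KERN_LOG='May 21 09:33:55 host kernel: [1028400.911951] BLACKLIST-IN:IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=2404 PROTO=TCP SPT=6663 DPT=23 WINDOW=4879 RES=0x00 SYN URGP=0
May 21 09:33:58 host kernel: [1028403.100001] BLACKLIST-IN:IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2405 PROTO=TCP SPT=6664 DPT=22 WINDOW=4879 RES=0x00 SYN URGP=0
May 21 09:34:02 host kernel: [1028407.200002] BLACKLIST-IN:IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 21 09:34:05 host kernel: [1028410.300003] BLACKLIST-IN:IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2406 PROTO=TCP SPT=6665 DPT=23 WINDOW=4879 RES=0x00 SYN URGP=0
May 21 09:34:09 host kernel: [1028414.400004] BLACKLIST-IN:IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.200 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=40
May 21 09:34:11 host sshd[999]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2'

# Keep only the firewall LOG lines; everything else in kern.log is noise here.
log_lines() { grep 'BLACKLIST-IN:'; }

# Print one KEY=value field (SRC, DPT, PROTO, ...) per line from LOG lines on stdin.
# Matching "KEY=" at the start of a token keeps SPT and DPT apart and stops at the
# first LEN= on UDP lines, which carry two.
field() {
    awk -v key="$1" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); break }
    }'
}

# LOG lines from a single source, with the IP anchored and its dots escaped.
lines_from_source() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    log_lines | grep -E "SRC=${esc}( |\$)"
}

# Sources ranked by logged packets: "IP count", busiest first.
top_sources() {
    log_lines | field SRC | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Ports one source probed, as "port name count", most-hit first. The name table is
# an assumed subset of the IANA registry, enough to read the common probes.
ports_for_source() {
    lines_from_source "$1" | field DPT | awk '
        BEGIN { n[21] = "ftp"; n[22] = "ssh"; n[23] = "telnet"; n[25] = "smtp";
                n[445] = "smb"; n[3389] = "rdp" }
        { c[$1]++ }
        END { for (p in c) printf "%s %s %d\n", p, ((p in n) ? n[p] : "-"), c[p] }' |
        sort -k3,3rn -k1,1n
}

# ipset commands for every source at or above a packet threshold. They are printed,
# not run: review the list first, then pipe it to sh.
block_commands() {
    top_sources | awk -v t="$1" '$2 + 0 >= t + 0 { print "ipset add blacklist " $1 " -exist" }'
}

# Stand-alone demo on the constructed data.
printf '%s\n' "$SAMPLE_KERN_LOG" | top_sources
printf '%s\n' "$SAMPLE_KERN_LOG" | ports_for_source 203.0.113.10
printf '%s\n' "$SAMPLE_KERN_LOG" | block_commands 2
```

The per-port view is there because a bare DPT number is easy to misread in a wall of such lines: port 23 is telnet, port 21 is ftp. The same ranked output also tells you which sources are worth the trouble of a whois lookup and an abuse report, and `-exist` lets the generated commands be re-run safely after the set has been populated once.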
