by ziddoap 600 days ago
This type of issue can be incredibly annoying to deal with, because the legitimate answer to the abuse report ("someone is spoofing my IP, it isn't me, and the machine is not compromised") is the exact same excuse that a malicious actor would provide.

Then, as noted in the article, you're trying to prove a negative to someone who doesn't really care at all, which is borderline impossible.


Hetzner says in the email that no response is necessary.

Automated abuse reports of things that are easily spoofed don't justify a report, but might justify a quick check to make sure your box is still operating correctly and hasn't been taken over.

>but we do expect you to check it and to resolve any potential issues.

That's the important part.

If they receive another one (or two, or a few) more abuse reports, they assume it is not fixed, and will expect a response then. Which ends up being annoying.

Well they are Hetzner, they should understand the issue. I don't know if they would go through the hassle to verify by themselves by running a capture on a router leading to your server though... I had a similar problem a good decade ago. Was running a game server for a while, and as it is with competitive games, some people get really angry when they lose. At some point I got DDoSed by a UDP reflection attack, and as if that wasn't annoying enough, I got relayed an abuse complaint from a Brazilian ISP who claimed I was DoSing one of the servers in his network, which was in reality one of the zombies getting hit by the spoofed packets containing my server's address as the source. I tried to explain to them twice how this works, linked them two different articles about it, told them to look at the traffic to and from this server so that they would be able to verify the server is actually sending much more traffic in my direction, but no dice, they just sent an even angrier mail to Hetzner. I quickly contacted Hetzner after that incident telling them the story and they said it's fine and apparently fully understood the issue, which really shouldn't be surprising for an ISP, but the previous exchange with the other ISP made me question my sanity a bit.
This kinda thing is so rough, and I can really relate to the questioning of your own sanity part when everyone around you is insisting something works in a particular way that is just factually incorrect.

I got hired into a pretty old small technology company that has over a decade of tech debt, and "how the whole system works" is different depending on which engineer you're talking to. You have to do a context shift to a different engineering reality just to do basic improvements to the system. Lots and lots of built up confusion over years of incremental changes, some of which under pressure no doubt, some well intentioned half-refactors, some almost dead code...imagine your well established corporate morass and then give it a shoestring budget.

It's scrappy in its own way, but the threads where people advocate "don't worry about the tech debt, if the company succeeds they will have the budget to fix it" don't account for the middle ground of not having huge success but having enough success to continue indefinitely. I guess that could mean you could fix the problem over longer time spans, but people don't stay at orgs like this long enough for that to happen, because the job of fixing it is no fun and you can't just throw huge amounts of money at the problem.

It's the converse - since they are Hetzner, I'd expect them to have an automatic system to delete servers if 2-3 abuse reports are received...
> the legitimate answer to the abuse report ("someone is spoofing my IP, it isn't me, and the machine is not compromised") is the exact same excuse that a malicious actor would provide.

The legitimate answer would include some sort of real-world attestation about you from a trusted third party. Probably the very least, some evidence of your identity and jurisdiction. Maybe including a video call or something. Not just you anonymously claiming you're a good guy over the internet and expecting to be believed.

Hetzner (if they keep logs) should be able to verify very trivially whether a user has been sending arbitrary packets out on port 22.
Just what type of logs do you expect Hetzner to keep?
Netflow data or equivalent? I'd assume any provider to have such records, at least in the short term. It can also be invaluable in debugging network problems post-hoc.
Splunk logs of traffic. It’s pretty common at the corporate level.
At minimum? In/outbound traffic
Cause that's probably just a TB of logs per short unit of time.
Not the traffic itself, just metadata (i.e. netflow).
Why?

If there is technology and established protocols to prevent spoofing, but some ISPs refuse to follow these protocols, why should it be your burden to prove it wasn’t you?

Is it reasonable to allow people to get credit cards with your SSN, when it’s physically possible to confirm their identity when they present your SSN, but the bank is too lazy to do it, and we put it on you to show up and cancel the credit cards? And of course present 3rd party attestation that it wasn’t you who did this. Maybe even bring an alibi?

I hope I misunderstood your comment.

Some ISPs (often those of the "last-mile") allow outgoing packets whose source IP does not belong to their subnet. They have no rules in iptables preventing packets that do not belong to the given subnet assigned to end customers. This is how spoofed packets enter the Internet most of the time. The ISPs on upper tiers cannot use such filters (even if they want to) because their networks are not strictly hierarchical like the networks of the "last-mile" ISPs and such filters will simply break the connectivity. The only way to significantly reduce spoofed packets is if all "last-mile" ISPs implement proper filtration.
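The filter the comment above describes (BCP 38 / source address validation at the customer edge) is simple enough to model directly. The block below is an added example, not code from the thread or from any ISP: it keeps a table of which customer prefixes sit behind which access interface, accepts a packet from an access port only if its source address falls inside that port's assigned prefixes, and passes transit and peering interfaces through unchecked, since those carry prefixes from the whole Internet and a per-prefix check there would break connectivity, as the comment says. Interface names, prefixes and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed last-mile edge model: customer prefixes assigned to each access
# interface. Names and prefixes are made up for this example.
ACCESS_PREFIXES = {
    "cust-port-17": [ipaddress.ip_network("203.0.113.0/28")],
    "cust-port-18": [ipaddress.ip_network("203.0.113.16/28"),
                     ipaddress.ip_network("2001:db8:17::/48")],
}

# Transit and peering links carry the whole routing table, so there is no
# single customer prefix to validate against; they are left unfiltered here.
UNFILTERED_IFACES = {"transit-a", "peer-ix"}


def ingress_decision(in_iface, src_ip):
    """BCP38-style source address validation for one packet.

    Returns 'accept' or 'drop' for a packet arriving on `in_iface` with
    source address `src_ip`.
    """
    src = ipaddress.ip_address(src_ip)
    if in_iface in UNFILTERED_IFACES:
        return "accept"
    allowed = ACCESS_PREFIXES.get(in_iface)
    if allowed is None:
        return "drop"  # unknown access port: fail closed
    # `src in prefix` is False across address families, so an IPv6 source on a
    # port that only has an IPv4 assignment is dropped as well.
    return "accept" if any(src in prefix for prefix in allowed) else "drop"


def apply_filter(packets):
    """packets: iterable of (in_iface, src_ip, dst_ip) tuples.
    Returns a list of (in_iface, src_ip, dst_ip, decision)."""
    return [(iface, src, dst, ingress_decision(iface, src))
            for iface, src, dst in packets]


# Constructed sample traffic: a genuine customer packet, a packet leaving a
# customer port with someone else's address as source, an IPv6 customer packet,
# and a packet arriving from transit that must be passed through.
SAMPLE_PACKETS = [
    ("cust-port-17", "203.0.113.5", "198.51.100.5"),
    ("cust-port-17", "198.51.100.9", "198.51.100.5"),
    ("cust-port-18", "2001:db8:17::1", "2001:db8:99::1"),
    ("transit-a", "192.0.2.44", "203.0.113.5"),
]

if __name__ == "__main__":
    for entry in apply_filter(SAMPLE_PACKETS):
        print(entry)
```

On a Linux-based edge the per-port rule reduces to something like `nft add rule inet filter forward iif "cust-port-17" ip saddr != 203.0.113.0/28 drop` (one rule per access interface and address family); on routers it is the same idea under the name unicast RPF in strict mode. The second sample packet is the one the comment is about: it never leaves the access network, so the downstream victim never sees a packet carrying a stranger's source address.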
>The legitimate answer would include some sort of real-world attestation about you from a trusted third party.

It's annoying to find someone (or some service) that is willing to attest on your behalf and have that person (or service) be trusted by your provider more than whoever filed the abuse complaint.

>Maybe including a video call or something.

It's annoying to find someone at your provider who will take the time to do this. It's annoying to take my time to have to do this.

My point, overall, was that this is just a really annoying problem.

> It's annoying to find someone (or some service) that is willing to attest on your behalf and have that person (or service) be trusted by your provider more than whoever filed the abuse complaint.

Isn't this precisely the role filled by notaries?

I can rephrase it for you.

It's annoying to find a notary and pay for their services to attest that I'm not doing something.

Yeah, let's just have everyone hosting TOR nodes out themselves and their friends to local authorities...

Nice try Winnie Poo

Damn, well you definitely foiled my plan there.
So it turns out at the network service level, anonymity has never been guaranteed. If I, as another chunk of the network, can't trust your chunk, it's going to get cut from accessing me.

There has to be some ability to establish baseline trust.

Is this something that is necessarily true or true due to policy decisions or tech debt?

Honest question as someone that is definitely not a networking expert.

It's true due to the nature of what the network is.

In the abstract: if I own the infrastructure and someone uses that infrastructure to hurt someone, that someone who was hurt (or the parties who protect them) are going to come to me asking questions. If I just say "I don't know" and the law doesn't protect my willful ignorance, I'm at best enabling harm; I'm at worst socially or legally liable for negligence.

In the abstract, the systems of human governance recognize harm and seek to mitigate it.

So if I'm peered to a network using me as a bridge to do harm, I can't trust that network when the bad starts to outweigh the good. If I can't establish trust via human methods, I'm gonna cut that network off to protect myself.

(The Internet started as people who had working relationships with each other and grew out from there. Even though the web of connections is much larger and more indirect now, the whole thing is still at its core a human construct and beholden to human standards of conduct, because humans ultimately have their hands on the various plugs that are yankable).

OK, but in this specific example, what would you do in the shoes of Hetzner?

My understanding of the situation is, somebody in Network A is sending spoofed traffic to Network B. Hetzner receives abuse reports from Network B.

Should Hetzner either establish trust or cut off: Network A, Network B, or their customer?

Hetzner has or should have means to verify that their customer is not the one making port 22 requests. They are not the attacker. Network B is reporting the issue, they are also not the attacker. And Hetzner cannot identify Network A, at least not without Network B's cooperation. And even if Hetzner does identify and cut off Network A, the problem remains – Network A can still send spoofed traffic to Network B.