by dataflow 603 days ago
> the legitimate answer to the abuse report ("someone is spoofing my IP, it isn't me, and the machine is not compromised") is the exact same excuse that a malicious actor would provide.

The legitimate answer would include some sort of real-world attestation about you from a trusted third party. Probably, at the very least, some evidence of your identity and jurisdiction. Maybe including a video call or something. Not just you anonymously claiming you're a good guy over the internet and expecting to be believed.


Hetzner (if they keep logs) should be able to verify if a user has been sending arbitrary packets out on port 22 very trivially
Just what type of logs do you expect Hetzner to keep?
Netflow data or equivalent? I'd assume any provider to have such records, at least in the short term. It can also be invaluable in debugging network problems post-hoc.
Splunk logs of traffic. It’s pretty common at the corporate level.
At minimum? In/outbound traffic
Cause that's probably just a TB of logs per short unit of time.
Not the traffic itself, just metadata (i.e. netflow).
Why?

If there is technology and established protocols to prevent spoofing, but some ISPs refuse to follow these protocols, why should it be your burden to prove it wasn’t you?

Is it reasonable to allow people to get credit cards with your SSN, when it’s physically possible to confirm their identity when they present your SSN, but the bank is too lazy to do it, and we put it on you to show up and cancel the credit cards? And of course present 3rd party attestation that it wasn’t you who did this. Maybe even bring an alibi?

I hope I misunderstood your comment.

Some ISPs (often those of the "last-mile") allow outgoing packets whose source IP does not belong to their subnet. They have no rules in iptables preventing packets that do not belong to the given subnet assigned to end customers. This is how spoofed packets enter the Internet most of the time. The ISPs on upper tiers cannot use such filters (even if they want to) because their networks are not strictly hierarchical like the networks of the "last-mile" ISPs and such filters will simply break the connectivity. The only way to significantly reduce spoofed packets is if all "last-mile" ISPs implement proper filtration.
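The filtering the comment above describes, as an added example that is not from the thread or from any ISP's configuration: strict source-address validation (BCP 38 / RFC 2827) on customer-facing ports, next to the loose check that is all a transit network can apply, plus a rendering of the strict rule as an nftables chain. The interface names, delegated prefixes (documentation ranges), routed prefixes and bogon list are constructed for the example.

```python
"""Source-address validation (BCP 38 / RFC 2827 style) as a last-mile ISP can
apply on customer-facing ports, next to the looser check that is all a
transit network can afford.  Added example; interface names and prefixes
are constructed from documentation ranges, not any ISP's configuration."""
import ipaddress

# Customer access ports and the prefixes delegated to each (constructed).
ASSIGNMENTS = {
    "cust-0042": ["203.0.113.0/28", "2001:db8:42::/48"],
    "cust-0043": ["203.0.113.16/28"],
}
# Everything this network has a route for: own customers plus prefixes
# learned from peers (constructed).
ROUTED = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32"]
# Space that should never appear as a source on the public Internet.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
          "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8"]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


_ASSIGNED = {iface: _nets(p) for iface, p in ASSIGNMENTS.items()}
_ROUTED, _BOGONS = _nets(ROUTED), _nets(BOGONS)


def _in(nets, addr):
    return any(n.version == addr.version and addr in n for n in nets)


def _parse(src):
    try:
        return ipaddress.ip_address(src)
    except ValueError:
        return None


def strict_check(iface, src):
    """Edge rule (strict uRPF / BCP 38): a packet arriving on a customer port
    must carry a source address delegated to that port.  Fails closed on
    malformed addresses and on ports with no assignment."""
    addr = _parse(src)
    if addr is None or iface not in _ASSIGNED:
        return "DROP"
    return "ACCEPT" if _in(_ASSIGNED[iface], addr) else "DROP"


def loose_check(src):
    """Transit rule (loose uRPF): reject only bogons and unrouted space.  A
    spoofed address that is routable somewhere passes, because a multi-homed
    core cannot tie a prefix to one incoming interface without breaking
    legitimate asymmetric paths.  This is why the edge has to do the work."""
    addr = _parse(src)
    if addr is None or _in(_BOGONS, addr):
        return "DROP"
    return "ACCEPT" if _in(_ROUTED, addr) else "DROP"


def nft_rules(iface):
    """Render strict_check for one port as an nftables netdev ingress chain
    (table and chain names are assumptions)."""
    lines = [
        "table netdev sav {",
        f"    chain {iface.replace('-', '_')} {{",
        f'        type filter hook ingress device "{iface}" priority 0; policy drop;',
    ]
    for n in _ASSIGNED[iface]:
        fam = "ip" if n.version == 4 else "ip6"
        lines.append(f"        {fam} saddr {n} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)
```

The contrast in the two check functions is the point of the comment: `strict_check` drops 198.51.100.5 arriving on cust-0042 because that address was never delegated to that port, while `loose_check` has to accept it, since it is a perfectly routable address and a transit router has no way of knowing it should not have come in on that link.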
>The legitimate answer would include some sort of real-world attestation about you from a trusted third party.

It's annoying to find someone (or some service) that is willing to attest on your behalf and have that person (or service) be trusted by your provider more than whoever filed the abuse complaint.

>Maybe including a video call or something.

It's annoying to find someone at your provider who will take the time to do this. It's annoying to take my time to have to do this.

My point, overall, was that this is just a really annoying problem.

> It's annoying to find someone (or some service) that is willing to attest on your behalf and have that person (or service) be trusted by your provider more than whoever filed the abuse complaint.

Isn't this precisely the role filled by notaries?

I can rephrase it for you.

It's annoying to find a notary and pay for their services to attest that I'm not doing something.

Yeah, let's just have everyone hosting TOR nodes out themselves and their friends to local authorities...

Nice try Winnie Poo

Damn, well you definitely foiled my plan there.
So it turns out at the network service level, anonymity has never been guaranteed. If I, as another chunk of the network, can't trust your chunk, it's going to get cut from accessing me.

There has to be some ability to establish baseline trust.

Is this something that is necessarily true or true due to policy decisions or tech debt?

Honest question as someone that is definitely not a networking expert.

It's true due to the nature of what the network is.

In the abstract: if I own the infrastructure and someone uses that infrastructure to hurt someone, that someone who was hurt (or the parties who protect them) are going to come to me asking questions. If I just say "I don't know" and the law doesn't protect my willful ignorance, I'm at best enabling harm; I'm at worst socially or legally liable for negligence.

In the abstract, the systems of human governance recognize harm and seek to mitigate it.

So if I'm peered to a network using me as a bridge to do harm, I can't trust that network when the bad starts to outweigh the good. If I can't establish trust via human methods, I'm gonna cut that network off to protect myself.

(The Internet started as people who had working relationships with each other and grew out from there. Even though the web of connections is much larger and more indirect now, the whole thing is still at its core a human construct and beholden to human standards of conduct, because humans ultimately have their hands on the various plugs that are yankable).

OK, but in this specific example, what would you do in the shoes of Hetzner?

My understanding of the situation is, somebody in Network A is sending spoofed traffic to Network B. Hetzner receives abuse reports from Network B.

Should Hetzner either establish trust or cut off: Network A, Network B, or their customer?

Hetzner has or should have means to verify that their customer is not the one making port 22 requests. They are not the attacker. Network B is reporting the issue, they are also not the attacker. And Hetzner cannot identify Network A, at least not without Network B's cooperation. And even if Hetzner does identify and cut off Network A, the problem remains – Network A can still send spoofed traffic to Network B.

If they feel like it, they can reply to the abused party that they have misidentified the attacker (and why). It is up to the victim to then research further if they feel so inclined.