[jwkerr]

This is very interesting to me, would most of these bots be running on servers that have already been compromised? If that's the case, is the Netherlands/Digital Ocean the most common combo as it's what most normal people use, or is there some other reason bots favour it?

[djkurlander]

Many/most of these are servers that have been compromised. DigitalOcean is certainly one of the biggest ISPs/providers; however, I’m betting that if you looked at ratio of knocks per ASN IPs registered, DigitalOcean would still be at the top. I’ll look into that.

Providers can shut down abusive IPs. I run a script every night to report attacks to abuseIPDB.com (included in the extras folder on the knock-knock GitHub repository). Some providers just don’t care.

[6031769]

> Some providers just don’t care.

And they should be shunned by everyone. We should all be naming and shaming such providers and those of us with any conscience at all will avoid using them. This is the only way to stop the tsunami of bad actors.

[h33t-l4x0r]

Or you could just choose a strong password / disable password auth? Why would DO side with anonymous abuse reporters over their customers?

[djkurlander]

Though strong passwords or preferably ssh keys are important, there will always be servers with weak passwords.

And DO doesn’t have to side with individual abuse reporters. If they cared, they could spend a fraction of an hour setting up the knock-knock software on one of their own servers, and generate their own list of abusive IPs. They just don’t care.

[uyzstvqs]

Is this hosted on DigitalOcean, say in The Netherlands? Could it be that spam traffic within the same datacenter bypasses their detection?

[djkurlander]

No, knock-knock.net is not hosted on DigitalOcean, and all 4 of my other knock-knock servers, using different providers, and distributed geographically currently have DigitalOcean as the worst offending provider.