Abuse Reports Still Work

by raphidae @ EFNet

Over the last couple of years, I have been hearing more and more stories about how filing abuse reports is a waste of time.  It happens that I recently got the great idea to run a honeypot for DDoS traffic, which provided me with a ton of abuse reports to file.

Where most administrators of source networks are willing to help and will take action on abuse reports immediately, unfortunately, not all of them fall into that category.  This is especially true when these networks are located in, let's say, Vietnam or Brazil.  I have encountered over quota abuse mailboxes, "localhost" as network domain MX, up to a reply of "We do not care, f*ck off" in proper English.

For those of you who are the victim of some kind of abuse and have hit a brick wall with email, I have the following advice:

Use the phone.  Calling the company on record for the IP block usually gets you someone on the phone, which makes it much more personal.  It's easy to just trash an email, but it is somewhat more uncomfortable to ignore someone who will call again to bitch if no action is taken.

Even when the source network is in some smelly country, it is beneficial to call them.  Some have receptionists that speak English.  If not, it usually works if you just repeat "English!  American!" in a loop.  They will figure it out and transfer you to someone who speaks (some) English.

Once you get someone on the phone who can basically understand what you are saying, they will usually act on the problem.  If not, or if you cannot reach anyone who has a clue:

If they can't be reached at all, or if the abuse is of such a magnitude that action must be taken immediately (weekends, nights), go a level up the routing tree and try again there.  The network one hop (or two hops) up will usually be a larger transit provider.  These have trained, somewhat English-speaking, support personnel on staff 24/7, no matter what country.  They can help you by communicating with their client in case of a language barrier or, for example, null-route the source subnet if the problem is large enough.

The reason I give this advice is because I have noticed that either people take no for an answer in case of abuse or do not know how to deal with this effectively.  At the peak of my little project, my network took over 60 Gbit/s of traffic, and the bulk came from rooted VPS and web servers on 100 MB and 1 GB connections.  The owners of those servers are mostly oblivious and if nobody tells them they are a f*cking pest to the rest of the Internet, they will not magically disappear from it.

Just by reporting the abuse to the responsible parties and not giving up easily, I was able to cut the 60 Gbit/s back to a mere 5 Gbit/s at the source.  The remaining traffic was mostly low-bandwidth dial-up/DSL connections spread over a multitude of providers.  My experience is that most admins of source networks have no idea, and too often I was the first they had heard of it.  Whether that was because their email server was misconfigured, they didn't check the mailbox, their upstream didn't pass it on to them, etc. is irrelevant.

If I can get to them, someone else can as well.  Better yet, if some other earlier poor victim of that source had not been lazy or had been more persistent, it would not have been there to attack my network later.

As part of the honeypot project, I've tracked various sources over time, and for sources greater than 80 Mbit/s, practically all were around for weeks until I finally contacted the responsible admin and they were shut down.  This tells me that I am either really, really special to be attacked by them or the other victims did not report it or got no results.  I'm betting the latter, which is unfortunate for everyone.
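The two practical steps above, ranking the sources a honeypot sees so the heavy ones (the 80 Mbit/s and up class) get chased first, and finding the company on record for the IP block so there is someone to email and phone, can be scripted.  The following is an added example and is not code from the article or its author.  Everything in it is assumed: the flow-record layout and the RDAP document are constructed samples (the RDAP shape follows what RIR RDAP services return for an IP lookup), and the lookup is passed in as a function so the script runs offline; a live run would fetch the RDAP record for each address instead.

```python
"""Added example, not from the article: rank DDoS sources seen by a honeypot
and pull the registered abuse contact out of an RDAP record, so that the
heaviest sources get reported (and phoned) first.

Assumptions, none taken from the article: the flow records and the RDAP
document below are constructed samples; the RDAP lookup is injected as a
function so the example runs offline.
"""
from collections import defaultdict

# Constructed sample flow slices: (timestamp_seconds, source_ip, bytes_seen).
SAMPLE_FLOWS = [
    (0, "203.0.113.7", 12_000_000),
    (1, "203.0.113.7", 11_000_000),
    (0, "198.51.100.9", 150_000),
    (1, "198.51.100.9", 140_000),
    (0, "192.0.2.33", 9_000_000),
    (1, "192.0.2.33", 13_000_000),
]

# Constructed sample RDAP document for one source network (not a real registry
# record). Registries nest the abuse contact under the registrant entity, so the
# parser below walks entities recursively.
SAMPLE_RDAP = {
    "objectClassName": "ip network",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "name": "EXAMPLE-HOSTING",
    "entities": [
        {
            "handle": "EXH-ORG",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Hosting Ltd"],
            ]],
            "entities": [
                {
                    "handle": "EXH-ABUSE",
                    "roles": ["abuse"],
                    "vcardArray": ["vcard", [
                        ["version", {}, "text", "4.0"],
                        ["fn", {}, "text", "Example Hosting Abuse Desk"],
                        ["tel", {"type": ["voice"]}, "uri", "tel:+1-555-0100"],
                        ["email", {}, "text", "abuse@hosting.example"],
                    ]],
                }
            ],
        }
    ],
}


def rate_per_source(flows):
    """Average Mbit/s per source over the window the flow records span."""
    total_bytes = defaultdict(int)
    timestamps = set()
    for ts, src, nbytes in flows:
        total_bytes[src] += nbytes
        timestamps.add(ts)
    window_s = max(timestamps) - min(timestamps) + 1  # inclusive whole seconds
    return {src: b * 8 / 1e6 / window_s for src, b in total_bytes.items()}


def heavy_hitters(flows, threshold_mbps=80.0):
    """Sources at or above the threshold, heaviest first, as (ip, mbps) pairs."""
    rates = rate_per_source(flows)
    return sorted(
        ((ip, mbps) for ip, mbps in rates.items() if mbps >= threshold_mbps),
        key=lambda pair: pair[1],
        reverse=True,
    )


def _walk_entities(entities):
    """Yield every entity in an RDAP document, including nested ones."""
    for ent in entities or []:
        yield ent
        yield from _walk_entities(ent.get("entities"))


def abuse_contact(rdap_doc):
    """Name, e-mail and phone of the first entity carrying the 'abuse' role."""
    for ent in _walk_entities(rdap_doc.get("entities")):
        if "abuse" not in (r.lower() for r in ent.get("roles", [])):
            continue
        contact = {"handle": ent.get("handle"), "name": None, "email": None, "tel": None}
        # jCard: each property is [name, parameters, value-type, value].
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            key, _params, _vtype, value = prop[:4]
            if key == "fn":
                contact["name"] = value
            elif key == "email":
                contact["email"] = value
            elif key == "tel":
                contact["tel"] = value.removeprefix("tel:")
        return contact
    return None  # no abuse role published: fall back to the upstream provider


def report_queue(flows, rdap_lookup, threshold_mbps=80.0):
    """Heavy hitters paired with the network name and whom to contact."""
    queue = []
    for ip, mbps in heavy_hitters(flows, threshold_mbps):
        doc = rdap_lookup(ip)
        queue.append({
            "ip": ip,
            "mbps": round(mbps, 2),
            "network": doc.get("name"),
            "contact": abuse_contact(doc),
        })
    return queue


if __name__ == "__main__":
    # Offline run against the constructed sample; a live run would fetch the
    # RDAP record for each address and json-decode it before passing it in.
    for entry in report_queue(SAMPLE_FLOWS, lambda ip: SAMPLE_RDAP):
        print(entry)
```

The contact record gives the email for the written report and the phone number for the follow-up call; when no abuse role is published, or the contact is dead, the next step is the one the article describes, taking it to the transit provider one hop up, which this script does not look up (that comes from BGP routing data, not from the registry record).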

The basic point is that abuse reports do still work, and that it is better for everyone on the Internet to report all abuse and to pursue it until there is a result.  Even an irritating but harmless UDP stream from two Indonesian hosts should be reported.  Two is a nuisance, but two thousand is a f*cking problem and 2000 is merely a multiple of 2.

My experience for those who find it helpful.
