back to article Who needs foreign servers? Researchers say the USA is doing a fine job of harboring its own crimeware flingers

A collection of servers found in the US are responsible for some of the nation's biggest malware and phishing attacks. This according to a report from security company Bromium, which said just over a dozen servers are being used to spread 10 of the major malware and phishing campaigns spreading around the internet at the …

  1. Anonymous Coward
    Anonymous Coward

    This is not exactly news

    Even just monitoring the 404 logs of a small website will tell you that a substantial number of scripted attacks come from the US, so I'm not surprised.

    In addition, all it takes is someone hiring a web platform and using it as their private proxy, or use a VPN.

    I just wish I had a list of all hosting provider IP addresses (especially OVH), because I'd block them all. There are no genuine users to be found on hosted servers, so they will clearly not be an audience. Furthermore, in some 20 years of running websites, I have as yet to see a single visit from a Tor node that wasn't trying to breach the site, so you don't have to worry you exclude customers if you filter those out too.

    1. Alister Silver badge

      Re: This is not exactly news

      Yep, we routinely block all traffic from OVH and TOR IPs amongst others, there's very little legitimate traffic coming from them compared to the flood of intrusion attempts we see every day.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is not exactly news

        Agreed. very little legitimate traffic and 99% we've seen is from OVH, Idealhosting, China Mobile, Bunea the rest is thinly scattered.

      2. NonSSL-Login

        Re: This is not exactly news

        While I understand the reasons for blocking incoming datacentre traffic, it's quite annoying for VPN users but luckily only a few sites block by ASN or netblock. Saying that, I don't take down the VPN to access those few sites or create static routes so they just lose me as a visitor.

        Since the UK decided that every network connection will be logged for a year in the form of ICR's (Internet connection record) and that everyone and their dog (Scottish and Welsh ambulance service, local councils, food standards agency among others...) can access your viewing + whatever protocol usage, many now live behind a VPN to regain some sort of privacy from big brother. Now we have some admins punishing us for that.

        DRM and geofencing forced on media streaming providers means amazon now wont work if your IP resolves to a VPN provider name, despite the tv knowing it's proper location due to the tv signals its getting. Makes the service unusable so amazon loses a customer.

        Needs to be a better way to keep privacy without being blocked by overzealous blocking.

    2. Andrew Commons

      Re: This is not exactly news

      @AC

      The Centre for Applied Internet Data Analysis (caida) has a slightly dated list that might work for you.

      http://www.caida.org/data/as-classification/

      There are others and you can probably pay money for more current data.

    3. JimPoak

      Re: This is not exactly news

      As confirmation I was subedited to a mail attack from edu.us mail servers and tracked them down to vpn server in London. Then I too also blamed the Russians. Looks now that the Us extending the hands of friendship but I'd rather chop it off.

    4. Aitor 1 Silver badge

      Re: This is not exactly news

      OVH CAN be found out, and you can block them. I suggest you do it BTW, and block their ranges, among many others.

      1. doublelayer Silver badge

        Re: This is not exactly news

        Blocking Tor and providers of hosting services or VPS simply breaks your service for people trying to use those services for security or privacy reasons. For example, I have a VPN endpoint which goes to a provider of VPS services. I'm sure that there are malicious people renting space there as well, and I'm also sure that they would be taken down if they could be identified, because it has happened before. If you block my connection into your system, you will lose me as a customer. I need the VPN's services at various points. How would you suggest that I get a VPN operating that your oversimplified security policy won't block?

        1. Frozit

          Re: This is not exactly news

          The usage of TOR or VPS services from within my corporate network would be cause for termination.

        2. Alister Silver badge

          Re: This is not exactly news

          The overwhelming majority of traffic that we see from TOR exit nodes is malicious, and I wouldn't be doing my job properly if I just let it continue to fill up the logs, just on the off-chance that there might be the occasional legitimate user, so we block them.

          We don't, yet, block most VPS endpoints, but that's because the malicious traffic is quite low from them. If it increased to silly levels, I'd block them too.

          Don't misunderstand: we don't deliberately go and get a list of TOR exit nodes and pre-emptively block them all at once, but we run fail2ban, and other commercial IDP products, and we just regularly review the lists of blocked IPs, but it soon becomes apparent that a lot of them are TOR nodes.

          1. doublelayer Silver badge

            Re: This is not exactly news

            "The usage of TOR or VPS services from within my corporate network would be cause for termination."

            Inside a corporate network is where you don't need them. The corporate has the resources to create VPNs for the users that are not on the network, and there is no need for user privacy on corporate machines. If you read the posts that I replied to, they are discussing blocking access to public-facing services from large ranges of addresses because a hosting provider, which usually includes a VPS provider, is using them. Not because there is any active traffic coming from the entire range, but just because it could.

            They are not asking to do it properly, like another poster here suggested: "run fail2ban, and other commercial IDP products, and we just regularly review the lists of blocked IPs". They are suggesting that they simply obtain all the ranges that someone can buy and block them. I would like them to know that there is a reason for legitimate traffic to come from those, and also that if this is their cunning plan to quash security threats, it will be ineffective because an attack can come from any set of IPs.

            In practice, I care a lot less about blocking Tor than I do about blocking VPS systems. Tor is rarely used by legitimate users to access the standard internet except to circumvent censorship, and we can ensure that whatever systems are being accessed in that realm know not to block it. However, I don't want my traffic or system to be considered suspect just because I don't have my own IP address range.

    5. sitta_europea Bronze badge

      Re: This is not exactly news

      "I just wish I had a list of all hosting provider IP addresses (especially OVH), because I'd block them all."

      You can just use the ASN. I do.

      AS16276.

    6. Anonymous Coward
      Anonymous Coward

      Re: This is not exactly news

      Totally agree on all VPS hosting ranges, but Tor Exit nodes I tend to still leave open.

      Sure they do tend to the malicious end of the usage spectrum, but to me it's more of a principle to maintain availability via Tor.

      I've been in situations before where Tor is the only good option to do something, but am fundamentally unable to, due widesweeping blocks like that. Wasn't a happy camper, so I try to pay it forward.

  2. chivo243 Silver badge
    Facepalm

    security company Bromium

    Brahmuim, say it with me Brah...

    1. Roland6 Silver badge
      Pint

      Re: security company Bromium

      >Brahmuim, say it with me Brah...

      Okay Bro or is that Bra?

  3. Anonymous Coward
    Anonymous Coward

    Lots of foreign people host their stuff on Amazon and Azure in the US.

  4. Olivier2553 Silver badge

    It's always good to blame it on foreigners

    You save money: you cannot trial them so you do not have to worry about the huge expenses of conducting an investigation, a trial and maintaining jails for the wrongdoers.

    It is good politics to be able to name and shame an enemy.

    You can reinforce the idea of fear, see all those threats coming from outside, lets build a wall.

  5. imanidiot Silver badge
    Joke

    But.. but... bu.... The RUSSIANS!

    Lies, all fake news. It's all done by the Russians in a plot to overthrow the US government!

    1. Version 1.0 Silver badge

      Re: But.. but... bu.... The RUSSIANS!

      "The Rushings are inohcent - it's all fake mail from Hillery's server, lock me^H^Hher up @ The real Donald Trump"

  6. Anonymous Coward
    Anonymous Coward

    Off the top of my head...

    Cloudfront

    Namecheap

    GoogleUserContent

    PerfectPrivacy

    and yes, I have been seing more and more crap from "OVH" recently as others have mentioned.

    Ususually in obfuscated hex format on hijacked sites.

    (But they are served from France so not really part of this article)

    Not sure why this "research" doesn't name and shame?

    (Please add to this list)

    1. Anonymous Coward
      Anonymous Coward

      Re: Off the top of my head...

      I just had 3 hits in my 404s probing non-exiting links directly from an IP block allocated for Google.

      I think it's time to have a word with them. They don't have permission to do so, so WTF?

  7. Anonymous Coward
    Anonymous Coward

    Simple fact...

    Cybercriminals like to be near their victims. If your biggest market is in the US, why not host there? The fact that they have all this nice infrastructure to use means that it's really beneficial for them.

  8. Mark 85 Silver badge

    So apparently the servers are still up an running then? No mention of the datacenter being notified or law enforcement.

    1. sitta_europea Bronze badge

      @Mark 85

      "So apparently the servers are still up an running then? No mention of the datacenter being notified or law enforcement."

      And no mention of the provider's name?

      Shame on you, Register. They cannot possibly be ignorant of the abuse.

  9. mhenriday
    Thumb Down

    Unfair and beyond the pale !

    This article seems to suggest that the responsibility for all the disasters which have struck the United States may be due to forces in that country. But all we who read the newspapers know that, e g, it was those dastardly Russians who placed Mr Trump in the Oval Office, and those nefarious Chinese who have de-industrialised the United States ; the good people running that country had nothing whatever to do with it....

    Henri

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019