Hackers making users look like cybercriminals: dev gets bombarded with abuse complaints


Late at night, your mailbox starts filling with alerts about a potential security issue – your server seems to be connecting to various machines on the internet and you need to resolve “any potential issues” fast. But there are no issues – your IP is spoofed by an external attacker with unclear motives.

That's what happened to Pierre Bourdon, an open-source developer and infosec enthusiast better known as ‘delroth.’

A scary email from the hosting provider made him think his server had been compromised. The server appeared to be “suddenly deciding to start sending SSH (port 22) connections to the wider internet.”


“This is usually a pretty strong indicator of malware compromise, and I had to act quickly if that was the case,” delroth writes in his blog.

He spent “an hour or two” and found no evidence of anything out of the ordinary. “No odd process, no filesystem modifications, no odd network traffic.” There were no connections to port 22 coming out of the server.

Finally, he discovered traffic originating from other servers to his machine – multiple servers were sending it TCP reset (RST) packets, replies to connections his server had never opened.

These aren't normal connection attempts. Delroth’s server never made these – someone spoofed his IP address. It could be compared to receiving return-to-sender letters you never sent.
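The distinction matters when answering an abuse report: a genuine scanner would show outbound SYNs in its own traffic, while a spoofing victim sees only the replies. The script below is an added example, not delroth's code; it reads a constructed, simplified flow log (one packet per line: direction, source, destination, TCP flags) and flags inbound RST/SYN-ACK packets from port 22 that match no SYN the server ever sent. The log format, the server address `192.0.2.10` and the sample hosts are all assumptions.

```python
"""Separate backscatter from spoofed SYNs from replies to real connections.
Constructed flow-log format: "<in|out> <src_ip>:<src_port> <dst_ip>:<dst_port> <flags>".
"""
from collections import Counter

MY_IP = "192.0.2.10"  # constructed: the server being blamed for 'scanning'

# Constructed sample: one legitimate SSH session, then replies to SYNs we never sent.
SAMPLE_LOG = """\
out 192.0.2.10:51000 198.51.100.7:22 S
in 198.51.100.7:22 192.0.2.10:51000 SA
out 192.0.2.10:51000 198.51.100.7:22 A
in 203.0.113.5:22 192.0.2.10:41234 R
in 203.0.113.9:22 192.0.2.10:41235 R
in 203.0.113.44:22 192.0.2.10:41236 SA
in 198.51.100.200:22 192.0.2.10:41237 R
"""

def parse(log):
    """Yield (direction, src_ip, src_port, dst_ip, dst_port, flags) per line."""
    for line in log.splitlines():
        direction, src, dst, flags = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield direction, sip, int(sport), dip, int(dport), flags

def classify(log, my_ip=MY_IP):
    """Return (unsolicited_replies, distinct_remote_hosts, solicited_replies)."""
    sent_syns = set()        # (remote_ip, remote_port, our_port) for SYNs we sent
    unsolicited = Counter()  # remote_ip -> RST/SYN-ACKs with no matching outbound SYN
    solicited = 0
    for direction, sip, sport, dip, dport, flags in parse(log):
        if direction == "out" and sip == my_ip and flags == "S":
            sent_syns.add((dip, dport, sport))
        elif direction == "in" and dip == my_ip and flags in ("R", "RA", "SA"):
            # A RST or SYN-ACK is only explainable if we sent the matching SYN.
            if (sip, sport, dport) in sent_syns:
                solicited += 1
            else:
                unsolicited[sip] += 1
    return sum(unsolicited.values()), len(unsolicited), solicited

def looks_like_spoofed_backscatter(log, my_ip=MY_IP, min_hosts=3):
    """Many distinct hosts answering SYNs we never sent points to a spoofed source."""
    unsolicited, hosts, _ = classify(log, my_ip)
    return unsolicited > 0 and hosts >= min_hosts
```

On the sample log the legitimate session is matched to its SYN, while the four port-22 replies from hosts the server never contacted are counted as backscatter; a run over a real capture would need the same check against the server's own outbound SYNs.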

“Turns out, it’s pretty trivial to send packets to various destinations on the internet with a fake source IP address.”

Delroth warns that with a large enough volume, the spoofed IP address can quickly become widely blacklisted by many internet entities. The hosting provider can take action due to many abuse reports and even shut down the ‘compromised’ or ‘malicious’ server.

“While ingenious, nothing in there seems particularly difficult to do for a single motivated attacker. You, too, can probably make your friend’s hosting provider (with their consent, of course) shut down their server and cancel their hosting contract by getting them flooded with well-meaning but confused abuse complaints,” delroth writes.

The developer went into detail, explaining how an IP address can be spoofed on the internet. ISPs should filter spoofed packets and adhere to Best Current Practice (BCP) 38, published in 2000, but some don't. Spoofed packets can only be filtered close to their origin, where the network still knows which source addresses are legitimate; further along the route, a router cannot tell a forged source address from a real one.


“If you just find one transit provider which doesn’t do BCP38 filtering… you can send IP packets tagged with any source IP you want!”

A malicious attacker can exploit this by sending TCP connection requests to port 22 on many random internet machines or even deliberately selecting known honeypots to flood the target with automated abuse complaints.

What could be the motive?

The targeted server was running a Tor relay node, and delroth speculates that this may be the reason why his server was targeted.

“Tor has one peculiarity: there are actors on the internet that don’t like it,” delroth said. “Said people range from ‘individual hacktivists’ to ‘police forces’ to ‘government agencies,’ with various levels of sophistication and differing techniques.”

The researcher checked his other relay nodes in different countries, and he found the “same spoofed TCP SYN pattern.”

“Could someone be deliberately trying to induce abuse complaints on Tor network participants to take down parts of the network (or disincentivize running internal nodes, which are key for the network’s health)?”

It makes little sense to probe servers with someone else’s IP, as the attacker will not get the responses. Other traits of the attack were odd too: the traffic volume seemed “too low” while the duration “of the weirdness too long.”

The researcher also discovered that some servers had already been taken down following abuse complaints about port scanning.


The old unsolved problem

According to a discussion on the Hacker News forum, spoofing IP addresses has remained a problem for decades.

“This type of issue can be incredibly annoying to deal with because the legitimate answer to the abuse report (‘someone is spoofing my IP, it isn't me, and the machine is not compromised’) is the exact same excuse that a malicious actor would provide,” one user commented.

“Same with spoofed MAC addresses, email addresses, ARP messages, Neighbor Discovery, MitM TLS certificates,” another user added.

Some developers acknowledged that IP spoofing is a common problem and that they often receive TCP packets apparently from popular services, such as Steam, Roblox, or Facebook. Some attackers exploit it to hide their identity when launching DDoS attacks, since tracing the packets back to their true source becomes very hard: it requires coordination between different network providers along the path.