I get a ton of ssh attacks, port scans, voip attacks, etc, from other Digital Ocean IPs. Some even originate from the same /24s that I am on. Is it worth trying to report them?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×I have sent you dozens of reports from you and it has been 100% useless.
I receive daily several spam messages from Digitalocean IPs.
Their spam contains the link UNSUBSCRIBED but clicking it causes more spam mail.
Filtering is almost impossible due to several IP addresses.
Also today I received three spam Norwegian, that is language what I don’t understand..
In addition, two spam in Finnish.
It also amazes you that you are a sponsor of abuseipdb.com
I have been reported there hundreds of spam emails.
I have service through mxguarddog.com but their trap does not filter all of them..
I can’t send them a header of spam because my server prevents spamming.
Should I have an email account on your server so I can send a spam email header to mxguearddog.com? Because you allow sending of spam…
The thing is that DigitalOcean don’t care at all about spam etc.
I’m really annoyed..
Edit:
Now I have send 6 pieces of spams headers trough following link https://www.digitalocean.com/company/contact/#abuse
-Pete
Hey friend!
I can answer that question well, and I can also leverage common outside perspective on the issue. We take abuse reports very seriously, and we have humans reviewing every single one of them. We take a heavy hand to intentional abuse, and a firm but forgiving hand to unintentional abuse (compromised servers from legitimate customers performing outbound attacks, for example).
With that said, many people do feel that we do not take abuse reports seriously, and I want to get ahead of that by outlining some of the reasons:
The reasons for these are not easily seen from the outside. Customer privacy, for example, would prevent us from sharing our communications with the customer about what they’ve done to prevent outbound abuse from a server that was not intentionally created to do that (but had been compromised due to vulnerable software). Shutting down abuse can also be a complex task, often involving more than one account or user, and sometimes we need multiple reports to identify the common variables of a trend. Finally, we do look out for our customers and try to give them the benefit of the doubt when we are able to do so, which means that we will not let an abuse complaint be used as an avenue for shutting down a customer simply because someone wanted them to be shut down. We review each case and make a decision based on it’s individual context.
I hope that helps to explain our take on abuse complaints. Please do send them in here:
https://www.digitalocean.com/company/contact/#abuse
Kind Regards,
Jarland
I don’t think “privacy” is a valid reason to not reply to customers and/or people being attacked by your network. I understand your team must get a lot of reports, but considering the alternative(blocking your ASN/network) it’s pretty damn rude.
You say that you do not reply back or anything like that, but after you put in an abuse report you reply with this:
Thank you! Someone from our team will followup with you shortly.
pffftttt-Thank you for your submission. A member of the Security Operations Center team will review the details as soon as possible. If appropriate, the information will be forwarded to the associated customer in its entirety.
As we are an unmanaged cloud hosting provider, we do not create, administer, or have direct access to our customers’ Droplets. This means that we cannot make direct changes to any programs or websites hosted there.
Additionally, our internal policies do not allow us to share information about the customer with third parties without a signed US court order compelling us to do so.
Regards,
Security Operations Center
DigitalOcean Support
It happens and it will keep happening because DO is used by a lot of people and a big part of them use the vms for tests and as such don’t care all that much about security(more about convenience ie they are using password authentication, ssh on port 22 and simple passwords like let’s say the ip’s hostname+the year the vm was created) or they simply aren’t aware(yet) of the steps they need to take to secure a VM. An attacker then will scan for these well'known vulnerabilities and ofc because DO has so many customers and thousands of VMs are created and recreated daily, the attacker will get access to multiple VMs on a daily basis. Even if you record the same/a different attack from the ip you already reported, all it means is that the ip now belongs to another customer that failed to properly secure the VM.
Question
I get all kinds of abuse from digital ocean and do sometimes get an automated reply like “a staff member has reviewed the report”. However, its clear 99% of the time digital ocean does nothing. Let me give you an example:
A few days ago I reported 104.131.45.150 for SSH abuse and got an email back saying staff had reviewed the report. I was quite pleased with that, but then I checked the IP on AbuseIPDB and noticed that the IP was still actively hacking.