Discover useful tips on how to mitigate IP address abuse if you are a hosting company, ISP or email marketing service provider.
Tips for hosting providers and ISPs
Internet service providers (ISPs) and hosting companies are at a higher risk of facing various types of IP address abuse, including DDoS, SQL injection, DNS amplification and DNS spoofing/poisoning attacks, or fraudulent automatic sign-ups.
DDoS attacks and SQL injection
DDoS attacks, SQL injection and similar threats can cause serious headaches for hosting providers. How to mitigate this? We suggest not only monitoring your entire infrastructure but also employing cloud-based tools, such as web application firewalls (WAF) and DDoS protection/mitigation services, to shield networks and infrastructure from malicious traffic.
Some of the notable vendors of WAF solutions include Cloudflare/AWS, Barracuda, Imperva, Akamai and Fortinet.
DNS amplification and DNS spoofing/poisoning attacks
Another potential risk vector regarding IP address abuse is DNS amplification and DNS spoofing/poisoning attacks. Fortunately, mitigation is possible, and the simplest thing you can do is limit the IP addresses for which your server performs recursive DNS lookups.
Some providers may also consider disabling RPCbind services, since portmappers have been known to be used in DDoS attacks as well.
SSH abuse
For hosting providers, SSH services are another risk vector that must be covered, both to prevent abuse of the provider's own services and to stop malicious activity from spilling over to the wider internet community. For SSH to work, the SSH daemon must be exposed online. Unfortunately, that can attract bots and bad actors knocking on your server's door with repeated brute-force attacks.
Fail2ban is an open-source tool that hosting companies often use to mitigate this risk.
Fraudulent automatic sign-ups
Fraudulent automatic sign-ups can also affect hosting providers. This means that auto-generated sign-ups with the use of scripts and bots can introduce bad actors to your service and enable them to generate phishing websites and host illegal material (e.g., CSAM, unlicensed copyrighted artworks, malware) to exploit regular internet users.
We recommend using these Spamhaus guidelines to learn how to battle fraudulent sign-ups.
We also highly recommend subscribing to third-party threat intelligence feeds (either free or paid, or both) to stay on top of threats and issues as soon as they emerge. Also, it is a good idea to subscribe to spam intelligence feeds such as Spamcop, SNDS, and other FBL reports.
Tips for email marketing service providers
If your service or clients are sending mail, be sure to properly warm up IP addresses before launching marketing campaigns. Alternatively, opt for using reliable email marketing tools such as Sendgrid or Mailchimp. Also, always follow the M3AAWG and Spamhaus guidelines for good mailing practices.
It is also crucial to monitor your infrastructure for malicious email traffic (e.g., spam, phishing/fraud emails) and implement the best practices of SPF, DKIM and DMARC configuration.
Additionally, get in the habit of periodically scanning rDNS/PTR records for suspicious configurations. These include the use of cheap auto-generated domain names and non-matching forward/reverse DNS.
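As an added example (not IPXO's own tooling), the following script performs the periodic rDNS/PTR audit described above over an address block: it flags hosts with no PTR, PTR names that look auto-generated, and forward/reverse mismatches (failed forward-confirmed reverse DNS). The resolver functions are passed in, so the checks can run against the live system resolver or against a constructed lookup table; the regex for "auto-generated" names is an assumed heuristic you should tune to your own zones.

```python
import ipaddress
import re
import socket

# Heuristic (an assumption): the first label is just the address itself, written
# dotted, dashed or as 8 hex digits, the usual shape of cheap auto-generated PTRs.
_GENERIC = re.compile(r"^(?:\d{1,3}[-.]){3}\d{1,3}(?:[.-]|$)|^[0-9a-f]{8}\.", re.I)


def looks_auto_generated(name: str) -> bool:
    return bool(_GENERIC.match(name))


def audit_ip(ip, ptr, fwd):
    """Findings for one address. ptr(ip) returns its PTR names, fwd(name) the
    forward addresses of a hostname. An empty list means the address passed."""
    names = ptr(ip)
    if not names:
        return ["no-ptr"]
    findings = []
    for name in names:
        name = name.rstrip(".")
        if looks_auto_generated(name):
            findings.append(f"generic-ptr:{name}")
        if ip not in fwd(name):  # forward-confirmed reverse DNS (FCrDNS) failed
            findings.append(f"fcrdns-mismatch:{name}")
    return findings


def audit_network(cidr, ptr, fwd):
    """Audit every host in the prefix; only flagged addresses are returned."""
    report = {}
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        findings = audit_ip(str(host), ptr, fwd)
        if findings:
            report[str(host)] = findings
    return report


# Live IPv4 resolvers via the system stub resolver, for a real run such as
# audit_network("192.0.2.0/24", live_ptr, live_fwd).
def live_ptr(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def live_fwd(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []
```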
Overall, to reduce the chances of bad actors/spammers settling down within your service, vigilance is crucial. Spammers often rotate IP ranges and mailing/marketing providers. So, make sure you observe and verify your client base using fine-tuned KYC processes. Also, use Spamhaus’ ROKSO list and set strict Terms of Service and Acceptable Use Policies in place. Finally, subscribe to Spamcop, SNDS and other FBL reports.
If you suspect IP address abuse, or if you need more thorough guidance and support in improving your security profile, please reach out via IPXO Helpdesk. We offer services to help customers assess their risk areas and minimize abuse incidents.