Attacking without a large channel: how cybercriminals operate

Started by john45, Sep 02, 2022, 04:43 AM


john45 (Topic starter)

The attacker manipulates the source IP address to make it appear as if your server is engaging in malicious activity, triggering third-party intrusion detection systems to generate complaints against your server.
The victim's server is not directly attacked; rather, the attacker uses your server to generate traffic resembling a DDoS attack. As a result, the hosting provider may perceive your server as being engaged in malicious activity, potentially resulting in a ban. This was the case for one user who received a letter claiming that their server was participating in a SYN flood, although no evidence of such an attack was found on the server.

The user eventually discovered that the attacker was sending RST packets from various servers, making it appear as if the user's server was initiating connections with these servers. Only fake requests generated by the attacker reached the victim's server.

DNS amplification attacks are commonly used to exhaust a server's channel by sending small requests that result in large, unwanted responses. However, in the case of the author, the attacker's goal was not to exhaust the victim's server channel, but rather to provoke automatic notification systems regarding network attacks. The attacker knew which servers had Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) and sent the minimum number of packets required to trigger an automatic complaint to the abuse address of the provider's subnet specified on whois. The attack did not require a large channel, making it difficult to detect.

The only difficulty for attackers is finding a server that allows spoofing of outgoing IP addresses in packets. Most reputable hosting providers block such packets, leaving cybercriminals with two options: poorly configured servers or hosting services designed for cybercrime. To check if their hosting provider allows for changing outgoing IPs, users can use two servers - one for receiving and one for sending traffic.

After receiving complaints from legitimate companies, the author detailed everything to the hoster, explaining that their IP address was being spoofed and that incoming connections were only in SYN_RECV state because the attacker could send only one packet using a spoofed IP, preventing the TCP handshake. Despite the evidence provided, the technical support team demanded that the author check their server with an antivirus or reinstall the operating system before banning them a day later.
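The evidence the original poster had to assemble for the hoster can be produced from a packet capture of the server's own traffic. The script below is an added example and not code from the forum post or from any of its participants: it takes tcpdump-style lines (the sample capture, the server address 198.51.100.5 and all remote hosts are constructed values) and separates three things the support team should see side by side: handshakes the server really opened, SYN+ACK/RST replies from hosts it never contacted (backscatter from SYNs sent elsewhere with the server's address as spoofed source), and inbound SYNs that never progressed past SYN_RECV.

```python
import re
from collections import Counter

# Assumed address of the server that received the abuse complaints (constructed value).
OUR_IP = "198.51.100.5"

# Constructed sample capture in tcpdump-like notation, not taken from the forum thread.
# Flags: [S] = SYN, [S.] = SYN+ACK, [.] = ACK, [R] / [R.] = RST / RST+ACK.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 198.51.100.5.40001 > 203.0.113.10.443: Flags [S]
10:00:01.020 IP 203.0.113.10.443 > 198.51.100.5.40001: Flags [S.]
10:00:01.021 IP 198.51.100.5.40001 > 203.0.113.10.443: Flags [.]
10:00:02.000 IP 203.0.113.20.22 > 198.51.100.5.51000: Flags [S.]
10:00:02.001 IP 198.51.100.5.51000 > 203.0.113.20.22: Flags [R]
10:00:02.500 IP 203.0.113.21.22 > 198.51.100.5.51001: Flags [R.]
10:00:03.000 IP 203.0.113.22.22 > 198.51.100.5.51002: Flags [S.]
10:00:03.001 IP 198.51.100.5.51002 > 203.0.113.22.22: Flags [R]
10:00:04.000 IP 192.0.2.77.6000 > 198.51.100.5.80: Flags [S]
10:00:04.001 IP 198.51.100.5.80 > 192.0.2.77.6000: Flags [S.]
10:00:05.000 IP 192.0.2.78.6001 > 198.51.100.5.80: Flags [S]
10:00:05.001 IP 198.51.100.5.80 > 192.0.2.78.6001: Flags [S.]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def analyse_capture(text, our_ip=OUR_IP):
    """Separate our own handshakes from replies we never solicited.

    A SYN+ACK or RST arriving for a local port that never sent a SYN is
    backscatter: a remote host answered a SYN that carried our address as its
    (spoofed) source. Inbound SYNs that never progress to an ACK are the
    half-open (SYN_RECV) connections a provider's scanner reports.
    """
    outbound_syns = set()      # (our_port, remote_ip, remote_port) we really opened
    backscatter = Counter()    # remote_ip -> unsolicited SYN+ACK / RST count
    half_open = set()          # (remote_ip, remote_port, our_port): inbound SYN, no ACK yet
    legitimate_replies = 0
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        syn, ack, rst = "S" in flags, "." in flags, "R" in flags
        if src == our_ip:
            if syn and not ack:
                outbound_syns.add((sport, dst, dport))
            continue  # our own SYN+ACKs, ACKs and RSTs need no further tracking
        if dst != our_ip:
            continue
        if (syn and ack) or rst:
            if (dport, src, sport) in outbound_syns:
                legitimate_replies += 1
            else:
                backscatter[src] += 1
        elif syn:
            half_open.add((src, sport, dport))
        elif ack:
            half_open.discard((src, sport, dport))  # handshake completed
    return {
        "outbound_syns": len(outbound_syns),
        "legitimate_replies": legitimate_replies,
        "backscatter_sources": dict(backscatter),
        "half_open_inbound": len(half_open),
    }


def is_spoofing_victim(report, min_sources=3):
    """Heuristic for the evidence pack: many distinct hosts answer connections we never
    opened while our own outbound SYN count stays small."""
    sources = len(report["backscatter_sources"])
    return sources >= min_sources and report["outbound_syns"] <= sources


if __name__ == "__main__":
    report = analyse_capture(SAMPLE_CAPTURE)
    print(report)
    print("spoofing victim:", is_spoofing_victim(report))
```

The backscatter list is the useful part of the report: each remote host in it received a SYN that named the server as source, and the capture proves the server never sent it. The threshold in `is_spoofing_victim` is an assumed starting point and should be tuned to the server's normal outbound connection rate.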

keiron

The topic raises concerns about hosting providers being misled by fake complaints through letters rather than fake packets reaching the target server. It is frustrating that these fake complaints are so easy to provoke and may result in a user being banned. While the issue of IP spoofing responsibility is not under discussion, it can lead to compensation payments if automation tools lead to wrong conclusions and violate service agreements.

In essence, hosting providers need to find a way to distinguish between genuine and fake complaints, or risk violating their own service agreements by disconnecting users without substance. Furthermore, the issue of IP spoofing is a growing concern and should be addressed to better protect both legitimate users and providers.

Davidadams

The author experienced a similar situation where competitors found out about their project and launched a spam mailing list that mentioned the domain name and substituted it in the "from" address. Due to this, mail servers marked their mails as spam even before the project launch, forcing them to change the name. To prevent such situations, configuring SPF, DKIM, and DMARC records in DNS immediately after registering the domain name is necessary.

It could also be possible that competitors were not behind the spam. Instead, someone's spam bot may have found the domain suitable and used it for spamming. This emphasizes the importance of protecting domain names and taking necessary measures to safeguard digital assets from various types of cyber attacks.
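The SPF, DKIM and DMARC advice above is easy to get half right: a record that exists but ends in `+all` or carries `p=none` still lets anyone put the domain in the "from" address. The following audit is an added example, not code from the post or its author. It works offline against a dictionary standing in for DNS TXT lookups (the domain `example.test`, the records and the DKIM selector are constructed values) and reports the weak settings of a typical fresh domain beside a hardened configuration.

```python
import re

# Constructed records standing in for DNS TXT lookups; not from the thread or any real domain.
# The weak set is what a domain often has shortly after registration.
WEAK_RECORDS = {
    "example.test": ["v=spf1 +all"],        # every host on the Internet may send as this domain
}
# The hardened set: explicit senders, hard fail, reject policy, strict alignment, a DKIM key.
HARDENED_RECORDS = {
    "example.test": ["v=spf1 mx ip4:198.51.100.5 -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"],
    "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY_BASE64"],
}


def lookup_txt(name, records):
    """Offline stand-in for a DNS TXT query: `records` maps owner names to TXT strings."""
    return records.get(name.lower(), [])


def parse_spf(txt):
    """Return the terms of a 'v=spf1' record, or None if the string is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def spf_all_qualifier(terms):
    """Qualifier on the 'all' mechanism: '-' (fail), '~' (softfail), '?' (neutral),
    '+' (pass, the default when no qualifier is written); None if 'all' is absent."""
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(txt):
    """Return DMARC tag/value pairs, or None if the string is not a 'v=DMARC1' record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def audit_domain(domain, records):
    """List the settings that let a third party send mail 'from' the domain unchallenged."""
    findings = []
    spf = [t for r in lookup_txt(domain, records) if (t := parse_spf(r)) is not None]
    if not spf:
        findings.append("SPF_MISSING")
    elif len(spf) > 1:
        findings.append("SPF_MULTIPLE_RECORDS")    # receivers treat this as a permanent error
    else:
        qualifier = spf_all_qualifier(spf[0])
        if qualifier is None:
            findings.append("SPF_NO_ALL")
        elif qualifier in ("+", "?"):
            findings.append("SPF_ALL_PERMISSIVE")
        elif qualifier == "~":
            findings.append("SPF_ALL_SOFTFAIL")
    dmarc = [d for r in lookup_txt("_dmarc." + domain, records) if (d := parse_dmarc(r)) is not None]
    if not dmarc:
        findings.append("DMARC_MISSING")
    else:
        if dmarc[0].get("p", "none").lower() == "none":
            findings.append("DMARC_POLICY_NONE")    # monitor only, forged mail still delivered
        if "rua" not in dmarc[0]:
            findings.append("DMARC_NO_REPORTING")   # no way to learn who is spoofing you
    if not any(name.endswith("._domainkey." + domain) for name in records):
        findings.append("DKIM_MISSING")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_domain("example.test", WEAK_RECORDS))
    print("hardened:", audit_domain("example.test", HARDENED_RECORDS))
```

For a domain that sends no mail at all yet, which is the situation described in the post, the SPF record can simply be `v=spf1 -all` with a DMARC record of `p=reject`; the audit then reports only `DKIM_MISSING`, which is acceptable until the first sending system exists. To run it against live DNS, replace `lookup_txt` with a real TXT query, keeping the `_dmarc.` and `._domainkey.` owner-name conventions.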

EOJeffrey

The use of IP address spoofing and manipulation of RST packets to create a false impression of connections being initiated from the user's server is a clear example of how attackers exploit vulnerabilities in network protocols.

From the perspective of the hosting provider, it is crucial to implement robust intrusion detection and prevention systems to detect and mitigate such attacks. Additionally, monitoring for unusual patterns of traffic and understanding the behavior of legitimate connections can help in identifying and mitigating IP address spoofing attempts.

Furthermore, in this case, it is vital for the hosting provider's technical support team to have a deep understanding of network security and attack patterns. Rather than immediately resorting to banning the user's server, it is important for the technical support team to conduct a thorough investigation, collaborate with the user to understand the nature of the attack, and provide guidance on mitigating such threats.

For users, maintaining open communication with their hosting provider is crucial, and they should be proactive in implementing security measures such as regularly updating their server's configurations and monitoring for any suspicious activities. Additionally, users should be aware of the potential risks associated with IP address spoofing and be prepared to provide detailed evidence to their hosting provider in case of such attacks.

The battle against sophisticated network attacks, such as IP address spoofing, requires a collaborative effort between hosting providers and their users. It is essential for hosting providers to continuously update their security protocols, educate their clients about the potential risks, and work closely with them to ensure the safety and integrity of their servers.