top | item 47026918

(no title)

jwkerr | 15 days ago

This is very interesting to me, would most of these bots be running on servers that have already been compromised? If that's the case, is the Netherlands/Digital Ocean the most common combo as it's what most normal people use, or is there some other reason bots favour it?

discuss

djkurlander|15 days ago

Many/most of these are servers that have been compromised. DigitalOcean is certainly one of the biggest ISPs/providers; however, I’m betting that if you looked at ratio of knocks per ASN IPs registered, DigitalOcean would still be at the top. I’ll look into that.

Providers can shut down abusive IPs. I run a script every night to report attacks to abuseIPDB.com (included in the extras folder on the knock-knock GitHub repository). Some providers just don’t care.

6031769|15 days ago

> Some providers just don’t care.

And they should be shunned by everyone. We should all be naming and shaming such providers and those of us with any conscience at all will avoid using them. This is the only way to stop the tsunami of bad actors.

uyzstvqs|15 days ago

Is this hosted on DigitalOcean, say in The Netherlands? Could it be that spam traffic within the same datacenter bypasses their detection?