
'German Wikipedia Broken Weblinks Bot' is ill-behaved and in danger of getting all of Labs blacklisted
Closed, Resolved · Public

Description

I'm getting abuse reports from bitninja

https://bitninja.io/incidentReport.php?details=91e8f63378053f36c6&utm_source=incident_report&utm_medium=e-mail&utm_campaign=Incident%20report

When I wrote to protest, they responded:

Date: 2016-05-26 09:00:45
Attacker ip: 208.80.155.255

tcp 0 0 212.1.215.234:80 208.80.155.255:53738 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53779 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53800 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53764 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53795 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53823 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53750 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53811 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53832 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53830 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53799 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53753 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53831 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53807 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53816 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53826 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53809 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53748 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53815 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53824 ESTABLISHED
[... 90 more lines]

Event Timeline

Andrew created this task.Jun 2 2016, 2:22 PM
Restricted Application added subscribers: Zppix, Aklapper. Jun 2 2016, 2:22 PM
Reedy added a subscriber: Reedy.Jun 2 2016, 2:29 PM

Um. If they're connecting on port 80, how is that running a port scanner?

Looking at the links, it's just "German Wikipedia Broken Weblinks Bot" making a LOT of requests
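The distinction Reedy draws above is worth making mechanical: in the netstat excerpt the fixed port (80) is on the *local* side of the reporting host and the varying ports (53738, 53779, ...) are the *remote* side, i.e. ephemeral source ports of one client opening many HTTP connections. A port scanner shows the opposite pattern: one remote IP touching many distinct local ports. The following is an added example written for this page, not code from the task, from Wikimedia Labs or from BitNinja; it parses netstat-style lines of the format quoted in the description and classifies each remote IP by which side is varying. The sample input is constructed for the example (the 208.80.155.255 lines mirror the quoted report; the 198.51.100.7 lines, which use a documentation address, are made up to show what a real scan would look like), and the threshold of five distinct local ports is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the netstat excerpt quoted in the task:
# proto recv-q send-q local:port remote:port state.
# The 208.80.155.255 lines mirror the report; the 198.51.100.7 lines are
# invented (RFC 5737 documentation range) to show a genuine port sweep.
NETSTAT_SAMPLE = """\
tcp 0 0 212.1.215.234:80 208.80.155.255:53738 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53779 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53800 ESTABLISHED
tcp 0 0 212.1.215.234:443 208.80.155.255:53764 ESTABLISHED
tcp 0 0 212.1.215.234:22 198.51.100.7:41001 SYN_RECV
tcp 0 0 212.1.215.234:23 198.51.100.7:41002 SYN_RECV
tcp 0 0 212.1.215.234:25 198.51.100.7:41003 SYN_RECV
tcp 0 0 212.1.215.234:80 198.51.100.7:41004 SYN_RECV
tcp 0 0 212.1.215.234:110 198.51.100.7:41005 SYN_RECV
tcp 0 0 212.1.215.234:143 198.51.100.7:41006 SYN_RECV
"""

LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)$"
)

# Assumed cut-off: a remote IP touching this many distinct local ports is
# treated as scanning. Tune to taste; it is not a figure from the report.
SCAN_THRESHOLD = 5


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per line.

    Lines that do not match the expected layout are skipped rather than
    raising, so a pasted excerpt with headers or '... N more lines' survives.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["laddr"], int(m["lport"]), m["raddr"], int(m["rport"]), m["state"])


def summarize_by_remote(text):
    """Per remote IP, collect the local (service) ports it reached and the
    remote (source) ports it used. Which of the two sets grows tells you
    whether you are looking at a scanner or a busy client."""
    local_ports = defaultdict(set)
    remote_ports = defaultdict(set)
    for _, lport, raddr, rport, _ in parse_netstat(text):
        local_ports[raddr].add(lport)
        remote_ports[raddr].add(rport)
    return {ip: (local_ports[ip], remote_ports[ip]) for ip in local_ports}


def classify(text, scan_threshold=SCAN_THRESHOLD):
    """Return {remote_ip: {"verdict", "distinct_local_ports", "distinct_remote_ports"}}.

    'scan'   -> many distinct local ports from one remote IP (port sweep).
    'client' -> few local ports, many remote ports (ordinary client traffic,
                e.g. a crawler opening many HTTP connections from ephemeral
                source ports, which is what the quoted report shows).
    """
    verdict = {}
    for ip, (lports, rports) in summarize_by_remote(text).items():
        verdict[ip] = {
            "verdict": "scan" if len(lports) >= scan_threshold else "client",
            "distinct_local_ports": len(lports),
            "distinct_remote_ports": len(rports),
        }
    return verdict


if __name__ == "__main__":
    for ip, info in sorted(classify(NETSTAT_SAMPLE).items()):
        print(ip, info)
```

Swapping the two address columns when reading the output flips the verdict, which is exactly the confusion that produced the original "port scanner" title; the classifier keys on the local/remote split explicitly so that the mistake cannot happen silently. A connection count alone (the 110-odd ESTABLISHED lines in the report) says nothing about intent without this split.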

Restricted Application added a project: Operations. Jun 2 2016, 2:30 PM
Andrew added a comment.Jun 2 2016, 2:44 PM

@Reedy, you're right, I was briefly confusing the src and dst ports. I'll rename.

Andrew renamed this task from Someone seems to be running a port scanner in labs to bitninja upset about us running a crawler.Jun 2 2016, 2:44 PM
Andrew renamed this task from bitninja upset about us running a crawler to 'German Wikipedia Broken Weblinks Bot' is ill-behaved and in danger of getting all of Labs blacklisted.Jun 2 2016, 5:15 PM

The report only contains alerts of the kind:
"A visitor reached our honeynet and sent a request despite the fact that we presented a captcha with detailed explanations why he/she needs to fill out the captcha". That's hardly a sign of a compromised host as they claim in their alert mail...

scfc added a subscriber: scfc.Jun 2 2016, 5:35 PM

Maybe I'm missing something, but the link (https://bitninja.io/incidentReport.php?details=91e8f63378053f36c6&utm_source=incident_report&utm_medium=e-mail&utm_campaign=Incident%20report) shows requests to a lot of different domains with delays of seconds to hours between requests. Where are the "malicious packets"?

chasemp added a subscriber: chasemp.Jun 2 2016, 5:38 PM

It's hard for me to take the BitNinja reports seriously. Previously, it is my understanding, they have reported other mostly innocuous behavior as hostile. I have trouble interpreting 373 web requests over 8 days as some kind of attack, if I understand their report.

Variants of

tcp 0 0 212.1.215.234:80 208.80.155.255:53738 ESTABLISHED
tcp 0 0 212.1.215.234:80 208.80.155.255:53779 ESTABLISHED

are hardly any kind of indicator. I don't at all feel flippant about the idea of something in labs being a bad netizen, but I find these reporters to be silly thus far. I can't help but feel that every uptick on their homepage https://bitninja.io/ is some source IP making a valid web request that they have decided is suspect for vague reasons.

@Giftpflanze: They're presumably talking about our bot?!

@doctaxon apparently they do, but it seems the claim is unsubstantiated

I've replied to them requesting to whitelist the captcha warnings. Will update the Phab task as needed.

Andrew closed this task as Resolved.Jun 6 2016, 4:28 PM

Update: the bitninja people seem to be wrong about everything. I'm closing this bug for now, but will continue to try to engage them when they email.

FTR, I received the same vague reply as Andrew; it seems mostly auto-generated...