[anti-abuse-wg] Abuse Report ignored. What to do as next?
U.Mutlu
security at mutluit.com
Thu Nov 2 11:53:18 CET 2023
Just to give some feedback: Yesterday I had complained about the said IP 80.94.95.181 also to RIPE NCC via their WebMail contact page, which went to support at ripe.net and opened a ticket:
https://www.ripe.net/contact-form

Luckily the worst hacking attempts originating from these IPs finally have stopped since this morning at around 08:25:
80.94.95.181
45.129.14.106

They tried for many weeks. They both belong to the same said company and have the same abuse contact:
% Abuse contact for '80.94.95.0 - 80.94.95.255' is 'internethosting-ltd at yandex.ru'
% Abuse contact for '45.129.14.0 - 45.129.14.255' is 'internethosting-ltd at yandex.ru'

Currently the other mass hacking attacks are coming from the following IPs, but an Abuse Report has not been filed yet; still monitoring & collecting evidence:
141.98.11.68
141.98.11.82
185.162.235.225

U.Mutlu wrote on 11/01/23 19:44:
> Thank you for your interesting analysis.
>
> Is then RIPE not a "partner in crime" for such criminal companies?
> B/c it seems RIPE does not take any action against such evidently
> criminal members abusing the network and the other members and users.
> RIPE just says this ( https://www.ripe.net/support/abuse ):
> "
> ...
> At the RIPE NCC, we allocate blocks of IP addresses to ISPs and
> other organisations, but we have no involvement in how these
> addresses are used by their users.
> ...
> However, we can help you find out who is abusing your network
> by providing you with the relevant network operator contact details.
> Our role is to ensure that all abuse contacts are valid and
> up-to-date in the RIPE Database. From there, it is the
> responsibility of the network operator to handle your abuse report.
> There is nothing we can do if a network operator chooses not to reply.
> ...
> "
>
> IMO, RIPE very well can do some more, and needs to do some more...
>
>
>
> Natale Maria Bianchi wrote on 11/01/23 19:06:
>> On Wed, Nov 01, 2023 at 01:55:42PM +0100, John Levine wrote:
>>> It appears that Ángel Gonzalez Berdasco via anti-abuse-wg
>>> <angel.gonzalez at incibe.es> said:
>>>>> Just block their network 80.94.95.0/24 and forget about it.
>>>
>>>> organisation: ORG-BA1515-RIPE
>>>> org-name: BtHoster LTD
>>>> country: GB
>>>> org-type: OTHER
>>>> address: 26, New Kent Road, London, SE1 6TJ, UNITED KINGDOM
>>>
>>> If you look at that address on Google street view, you will see a late
>>> 2022 picture of a construction site.
>>>
>>> Unless you care enough to contact their transit providers and try
>>> and get them disconnected, I wouldn't waste more time on it.
>>
>> BtHoster is indeed a well known bulletproof hoster, and nothing good can be
>> expected also from the other two blocks announced by AS204428, 87.246.7.0/24
>> and 212.70.149.0/24 (4media.bg/4vendeta.com, who also have much cleaner
>> ranges directly behind their own AS50360). BtHoster also has AS198465,
>> today announcing 45.129.14.0/24 and 77.90.185.0/24.
>>
>> Sending abuse reports to these places is - how to say? - a bit naive.
>> Abuse is their core business. You can see for instance BtHoster's ad in
>> https://bitcointalk.org/index.php?topic=5407833.0 :
>>
>> RDP FOR SCAN/BRUTE - PRICE 10 $ /MONTH
>> WHM FOR PISHING WITH UNLIMITED DOMAIN LICENSE -PRICE 130 $ /MONTH
>> RESELLER FOR RDP WITH PANEL -PRICE 150 $ + IP /MONTH
>> SERVER FOR SCAN/BRUTE 32 GB RAM -PRICE 130 $ /MONTH
>>
>> So the "ignoring" is fully expected, it is a feature of their hosting offer.
>> The best action is to completely prevent their packets from entering your
>> networks through protection at the network edge. This is precisely what our
>> DROP/EDROP/ASN-DROP free datasets are for: block all packets on the edge router.
>>
>> Of course, like it or not, the people behind this are members of this
>> community, read these lists, make posts, etc, and of course they would not
>> be connected to the Internet if there weren't facilitating ISPs between them
>> and backbones - in this case the operators of AS47890, AS202425 and the
>> abovementioned AS50360. These are also part of the abuse ecosystem.
>>
>> The two-layered approach is essential for the stability of their connectivity -
>> otherwise the backbones would just cut them off. When pressure from backbones
>> becomes excessive and the intermediary is forced to disconnect them, they
>> change intermediary or they create a new company, get a new ASN and move the
>> operation so that reputation restarts from zero. These patterns are very
>> established, and cause a considerable ASN turnaround. RIPE NCC apparently
>> noted a high number of ASNs being abandoned
>> [https://www.ripe.net/ripe/mail/archives/address-policy-wg/2023-June/013757.html]
>>
>> but does not seem to note the relation with abuse that should explain a
>> fraction of them.
>>
>> Natale M Bianchi
>> Spamhaus Project
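As an added example (not part of the thread and not Spamhaus's own tooling), the edge-blocking approach quoted above worked through in Python: a parser for the DROP text format ("CIDR ; SBLnnn" per entry, ";" comment lines), a check of the source IPs reported in this post against it, and an nftables set rendered from the matched prefixes. The list contents are constructed from the prefixes named in the thread, and the SBL identifiers are placeholders, not real listings.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in DROP text format. Prefixes are the ones named in the
# thread; the SBL ids are placeholders and do not correspond to real listings.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example)
80.94.95.0/24 ; SBL000001
45.129.14.0/24 ; SBL000002
87.246.7.0/24 ; SBL000003
212.70.149.0/24 ; SBL000004
77.90.185.0/24 ; SBL000005
"""

# Source IPs the poster reports above (two from the listed hoster, three others).
OBSERVED_SOURCES = ["80.94.95.181", "45.129.14.106",
                    "141.98.11.68", "141.98.11.82", "185.162.235.225"]


def parse_drop(text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Parse DROP-format text into {network: listing id}; skip comments and blanks."""
    entries: Dict[ipaddress.IPv4Network, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        # strict=True rejects entries whose host bits are set (malformed lines)
        entries[ipaddress.ip_network(cidr.strip(), strict=True)] = ref.strip()
    return entries


def lookup(ip: str, entries: Dict[ipaddress.IPv4Network, str]) -> Optional[Tuple[str, str]]:
    """Return (prefix, listing id) covering ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries.items():
        if addr in net:
            return str(net), ref
    return None


def classify_sources(ips: Iterable[str], entries) -> Tuple[Dict[str, str], List[str]]:
    """Split observed sources into {ip: listing id} the list would block, and the rest."""
    blocked, unlisted = {}, []
    for ip in ips:
        hit = lookup(ip, entries)
        (blocked.__setitem__(ip, hit[1]) if hit else unlisted.append(ip))
    return blocked, unlisted


def nft_set(entries, name: str = "spamhaus_drop") -> str:
    """Render the prefixes as an nftables interval set for an ingress drop rule."""
    elems = ", ".join(str(n) for n in sorted(entries))
    return f"set {name} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}"
```

With the sample list, the two hoster IPs are covered while the three other sources are not, which is the gap the poster is still collecting evidence on.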