Here, we talk about what we do when we encounter network abuse directed at our service.
When we talk about network abuse, we're typically referring to incidents such as (D)DoS attacks, spam, and network intrusion attempts (including but not limited to brute-forcing, exploitation, and other intrusive activity).
The Courvix Network employs many automated systems to detect, alert, and protect against activity that is considered harmful to our network. While these systems are not perfect, we are confident enough in their ability to detect this activity that we find it reasonable to send abuse reports regarding it, with a high certainty that abusive activity has actually occurred. This is especially true when we report IP addresses that have been involved in (D)DoS attacks against us, where our monitoring software is able to detect spoofed floods with a 95% accuracy using multiple assessment parameters. We don't just rely on automated systems, however - we also do some manual verification to ensure that the conclusions made by our software were the correct ones.
Using due diligence, we do our best to ensure that we are not mistakenly sending abuse reports (for example, reporting IP addresses that were spoofed in DDoS attacks). We of all people know that junk/false abuse reports are a pain in the ass for everybody, and that is why we try our best to verify that our abuse reports are legitimate and aren't wasting anyone's time.
We make a distinction between attacks that are spoofed and attacks that are reflected. While both types of attack require spoofing the source address in the IP header of a packet, how they work is inherently distinct.
Typically, in a reflected attack the attacker sends spoofed packets that appear to come from the victim to a list of IP addresses known as "reflectors"; those reflectors then respond to the source IP address in those packets, so the victim is bombarded by a massive DDoS. The distinction is that the IP addresses that appear to be sending packets to the victim really are sending them, whereas in a regular spoofed attack the IP addresses seen are not involved at all; they only look like they are.
We do not send abuse reports to IP addresses involved in spoofed floods, but we may send reports for IP addresses involved in reflected floods. Examples include DNS amplification, NTP amplification, and so on.
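To make the spoofed-versus-reflected distinction concrete, here is an added example (not Courvix Network's own code) that triages constructed flow records from an inbound flood. The heuristic is an assumption: a flow that arrives from a well-known UDP service port, is aimed at an arbitrary high port on the victim, and carries large (amplified) responses is treated as reflected, and its source is a real reflector that is worth reporting; a flow without that signature is treated as spoofed, and its source is not reported. The service-port table and the 300-byte average-size threshold are assumptions, not values from the page; DNS and NTP are the cases the page names.

```python
"""Triage inbound flood flows into reflected (report the reflector) versus
spoofed (do not report the source). Constructed example; heuristic only."""
from collections import Counter
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the source port of the
# reflected response. DNS and NTP are named on the page; the others are
# assumptions added for this example.
REFLECTOR_SERVICE_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}
MIN_REFLECTED_AVG_BYTES = 300  # assumed threshold for an amplified response


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"
    packets: int
    bytes: int


def classify_flow(flow: Flow) -> str:
    """Return 'reflected', 'spoofed', or 'other' for one flow record."""
    if flow.proto != "udp":
        return "other"  # TCP floods are outside this heuristic
    service = REFLECTOR_SERVICE_PORTS.get(flow.src_port)
    avg_bytes = flow.bytes / flow.packets if flow.packets else 0
    # Reflected flood: comes *from* a service port, targets an arbitrary
    # high port on the victim, and consists of large amplified responses.
    if service and flow.dst_port >= 1024 and avg_bytes >= MIN_REFLECTED_AVG_BYTES:
        return "reflected"
    # Anything else in a flood is treated as a spoofed source: the address
    # seen is not the real origin, so no report should go to it.
    return "spoofed"


def triage(flows):
    """Split flows into reflector IPs to report and spoofed IPs to ignore."""
    reportable = Counter()   # reflector IP -> number of flows
    spoofed_sources = set()
    services = Counter()     # which amplification services were seen
    for flow in flows:
        kind = classify_flow(flow)
        if kind == "reflected":
            reportable[flow.src_ip] += 1
            services[REFLECTOR_SERVICE_PORTS[flow.src_port]] += 1
        elif kind == "spoofed":
            spoofed_sources.add(flow.src_ip)
    return {
        "report": dict(reportable),
        "do_not_report": sorted(spoofed_sources),
        "services": dict(services),
    }


# Constructed sample flows (documentation address ranges), not real traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 53, "203.0.113.5", 44123, "udp", 500, 600_000),   # DNS reflector
    Flow("198.51.100.20", 123, "203.0.113.5", 44123, "udp", 800, 384_000),  # NTP reflector
    Flow("192.0.2.77", 5555, "203.0.113.5", 80, "udp", 10_000, 640_000),    # spoofed source
    Flow("192.0.2.78", 9100, "203.0.113.5", 80, "udp", 9_000, 576_000),     # spoofed source
    Flow("192.0.2.9", 443, "203.0.113.5", 80, "tcp", 300, 18_000),          # outside heuristic
]

if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    print("Report to reflector operators:", result["report"])
    print("Do not report (likely spoofed):", result["do_not_report"])
    print("Amplification services seen:", result["services"])
```

The reflector addresses in the "report" set are real hosts, but they are typically misconfigured or open services that have themselves been abused, which is why the report goes to their operator with a request to fix the service rather than as an accusation of deliberate attack. Any such automated split still deserves the manual verification step the page describes before a report is sent.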
As someone who has the responsibility of handling abuse reports, your response is what determines whether our abuse report achieves anything or not, and whether this activity will continue and affect other people and organizations. At the very least, the customer on your network responsible for the abusive activity should be notified of our report. If something on their end has been compromised, they should be prompted to take any steps necessary to remove the compromise and ensure that their service cannot continue to be used to harm other networks.