Abuse reporting based on whois
From: fbsd_user (fbsd_user_at_a1poweruser.com)
Date: 05/22/04
- Previous message: S H A N: "recommendation for NMS"
- Next in thread: Florian Weimer: "Re: Abuse reporting based on whois"
- Reply: Florian Weimer: "Re: Abuse reporting based on whois"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: "freebsd-isp@FreeBSD.ORG" <freebsd-isp@FreeBSD.ORG>
Date: Sat, 22 May 2004 11:39:00 -0400
My ipfilter firewall is blocking 35 to 150 unsolicited inbound port packets per minute coming from all over the world. I have a dynamic IP address assigned by my ISP, so I know the senders are scanning a whole subnet range of IP addresses for the ports they are interested in. I have to pay for this background packet noise in bandwidth usage surcharges. I decided to research and try to build a process to report this abuse to the ISPs who own the source IP address that is scanning the whole subnet ranges of IP addresses I belong to.

I pieced together a perl script from many other sources that reads the ipfilter ipmon log, creating a structured file with the source and target IP addresses padded with zeros to sort the source IP address into sequence; then I read the sorted file, do a whois lookup on the source IP address, and scan the whois output for an abuse@ domain name, building an email including the log records as evidence, and send it. This process only found abuse@ email addresses for about 30% of the abusive port scan traffic being blocked. Manually doing whois on some of the remainder, I see many different abuse reporting email addresses. I guess abuse@ is not a standard naming convention.

Am I going about this the correct way, or is there some other way I should be doing this?

Is whois ip addr the only way to find the owner of the IP address block?

Do any of the readers of this list have a perl script that does something like what I am trying to do, that they would share, or exchange in return for receiving a copy of mine?

I have been down the www.dshield.comm path already and they do nothing to report all the port targeted packet traffic.

Any comments sure would be helpful.

Thanks
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
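The pipeline the post describes (parse the ipmon log, zero-pad addresses so a plain sort puts them in numeric order, group the blocked lines per source as evidence, then pull an abuse contact out of a whois record), as an added Python example that is not the poster's perl script. The log lines and whois snippets are constructed; the ipmon line layout is approximated, and the example looks at the dedicated abuse fields (RIPE-style `abuse-mailbox:`, ARIN-style `OrgAbuseEmail:`) before falling back to an `abuse@` mailbox, which is where a plain abuse@ search misses contacts.

```python
import re
from collections import defaultdict

# Constructed ipmon log lines (layout approximated from ipfilter's ipmon output;
# addresses are from documentation ranges, not real scanners).
SAMPLE_IPMON_LOG = """\
22/05/2004 11:39:01.000001 fxp0 @0:9 b 192.0.2.10,4321 -> 203.0.113.5,135 PR tcp len 20 48 -S IN
22/05/2004 11:39:02.000002 fxp0 @0:9 b 198.51.100.7,1025 -> 203.0.113.5,445 PR tcp len 20 48 -S IN
22/05/2004 11:39:03.000003 fxp0 @0:9 b 192.0.2.10,4322 -> 203.0.113.5,139 PR tcp len 20 48 -S IN
"""

# "src,sport -> dst,dport" is the part of the line we need.
LOG_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}),(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}),(\d+)")

def pad_ip(ip):
    """Zero-pad each octet so a plain string sort gives numeric order (192.0.2.10 -> 192.000.002.010)."""
    return ".".join(f"{int(o):03d}" for o in ip.split("."))

def parse_ipmon(text):
    """Group blocked log lines by zero-padded source IP; the raw lines are kept as evidence."""
    by_source = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            by_source[pad_ip(m.group(1))].append(line)
    return dict(sorted(by_source.items()))

# Dedicated abuse fields used by registries (assumed names: RIPE 'abuse-mailbox:', ARIN 'OrgAbuseEmail:').
ABUSE_FIELD_RE = re.compile(r"^(?:abuse-mailbox|OrgAbuseEmail):\s*(\S+@\S+)", re.I | re.M)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def find_abuse_contact(whois_text):
    """Return the best abuse contact found in a whois record, or None if it has none."""
    m = ABUSE_FIELD_RE.search(whois_text)          # 1. registry abuse field
    if m:
        return m.group(1)
    for e in EMAIL_RE.findall(whois_text):         # 2. any abuse@ mailbox
        if e.lower().startswith("abuse@"):
            return e
    for line in whois_text.splitlines():           # 3. an address on a line mentioning abuse
        if "abuse" in line.lower():
            m = EMAIL_RE.search(line)
            if m:
                return m.group(0)
    return None                                    # nothing usable: needs a manual lookup

if __name__ == "__main__":
    for src, lines in parse_ipmon(SAMPLE_IPMON_LOG).items():
        print(src, len(lines), "blocked packets")
```

A real run would feed each source's whois output into `find_abuse_contact` and keep the `None` cases in a separate list for manual review rather than dropping them.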