-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> -----Original Message-----
> From: Chris J [mailto:cej [at] nightwolf.org.uk]
> Sent: 07 May 2003 17:08
> To: shef-lug [at] list.sheflug.org.uk
> Subject: Re: [Sheflug] Security : Port scanning
>
>
>
> The whois may not help if you're just looking up the IP -- if it's
> a virtual ISP who lease modems from another company, all it
> could tell you is
> who owns the modems. You need to do a reverse DNS lookup
> first, and do a
> whois against the domain. Any decent ISP will have an "abuse"
> mailbox set
> up for you to then email.
>
> If a DNS check doesn't get anywhere, and the whois on the IP
> just returns
> the carrier's details, then email them. They'll usually have
> a dim view on
> their bandwidth being used by a single customer of one of
> their clients ...
> and usually they'll have more clout ("do this or we'll sever
> your upstream"
> sort of thing).
Seeing as you're using IPCop, have you got intrustion detection
switched on? That lists the types of attacks you're being subjected
to as it analyses the attack, so it will tell you about CodeRed,
general IIS attacks, and one which I spotted today for the first
time: "WEB-MISC whisker HEAD with large datagram". Heavens only knows
what that one is :-)
If you use the IP Address lookups on IPCop (by clicking on the IP
address links on the log displays), beware that, certainly on v1.2.0,
they don't query the RIPE database, so for European addresses, you
may have to do an additional lookup.
I've found that my ISP (Plusnet) are generally quite good at
following up on reported scans from their customers (but that may be
something to do with us being corporate customers!).
- --
David
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
iQA/AwUBPrlclnKr1pTNQbC4EQITqACeI7g5ziGFvLJqleRmpU7pgApGKUEAoMpd
4ouTPgq58E9hEr6Xi63UqRH7
=4pzN
-----END PGP SIGNATURE-----
Attachment:
PGPexch.htm.asc
Description: PGPexch.htm.asc