> -----Original Message-----
> From: Chris J [mailto:cej [at] nightwolf.org.uk]
> Sent: 07 May 2003 17:08
> To: shef-lug [at] list.sheflug.org.uk
> Subject: Re: [Sheflug] Security : Port scanning
>
> The whois may not help if you're just looking up the IP -- if it's
> a virtual ISP who lease modems from another company, all it could
> tell you is who owns the modems. You need to do a reverse DNS lookup
> first, and do a whois against the domain. Any decent ISP will have an
> "abuse" mailbox set up for you to then email.
>
> If a DNS check doesn't get anywhere, and the whois on the IP just
> returns the carrier's details, then email them. They'll usually have
> a dim view on their bandwidth being used by a single customer of one
> of their clients ... and usually they'll have more clout ("do this or
> we'll sever your upstream" sort of thing).

Seeing as you're using IPCop, have you got intrusion detection switched on? That lists the types of attacks you're being subjected to as it analyses the attack, so it will tell you about CodeRed, general IIS attacks, and one which I spotted today for the first time: "WEB-MISC whisker HEAD with large datagram". Heavens only knows what that one is :-)

If you use the IP Address lookups on IPCop (by clicking on the IP address links on the log displays), beware that, certainly on v1.2.0, they don't query the RIPE database, so for European addresses, you may have to do an additional lookup.

I've found that my ISP (Plusnet) are generally quite good at following up on reported scans from their customers (but that may be something to do with us being corporate customers!).

-- David
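The lookup chain discussed in this message (ask one registry, follow its pointer to RIPE when the address is European, then pick out the abuse mailbox), as an added Python example that is not part of the original post. The sample records are constructed, and starting at `whois.arin.net` is an assumption.

```python
import re
import socket

# Constructed sample responses (documentation addresses, not real records).
ARIN_SAMPLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
ReferralServer: whois://whois.ripe.net
"""
RIPE_SAMPLE = """\
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@carrier.example'
inetnum:        192.0.2.0 - 192.0.2.255
abuse-mailbox:  abuse@carrier.example
e-mail:         hostmaster@carrier.example
"""

REFERRAL = re.compile(r"^(?:ReferralServer:\s*r?whois://|refer:\s*)([\w.-]+)", re.I | re.M)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def referral_server(text):
    """Return the whois host a registry points to, or None if it answers itself."""
    m = REFERRAL.search(text)
    return m.group(1).lower() if m else None


def abuse_contacts(text):
    """Addresses from lines that mention abuse, in order, without repeats."""
    hits = [a.lower() for line in text.splitlines() if "abuse" in line.lower()
            for a in EMAIL.findall(line)]
    return list(dict.fromkeys(hits))


def whois_query(server, query, timeout=10):
    """Plain whois exchange (RFC 3912): send the query, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        return b"".join(iter(lambda: s.recv(4096), b"")).decode("utf-8", "replace")


def abuse_for_ip(ip, server="whois.arin.net", max_hops=3):
    """Follow referrals from the starting registry (assumed default; needs network)."""
    for _ in range(max_hops):
        text = whois_query(server, ip)
        nxt = referral_server(text)
        if not nxt or nxt == server:
            break
        server = nxt
    return server, abuse_contacts(text)
```

If the final record lists no abuse address, the reverse DNS name from `socket.gethostbyaddr(ip)` gives the domain to run the second whois against, as the quoted message suggests.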