On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel wrote:
> Hello.
> My packet filter ruleset caught somebody port scanning one of our hosts.
> He or she tried to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 MB of log in 3 minutes with the denied packets). I have his/her
> IPv4 address, and I would like to ask, what should I do now? I figured out
> from the ripe.net whois db that the IP is owned by one of the ISPs from my
> country. Is it possible that the scanner cracked the ISP's machine, then
> pushed the scan from there?

It's a lot more likely that the person that scanned you is simply one of the ISP's customers. The ISP owns the IPs they assign to their customers' machines. If all the guy did was scan, then don't do anything unless he does it again or something. If there were any signs of an actual attack, like sending nastygrams to your web server or something, then you should contact his ISP and show them the log.

(My philosophy is that portscanning is more or less innocent and curiosity driven, and so shouldn't be punished unless it causes a DoS or something. If you feel otherwise, you might want to show the logs you have to the scanner's ISP, with timestamp, so they can figure out who had that IP at that time. I think that would be going to more trouble than it's worth, though.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
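
An added example, not part of either message: one way to condense a large denied-packet log into the timestamped per-source summary an ISP abuse desk would need. The thread does not show the actual log, so the iptables-LOG-like line layout, the addresses (documentation ranges) and the name `summarize_scans` are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in an iptables-LOG-like syslog layout (assumed format).
SAMPLE_LOG = """\
Mar  5 22:31:02 fw kernel: DENY IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=1
Mar  5 22:31:02 fw kernel: DENY IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40113 DPT=2
Mar  5 22:31:03 fw kernel: DENY IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40114 DPT=3
Mar  5 22:31:40 fw kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80
Mar  5 22:34:01 fw kernel: DENY IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40115 DPT=32000
Mar  5 22:34:05 fw kernel: garbled line without addresses
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)"
)

def summarize_scans(log_text, year, min_ports=3):
    """Summarize sources denied on >= min_ports distinct TCP ports.
    Syslog timestamps carry no year, so the caller supplies it."""
    seen = defaultdict(lambda: {"packets": 0, "ports": set(), "targets": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-TCP or malformed lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = seen[m["src"]]
        rec["packets"] += 1
        rec["ports"].add(int(m["dpt"]))
        rec["targets"].add(m["dst"])
        rec["times"].append(ts)
    report = {}
    for src, rec in seen.items():
        if len(rec["ports"]) < min_ports:
            continue  # one or two denied connections are not a scan
        report[src] = {
            "first_seen": min(rec["times"]).isoformat(),
            "last_seen": max(rec["times"]).isoformat(),
            "packets": rec["packets"],
            "distinct_ports": len(rec["ports"]),
            "port_range": (min(rec["ports"]), max(rec["ports"])),
            "targets": sorted(rec["targets"]),
        }
    return report

if __name__ == "__main__":
    for src, info in summarize_scans(SAMPLE_LOG, year=2001).items():
        print(src, info)
```

The first and last timestamps, stated together with the firewall's time zone, are what lets the ISP map a dynamically assigned address to a customer.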