RE: Port scan reporting?

[David Cullen]

Hi Ben,

You can report the IP address to: http://www.dshield.org/

This site provides a complete IP address profile: http://www.hexillion.com/

As for reporting the IP address to the ISP: I have not heard directly from
any ISP, other than an auto-reply, that I contacted (even my own!).

Regards,
David

[EMAIL PROTECTED]

-Original Message-
From: Ben Schorr [mailto:[EMAIL PROTECTED]]
Sent: February 25, 2002 3:36 PM
To: '[EMAIL PROTECTED]'
Subject: Port scan reporting?


Our ISA server reported a number of attempted port scans of our server over
the weekend; no biggie, but the log files indicate the IP address they
supposedly came from.  Is there any agency I should be reporting these to or
is there any value in trying to report them to the ISP?

What's the "best practice" in this case, do I just ignore them?

Mahalo!

-Ben-
Ben M. Schorr, MVP-Outlook, CNA, MCPx3
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com <http://www.hawaiilawyer.com>

Re: Port scan reporting?

[Michael Lange]

- Original Message -
From: "Ben Schorr" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 25, 2002 9:35 PM
Subject: Port scan reporting?


> Our ISA server reported a number of attempted port scans of our server
over
> the weekend; no biggie, but the log files indicate the IP address they
Did you set it up on Friday ? I get syslog entry´s about portscans nearly
every hour. The IP´s are saved in a textfile and compared - if the scan
appears
more than one time or the host issues more complex actions it is
blocked in the firewall.
Most scans are started from dynamic IP´s, Therefore I request some
additional
infos from the hosts (  arp if possible ) and an nmap fingerprint :)
If it seems to be a qualified attack, you have to contact the net maintainer
of
the attackers isp ( usually [EMAIL PROTECTED] ) or your local cert
http://www.cert.org/ you may also take a look at http://www.dshield.org
might be possible that their clients are compatible with your
"I"´m "S"ecure "A"bit


> -Ben-
> Ben M. Schorr, MVP-Outlook, CNA, MCPx3
don´t bother too much
Michael

RE: Port scan reporting?

[John Allhiser]

Aloha Ben,

(I'm replying to you as well as the list because I just received this.)

Was it a targeted or complete scan? 

I usually send the documentation off to the ISP or IP registrant much as I would
an attempted relayer or spammer.  

I wouldn't expect a quick follow-up though  :)



-Original Message-
From: Ben Schorr [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 25, 2002 2:36 PM
To: '[EMAIL PROTECTED]'
Subject: Port scan reporting?


Our ISA server reported a number of attempted port scans of our server over
the weekend; no biggie, but the log files indicate the IP address they
supposedly came from.  Is there any agency I should be reporting these to or
is there any value in trying to report them to the ISP?

What's the "best practice" in this case, do I just ignore them?

Mahalo!

-Ben-
Ben M. Schorr, MVP-Outlook, CNA, MCPx3
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com <http://www.hawaiilawyer.com> 

Re: Port scan reporting?

[Matt Hemingway]

There's nothing illegal about it.  I would do a "whois" on Arin 
(http://www.arin.net) with that IP address, find and call whoever the ISP is 
and see if you can get them kicked or banned for abuse.

It's a long shot but worth a try.  Could be fun too!

-Matt

On Monday 25 February 2002 12:35, Ben Schorr wrote:
> Our ISA server reported a number of attempted port scans of our server over
> the weekend; no biggie, but the log files indicate the IP address they
> supposedly came from.  Is there any agency I should be reporting these to
> or is there any value in trying to report them to the ISP?
>
> What's the "best practice" in this case, do I just ignore them?
>
> Mahalo!
>
> -Ben-
> Ben M. Schorr, MVP-Outlook, CNA, MCPx3
> Director of Information Services
> Damon Key Leong Kupchak Hastert
> http://www.hawaiilawyer.com 

Port scan reporting?

[Ben Schorr]

Our ISA server reported a number of attempted port scans of our server over
the weekend; no biggie, but the log files indicate the IP address they
supposedly came from.  Is there any agency I should be reporting these to or
is there any value in trying to report them to the ISP?

What's the "best practice" in this case, do I just ignore them?

Mahalo!

-Ben-
Ben M. Schorr, MVP-Outlook, CNA, MCPx3
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com