Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 22 May 2004 14:33:42 -0400
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "Florian Weimer" <fw@deneb.enyo.de>, <fbsd_user@a1poweruser.com>
Cc:        "freebsd-isp@FreeBSD. ORG" <freebsd-isp@FreeBSD.ORG>
Subject:   RE: Abuse reporting based on whois
Message-ID:  <MIEPLLIBMLEEABPDBIEGKEEBFPAA.fbsd_user@a1poweruser.com>
In-Reply-To: <87r7tctju3.fsf@deneb.enyo.de>
next in thread | previous in thread | raw e-mail | index | archive | help 
If the source ips are spoofed, what purpose do they do other than
consume bandwidth.


I believe the senders are script kiddies probing for know ports that
backdoors, spyware or Trojans are know to use.


-----Original Message-----
From: Florian Weimer [mailto:fw@deneb.enyo.de]
Sent: Saturday, May 22, 2004 2:09 PM
To: fbsd_user@a1poweruser.com
Cc: freebsd-isp@FreeBSD. ORG
Subject: Re: Abuse reporting based on whois

* fbsd user:

> My ipfilter firewall is blocking  35 to 150 un-solicited inbound
> port packets per minute coming from all over the world. I have an
> dynamic IP address assigned by my ISP, so I know the senders are
> scanning an whole subnet range of IP address for the ports they
are
> interested in.  I have to pay for this background packet noise in
> bandwidth usage surcharges.  I decided to research and try to
build
> an process to report this abuse to the ISP's who own the source IP
> address that is scanning the whole subnet ranges of IP address I
> belong to.

A significant part of those scans have spoofed source addresses.
Unless you complete a three-way handshake (for TCP scans only, of
course) and thus validate the source address, your observations are
probably not worth reporting.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: bigpond.com, di-ve.com, hotmail.com, jumpy.it,
libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com,
tatanova.com, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr,
yahoo.com.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGKEEBFPAA.fbsd_user>