Abuse reporting based on whois

fbsd_user fbsd_user at a1poweruser.com
Sat May 22 11:33:56 PDT 2004

If the source ips are spoofed, what purpose do they do other than
consume bandwidth.

I believe the senders are script kiddies probing for know ports that
backdoors, spyware or Trojans are know to use.

-----Original Message-----
From: Florian Weimer [mailto:fw at deneb.enyo.de]
Sent: Saturday, May 22, 2004 2:09 PM
To: fbsd_user at a1poweruser.com
Cc: freebsd-isp at FreeBSD. ORG
Subject: Re: Abuse reporting based on whois

* fbsd user:

> My ipfilter firewall is blocking  35 to 150 un-solicited inbound
> port packets per minute coming from all over the world. I have an
> dynamic IP address assigned by my ISP, so I know the senders are
> scanning an whole subnet range of IP address for the ports they
> interested in.  I have to pay for this background packet noise in
> bandwidth usage surcharges.  I decided to research and try to
> an process to report this abuse to the ISP's who own the source IP
> address that is scanning the whole subnet ranges of IP address I
> belong to.

A significant part of those scans have spoofed source addresses.
Unless you complete a three-way handshake (for TCP scans only, of
course) and thus validate the source address, your observations are
probably not worth reporting.

Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: bigpond.com, di-ve.com, hotmail.com, jumpy.it,
libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com,
tatanova.com, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr,

More information about the freebsd-isp mailing list