reporting port scaning abuse based on whois

JJB Barbish3 at adelphia.net
Tue May 18 16:12:16 PDT 2004 

My ipfilter firewall is blocking  35 to 150 port scan packets per
minute coming from all over the world. I have an dynamic IP address
assigned by my ISP, so I know the senders are scanning an whole
subnet range of IP address for the ports they are interested in.  I
have to pay for this background packet noise in bandwidth usage
surcharges.  I decided to research and try to build an process to
report this abuse to the ISP's who own the source IP address that is
scanning the whole subnet ranges of IP address I belong to.

I pieced together an perl script from many other sources that reads
the ipfilter ipmon log creating an structured file with the source
and target ip address padded with zeros to sort the source ip
address into sequence, then I read the sorted file and do an whois
lookup on the source ip address and scan the whois output for an
abuse@ domain name building an email including the log records as
evidence and send it.  This process only found abuse@ email address
for about 30% of the abusive port scan traffic being blocked.
Manually doing whois on some of the remainder, I see many different
reporting abuse email address.  I guess abuse@ is not an standard
naming convention.

An I going about this the correct way, or is there some other way I
should be doing this?
Is whois ip addr the only way to find the owner of the ip address
block?

Do any of the readers of this list have an perl script that does
something like what I an trying to do, that  they would share,  or
exchange in return for receiving an copy of mine?

I am thinking about changing the way I search the whois output for
abuse@,  to scanning the output one position at an time for @ then
parse left and right of it to first blank to capture email address,
then save it in table and continue with scan looking for another
email address. Then interrogate the harvested email address in the
table for abuse, spam, tech or webmaster to choose best email
address to send my reporting abuse email to.  The problem is my perl
coding ability is not sufficient to accomplish this.  An sample scan
routine sure would go a long way in enabling me to  understand the
coding technique so I could modify it to my purposes.

Any comments or coding help sure would be helpful.

Thanks

More information about the freebsd-questions mailing list