i've had absolutely no luck getting the source isp's to care about the problems i've seen at my home firewall in recent weeks. (see below if you wonder whether i'm implicating anyone here.) there's no other way to view the internet than as a worm-infested zombie.
hehe... I know the feeling. With DShield, we try hard to send out correlated and filtered reports in a standardized format to valid 'contact' addresses. There are some success stories, but more misses than hits overall. The 'misses' fall into two categories:

- ignored/bad contact/ ( /dev/null group )
- or the "portscanning is not a crime" group. (at least they respond).

What is an appropriate reaction if an ISP receives an abuse report? I know abuse@ is getting swamped with Excel Spreadsheets, screenshots and hate mail, and most of them are 'benign' (P2P file sharing after glow and the like). But would it be too much for an ISP to send an email to the customer as they receive the first reports, a phone call after the third ... ?

(BTW: Any ISPs here that would like a daily unfiltered report? I just streamlined that function last week.)

here is some dshield data for the IPs in your list
Jan 1 18:40:44 fwlha /kernel: ipfw: 1800 Deny TCP 64.139.35.209:2559 204.152.184.163:21 in via dc0
scanned 9 different targets, > 30 days ago
Jan 3 06:15:19 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2113 204.152.184.163:57 in via dc0
Jan 3 06:15:37 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2595 204.152.184.163:21 in via dc0
Jan 3 06:15:40 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2595 204.152.184.163:21 in via dc0
2 targets, > 30 days ago... TONLINE is receiving a daily summary report from us. For a while, they bounced it forth and back between departments for days. Now they just /dev/null it I think.
Jan 4 09:02:17 fwlha /kernel: ipfw: 1800 Deny TCP 193.251.0.37:4992 204.152.184.163:21 in via dc0
Jan 4 09:02:20 fwlha /kernel: ipfw: 1800 Deny TCP 193.251.0.37:3314 204.152.184.163:21 in via dc0
Wanadoo.fr... do I need to say more?
Jan 12 23:21:16 fwlha /kernel: ipfw: 6400 Deny TCP 212.202.170.154:3540 204.152.188.2:21 in via vlan0
3 different targets... does ftp and P2P...

--
--------------------------------------------------------------------
jullrich@euclidian.com
Collaborative Intrusion Detection
join http://www.dshield.org
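An added example, not part of the original thread and not DShield's code or report format: a small parser that turns the ipfw deny lines quoted in this exchange into one summary row per source address, the kind of condensed record an abuse desk can act on more easily than raw logs or screenshots. The function names and the tab-separated row layout are assumptions made for illustration.

```python
import re
from collections import defaultdict

# ipfw deny entries copied from the messages above (syslog format).
SAMPLE_LOG = """\
Jan 1 18:40:44 fwlha /kernel: ipfw: 1800 Deny TCP 64.139.35.209:2559 204.152.184.163:21 in via dc0
Jan 3 06:15:19 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2113 204.152.184.163:57 in via dc0
Jan 3 06:15:37 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2595 204.152.184.163:21 in via dc0
Jan 3 06:15:40 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2595 204.152.184.163:21 in via dc0
Jan 4 09:02:17 fwlha /kernel: ipfw: 1800 Deny TCP 193.251.0.37:4992 204.152.184.163:21 in via dc0
Jan 4 09:02:20 fwlha /kernel: ipfw: 1800 Deny TCP 193.251.0.37:3314 204.152.184.163:21 in via dc0
Jan 12 23:21:16 fwlha /kernel: ipfw: 6400 Deny TCP 212.202.170.154:3540 204.152.188.2:21 in via vlan0
"""

# timestamp, host, rule number, action, protocol, src:port, dst:port, direction, interface
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+/kernel:\s+ipfw:\s+"
    r"(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)$"
)

def summarize(log_text):
    """Group denied packets by source IP; lines that do not parse are skipped."""
    by_src = defaultdict(lambda: {"hits": 0, "targets": set(), "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "Deny":
            continue
        s = by_src[m["src"]]
        s["hits"] += 1
        s["targets"].add(m["dst"])
        s["ports"].add(int(m["dport"]))
        s["first"] = s["first"] or m["ts"]  # log is chronological, keep the earliest
        s["last"] = m["ts"]
    return dict(by_src)

def report(summary):
    """One tab-separated row per source (hypothetical layout, not a DShield format)."""
    rows = []
    for src, s in sorted(summary.items()):
        ports = ",".join(str(p) for p in sorted(s["ports"]))
        rows.append(
            f"{src}\thits={s['hits']}\ttargets={len(s['targets'])}"
            f"\tdports={ports}\tfirst={s['first']}\tlast={s['last']}"
        )
    return rows

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

The target counts here cover only this one firewall's log; the "different targets" figures in the replies come from DShield's data across its submitters.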