On 19/01/2001, Jon Bentley <[EMAIL PROTECTED]> wrote to [EMAIL PROTECTED]:
> We just came under a DNS/TCP scan from host 63.72.190.60.  The scan
> went sequentially through every IP across two disparate netblocks.
> 
> Next step is to look up (NSI) and contact the ISP for this address.  Problem
> is that NSI shows "[No name]" for this IP, and I cannot seem to locate a
> responsible party.
Wrong target.
You are looking for *IP* addresses, which are not at NSI [Thanks for that], but
they are at ARIN, or are delegated from there to RIPE or APNIC.
So:

$ whois -h whois.arin.net 63.72.190.60
[..]
UUNET Technologies, Inc. (NETBLK-UUNET63) UUNET63   63.64.0.0 - 63.127.255.255
The Internet Advisory Group (NETBLK-UU-63-72-190) UU-63-72-190 \
 63.72.190.0 - 63.72.190.255

$ whois -h whois.arin.net UU-63-72-190
The Internet Advisory Group (NETBLK-UU-63-72-190)
   2455 E Sunrise Blvd
   Fort Lauderdale, FL 33304
   US
[..]

> My next thought is to traceroute/ping-R and find the one-upstream vendor
> and contact their abuse department (assuming they have one), but that could
> be construed as scanning the other network (which could get us in trouble).
Anyone considering a *single* traceroute as scanning should be removed
from the net. :>

> What to do?
Read more about it :]

ciao
-- 
Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH | <double-p> 
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.
           [X] <-- nail here for new monitor
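
As an added example (not part of the original message): a Python sketch that picks the most specific netblock from the summary-style whois output quoted in the reply, so the follow-up `whois -h whois.arin.net <handle>` query goes to the delegated owner rather than the upstream. The function names are hypothetical, and the parser assumes the legacy line layout shown in the message, including the backslash line continuation.

```python
import ipaddress
import re

# Summary lines as quoted in the message above (legacy ARIN layout).
SAMPLE = r"""UUNET Technologies, Inc. (NETBLK-UUNET63) UUNET63   63.64.0.0 - 63.127.255.255
The Internet Advisory Group (NETBLK-UU-63-72-190) UU-63-72-190 \
 63.72.190.0 - 63.72.190.255
"""

# org name, (NETBLK-...) tag, handle, then "start - end" address range
LINE = re.compile(
    r"^(?P<org>.+?)\s+\((?P<netblk>NETBLK-[^)]+)\)\s+(?P<handle>\S+)\s+"
    r"(?P<start>\d+\.\d+\.\d+\.\d+)\s+-\s+(?P<end>\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_netblocks(text):
    """Return one dict per netblock summary line found in whois output."""
    # Re-join entries that were wrapped with a trailing backslash.
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    blocks = []
    for line in joined.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # headers, "[..]" elisions, address lines
        start = ipaddress.IPv4Address(m["start"])
        end = ipaddress.IPv4Address(m["end"])
        if start > end:
            continue  # malformed range, ignore
        blocks.append({"org": m["org"], "handle": m["handle"],
                       "start": start, "end": end})
    return blocks

def most_specific(text, ip):
    """Smallest listed netblock containing ip, or None if none matches."""
    addr = ipaddress.IPv4Address(ip)
    hits = [b for b in parse_netblocks(text) if b["start"] <= addr <= b["end"]]
    if not hits:
        return None
    return min(hits, key=lambda b: int(b["end"]) - int(b["start"]))

if __name__ == "__main__":
    block = most_specific(SAMPLE, "63.72.190.60")
    print(block["org"], "->", "whois -h whois.arin.net", block["handle"])
```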