[Dshield] Opinion

John Sage jsage at finchhaven.com
Sun Sep 15 19:54:55 GMT 2002


This sort of idea comes up every now and then...

On Sun, Sep 15, 2002 at 07:04:00PM +0200, Gsw wrote:
> What do you think about an automatic email to the administrator of the offending IP?

First of all, what do you mean when you say "web attack", below?

If you have really experienced a probe or an exploit attempt, then the
rest pertains...

The general problem is that very often the whois for the IP address is
not specific enough to get you really close to who might have
authority to really *do* something.

(And this says nothing about the large quantity of totally bogus whois
information that's out there..)

The guy you're going to pick on, below, is probably the administrative
contact for all of Global One Italy.

Is he directly responsible for abuse reports?

I'll bet not.

What if Global One Italy has allocated that IP address as part of a
larger block to an ISP? Or to a private business?

Then it's not his responsibility at all, although as the upstream,
there might be some reason to notify him of chronic abuse, or a
DDoS...


> I'll explain better:
> 
> I received a web attack from: 194.235.164.2 (12 Sep 2002)
> 
> I looked it up in whois:
> inetnum:      194.235.164.0 - 194.235.167.255
> netname:      IT-GLOBALONE
> descr:        Global One Italy
> country:      IT
> admin-c:      GB6685-RIPE
> tech-c:       GIT1-RIPE
> rev-srv:      dns.global-one.it
> status:       ASSIGNED PA
> remarks:      global-one.it
> notify:       italy.ipgroup.list at globalone.net
> mnt-by:       AS4000-MNT
> changed:      richard.obengmarnu at globalone.net 20000315
> source:       RIPE
> 
> person:       Giuseppe Brevi
> address:      Global One Communications Spa
> address:      Via Tucidide 56
> address:      I-20134 Milano
> address:      Italy
> phone:        +39 02 752891
> fax-no:       +39 02 76119023
> e-mail:       beppe.brevi at globalone.net
> nic-hdl:      GB6685-RIPE
> remarks:      Global One is a member of the France Telecom Group
> mnt-by:       GLOBALONEIT-MNT
> changed:      marco.perduca at equant.com 20020801
> source:       RIPE
> 
> 
> I can write a note to this address: beppe.brevi at globalone.net
> 
> to inform them about the web attack.
> 
> 
> What do you think about it?


Best bet: use the Fight Back! feature available at DShield...


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
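
The following is an added example, not part of the original post: a parser for whois output in the RPSL layout quoted above that labels each address by what its attribute really means, and only returns a target for automatic mail when an explicit abuse address exists. The function names, the `ROLE` labels and the sample record are assumptions made for illustration; `abuse-mailbox` is an attribute RIPE records can carry, which the record quoted in the post does not have.

```python
import re

# Constructed sample in the RPSL layout of the quoted record; all values are placeholders.
SAMPLE = """\
inetnum:      192.0.2.0 - 192.0.2.255
notify:       ipgroup.list at example.net
changed:      hostmaster at example.net 20000315
source:       RIPE

person:       Example Person
e-mail:       e.person at example.net
changed:      hostmaster at example.org 20020801
source:       RIPE
"""

# What each address-bearing attribute actually tells you about its owner.
ROLE = {"abuse-mailbox": "abuse", "e-mail": "contact",
        "notify": "db-notification", "changed": "db-editor"}

def parse_rpsl(text):
    """Split whois output into objects: lists of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
        elif ":" in line and not line.startswith(("%", "#")):
            attr, value = line.split(":", 1)
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def addresses(objects):
    """Return (role, address, object type) for every e-mail address found."""
    found = []
    for obj in objects:
        for attr, value in obj:
            # Accept both "user@host" and the archive's "user at host" form.
            m = re.match(r"(\S+)(?: at |@)(\S+)", value)
            if attr in ROLE and m:
                role = "abuse" if m.group(1).lower() == "abuse" else ROLE[attr]
                found.append((role, f"{m.group(1)}@{m.group(2)}", obj[0][0]))
    return found

def report_target(objects):
    """Only an explicit abuse address is treated as safe for automatic mail."""
    hits = [addr for role, addr, _ in addresses(objects) if role == "abuse"]
    return hits[0] if hits else None
```

On the sample, `report_target` returns `None`: every address found belongs to a database editor, a notification list or a named person, which is the situation the reply describes.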
