Question:

What is the best way to report network abuse? (not spam, but network scans, tcp/fin, DDoS, etc.)



Answer:

Visit http://www.arin.net and look up the abuse/admin-C contact for the IP doing the probing by entering the IP into the search box. The result may ask you to go to another 'Regional' IP lookup resource based on the location of the IP address, such as APNIC, RIPE, LACNIC, KRNIC, etc. Just go to the URL for the correct lookup as ARIN suggests.



Most Abuse/NOCs will not even bother with reports of 'port probing', and the only time I push it is if the scan is clearly from someone infected by a worm/trojan, or if they scan ports for well-known worms/trojans.

Compose a short letter with 5 lines of the probe evidence (don't send your whole log!).
Don't send traceroute/whois info (admins know what they are responsible for and don't need to be reminded).


 

Here's a sample of my letter, which you may modify/use in such cases:

Greetings Admin/Abuse,

The following Firewall log entries show a user from your netblock of assigned IPs attempting to exploit a Remote Access Trojan. Typically this is to gain unauthorized access/control over remote systems with that trojan installed.

Please investigate this issue and handle according to your Acceptable Use Policy.
* Note: Reports of intrusions and exploits are shared with 3rd-party reporting sites. Examples of such sites are: http://www.dshield.org, http://www.mynetwatchman.com, http://www.doshelp.com
You can read more about this and other trojans at the website http://www.doshelp.com/trojanports.htm. If you have further questions, please feel free to contact me.

Sincerely,
<Insert your name here>
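The answer's evidence rule (five log lines, no traceroute/whois) can be scripted; the following is an added example, not part of the original answer. It assumes an iptables-style log with `SRC=` and `DPT=` fields; the log lines, addresses (documentation ranges) and function names are constructed for illustration.

```python
import re
from collections import defaultdict

MAX_EVIDENCE = 5  # the answer's rule: five lines of evidence, not the whole log
# Constructed sample in iptables LOG style; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 04:11:02 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=4021 DPT=27374
Mar  3 04:11:03 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP SPT=4022 DPT=27374
Mar  3 04:11:05 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=4023 DPT=12345
Mar  3 04:11:06 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.12 PROTO=TCP SPT=4024 DPT=27374
Mar  3 04:11:08 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP SPT=4025 DPT=12345
Mar  3 04:11:09 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.13 PROTO=TCP SPT=4026 DPT=27374
Mar  3 04:11:11 fw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=4027 DPT=31337
Mar  3 04:12:40 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5110 DPT=80
"""

ENTRY_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b.*?\bDPT=(\d+)\b")

def group_by_source(log_text):
    """Map each source IP to its (dest_port, raw_line) entries, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            hits[m.group(1)].append((int(m.group(2)), line.strip()))
    return hits

def pick_evidence(entries, limit=MAX_EVIDENCE):
    """Keep at most `limit` lines: first hit on each distinct port, then repeats."""
    seen, first, repeat = set(), [], []
    for idx, (port, _) in enumerate(entries):
        (repeat if port in seen else first).append(idx)
        seen.add(port)
    keep = sorted((first + repeat)[:limit])  # restore log order
    return [entries[i][1] for i in keep]

def compose_report(src, entries, reporter="<Insert your name here>"):
    """Draft the letter body: evidence lines only, no traceroute/whois output."""
    ports = ", ".join(str(p) for p in sorted({p for p, _ in entries}))
    body = ["Greetings Admin/Abuse,", "",
            f"The following firewall log entries show {src}, in your netblock,",
            f"probing port(s) {ports} on my hosts ({len(entries)} attempts logged):", ""]
    body += pick_evidence(entries)
    body += ["", "Please investigate this issue and handle according to your",
             "Acceptable Use Policy.", "", "Sincerely,", reporter]
    return "\n".join(body)

if __name__ == "__main__":
    print(compose_report("203.0.113.45", group_by_source(SAMPLE_LOG)["203.0.113.45"]))
```

Choosing the first hit on each distinct port before any repeats keeps the one probe of port 31337 in the five-line sample even though it is the seventh entry from that source.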