

How do I find an ISP?

Posted on 2005-03-05
Medium Priority
Last Modified: 2010-04-11

Here is the text of the trace back of one of my port attacks.  How do I find who the ISP is?  Should I use the abuse phone number or the abuse e-mail address to complain?  I'm using Sygate Personal Firewall.  Thank you!

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange: -
NetName:    MCAST-NET
NetHandle:  NET-224-0-0-0-1
NetType:    IANA Special Use
NameServer: FLAG.EP.NET
NameServer: NS.ISI.EDU
NameServer: NIC.NEAR.NET
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 3171 for additional information.
RegDate:    1991-05-22
Updated:    2002-09-16

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org

# ARIN WHOIS database, last updated 2005-03-05 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Question by:Lucynka
LVL 38

Expert Comment

by:Rich Rumble
ID: 13470221
IGMP attack? Sounds like spoofed packets... or just your box responding to someone's multicast session.
NetType:    IANA Special Use
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 3171 for additional information.
http://www.faqs.org/rfcs/rfc3171.html (is this from a LAN, or are you receiving this traffic through your internet connection?)
Read here for a better understanding of multicast: http://en.wikipedia.org/wiki/Multicast
and IGMP http://en.wikipedia.org/wiki/Internet_Group_Management_Protocol
Again, it's broadcast traffic, so if other users on the same IP range/subnet are using one of the many multicast applications out there, your firewall could pick up on it. Or someone is spoofing packets, and a multicast server is then sending them to you because it thinks you want them.

Assisted Solution

tmehmet earned 480 total points
ID: 13470649

>Here is the text of the trace back of one of my port attacks

So basically you are seeing multiple sources trying to scan you.

You need to know something about the internet, it's much like the ocean. Traffic will come to you in waves, sometimes it's quiet and sometimes it's very busy. The fact that you are seeing multiple source addresses means that they are either spoofed (likely) or you are not popular for some reason.

The fact that you have apparently been scanned by IANA reserved addresses (!!!!!!!!) suggests that you are definitely seeing a spoofed scan. If you can't verify that the source is definitely attacking you (not just portscanning) then you should not complain and you should be happy in the knowledge that you are able to detect such things, something many internet users know nothing about.

At this time, if all you are seeing is a port scan, you will not be in a position to complain because a) it's not illegal b) the source is spoofed, complaining to IANA will not help because any of the many millions of users in the world could have generated that traffic, there is nothing IANA can do, they can ask millions of users to 'own up' to spoofing an address from their reserved range.


Expert Comment

ID: 13470664
If you really want to complain, you must go through their abuse email, it is listed in your original post.


LVL 38

Accepted Solution

Rich Rumble earned 520 total points
ID: 13470737
You have not been scanned by IANA... please read about the IP reservation in the RFC and the definition on http://en.wikipedia.org/wiki/Multicast
Most likely it's spoofed data someone sent to mbone or some other multicast service, and then the requests were sent to you. This sort of traffic is very common around universities, especially the ones that are part of the mbone structure.
LVL 38

Expert Comment

by:Rich Rumble
ID: 13470749
This link should help both to understand more:
So if you're seeing traffic from these addresses it's likely a misconfigured router, or your NIC is in promiscuous mode and picking up on traffic that is actually not intended for you.
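
An added example (not part of any post in this thread) of the check the answers describe: before writing to an abuse address, test whether the logged source sits in a special-use block such as MCAST-NET, where the WHOIS contact is the registry and not an ISP. The function names and the sample source 224.0.0.1 are assumptions; the WHOIS fields are the ones quoted in the question.

```python
import ipaddress

# WHOIS fields as quoted in the question (the elided NetRange line is left out).
WHOIS_FROM_QUESTION = """\
OrgName:    Internet Assigned Numbers Authority
NetName:    MCAST-NET
NetHandle:  NET-224-0-0-0-1
NetType:    IANA Special Use
OrgAbuseEmail:  abuse@iana.org
"""

def parse_whois(text):
    """Parse 'Key: value' WHOIS lines into {key: [values]}, skipping '#' comments."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def classify_source(addr):
    """Name the address class. Order matters: is_private also matches loopback,
    link-local and 240.0.0.0/4, and it does not cover 224.0.0.0/4 (multicast)."""
    ip = ipaddress.ip_address(addr)
    checks = [("multicast", ip.is_multicast), ("loopback", ip.is_loopback),
              ("link-local", ip.is_link_local), ("unspecified", ip.is_unspecified),
              ("reserved", ip.is_reserved), ("private", ip.is_private)]
    for name, hit in checks:
        if hit:
            return name
    return "routable"

def triage(addr, whois_text=""):
    """Decide whether the WHOIS abuse contact can identify the sender's ISP."""
    kind = classify_source(addr)
    fields = parse_whois(whois_text)
    net_type = " ".join(fields.get("NetType", []))
    if kind != "routable" or "Special Use" in net_type:
        return {"class": kind, "report_to": None,
                "reason": "special-use block: registry contact, not an ISP"}
    contacts = fields.get("OrgAbuseEmail", [])
    return {"class": kind, "report_to": contacts[0] if contacts else None,
            "reason": "allocated space: use the network's abuse contact"}

if __name__ == "__main__":
    # 224.0.0.1 is a constructed sample source inside the MCAST-NET block.
    print(triage("224.0.0.1", WHOIS_FROM_QUESTION))
```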
