BelchSpeak

Open Source Tools: MyNetWatchman

One of the tough jobs for an internet security analyst is determining the intent of an attacking IP address. The intent can often make the difference in the response you choose to prevent damage from an attack. For instance, if the attacking IP is just part of a larger botnet, then the activity is probably standard reconnaissance of a network, and an active filter probably does not have to be applied to lock out the host. However, if the host keeps coming back and trying newer and more aggressive attacks, you have to lock it out.

There are very few public databases that will tell you what a specific IP address is doing on the internet. Sans.org has one. But the best by far is the database hosted by MyNetwatchman.com.

MyNetwatchman was created by Lawrence Baldwin as a tool to simplify a very annoying problem for ISP operators. You see, people who care about attacking IPs will often send an email to the ISP's abuse department. But when a host is infected with a worm or is part of a botnet, that ISP may get dozens of emails about the same problem. The extra emails don't help; in fact, such a deluge of mail might just get them ignored.

So Baldwin takes correlated attack data from all of his participating members and sends just a single alert to the abuse department. That data is accurate and is often acted on very quickly. And the responses by the ISPs to the attacks are published for everyone to see.

The side benefit is that Baldwin also keeps a historical, searchable database that will show whether a particular attacking IP has attacked other people as well. If it has, chances are that the host is a botnet zombie or infected with a worm. If it does not show up in the history, chances are that the attack is targeted and you should block the offending IP.
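As an added illustration of the correlation and intent heuristic described above (example code written for this page, not MyNetWatchman's own software; the participant names, timestamps, IPs and thresholds are constructed assumptions), this correlates firewall events from several participants into one consolidated report per source IP and applies the "seen by many vs. seen by one and escalating" rule:

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall events from four hypothetical participants:
# (reporter, timestamp, source_ip, destination_port).
EVENTS = [
    ("alice", "2009-03-01 10:00", "203.0.113.5", 445),
    ("bob",   "2009-03-01 10:02", "203.0.113.5", 445),
    ("carol", "2009-03-01 10:05", "203.0.113.5", 445),
    ("dave",  "2009-03-01 10:09", "203.0.113.5", 445),
    ("alice", "2009-03-01 11:00", "198.51.100.9", 22),
    ("alice", "2009-03-01 11:30", "198.51.100.9", 80),
    ("alice", "2009-03-01 12:00", "198.51.100.9", 8080),
    ("alice", "2009-03-01 12:15", "198.51.100.9", 3306),
]

def correlate(events):
    """Group events by source IP: who reported it, which ports, when."""
    by_ip = defaultdict(lambda: {"reporters": set(), "ports": [], "times": []})
    for reporter, ts, ip, port in events:
        rec = by_ip[ip]
        rec["reporters"].add(reporter)
        rec["ports"].append(port)
        rec["times"].append(datetime.strptime(ts, "%Y-%m-%d %H:%M"))
    return by_ip

def classify(rec, min_reporters=3):
    """Many unrelated participants hitting the same port -> worm/botnet
    scan, no filter needed.  One participant, walking through new ports
    -> targeted and escalating, block it.  (Threshold is an assumption.)"""
    if len(rec["reporters"]) >= min_reporters:
        return "widespread-scan"
    if len(rec["reporters"]) == 1 and len(set(rec["ports"])) > 1:
        return "targeted-block"
    return "insufficient-data"

def consolidated_reports(events):
    """One abuse report per source IP instead of one e-mail per victim."""
    reports = {}
    for ip, rec in correlate(events).items():
        reports[ip] = {
            "verdict": classify(rec),
            "reporters": len(rec["reporters"]),
            "events": len(rec["times"]),
            "ports": sorted(set(rec["ports"])),
            "first_seen": min(rec["times"]).isoformat(),
            "last_seen": max(rec["times"]).isoformat(),
        }
    return reports
```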

So if you are running a personal firewall and want to help put a stop to internet scanning, sign up to be a participant. You just have to be running a compatible firewall.

Dr. Jones

Do not talk about fight club. Oops.