
Code Red Attack detected early this morning



Rahwgwar
June 24th, 2003, 12:41 PM
This morning a DOS attack was detected. It occurred at around 8:50..........The remote host? 206.107.239.109, which has valid reverse DNS of cblmdm206-107-239-109.buckeye-express.com..............I did a traceroute and found out that it was based in Toledo, Ohio.

This is what I managed to compile:
Buckeye: Denial of Service "Code Red" attack detected.
Description:
A Code Red attack from outside is detected, it is a very dangerous virus that will deface your webpages, perform a denial-of-service attack, and even crash your system. (Protocol: TCP)
Traffic from IP address 206.107.239.109 is blocked from 06/24/2003 08:50:18 to 06/24/2003 09:00:18.

IPs involved:
206.107.239.109 (remote host)
Domain Servers:
208.16.180.5
208.16.180.6
IPs gained from Traceroute:

Registrant:
Buckeye Cablevision, Inc. (BUCKEYE-EXPRESS-DOM)
5566 Southwyck Boulevard
Toledo, OH 43614
US

Domain Name: BUCKEYE-EXPRESS.COM

Administrative Contact:
Shryock, Paul W (pws4) [email protected]
Buckeye Cablevision, Inc.
5566 Southwyck Blvd
Toledo, OH 43614-1576
US
419-724-9802 fax: 419-724-7074
Technical Contact:
Access Toledo (DT1970-ORG) [email protected]
4818 Angola Rd
Toledo, OH 43615
US
419-724-4000 fax: 419-724-4001

Record expires on 05-Oct-2003.
Record created on 15-Oct-2002.
Database last updated on 24-Jun-2003 13:30:39 EDT.

Domain servers in listed order:

NS1.ACCESSTOLEDO.COM 208.16.180.5
NS2.ACCESSTOLEDO.COM 208.16.180.6

Attached is a screen shot.............my question is........Why in the hell would these guys try to aggressively attack my PC on 2 counts? Anyone else get this often? I'm on a dialup modem.......Secondly how worried should I be about this?.....Is this P2P related?....Other than blocking these IPs is there anything else sensible I can do?.......I had Kazaa and PG running at the time. I should have closed my browser before I went to bed. I also had Ad Subtract Pro going, that's it. Thanks.

smash
June 24th, 2003, 12:51 PM
he probably didn't.

the thing is that his server is probably infected with code red, and is trying to infect your server. simple as that. you should probably e-mail him and tell him to get all of the updates on WindowsUpdate then go to mcafee.com and get the clean-up tool.

Rahwgwar
June 24th, 2003, 12:52 PM
........................

crackerjacker
June 24th, 2003, 01:08 PM
some of those ip addresses look quite familiar.
don't allow outbound tcp connections or inbound connections from those ip addresses.
peace

chipperrox
June 24th, 2003, 01:11 PM
send those people a message telling them to get a better system and to stop being dumbasses. at a corp, don't you think they should have everything updated?

Rahwgwar
June 24th, 2003, 01:54 PM
Well my two most major concerns were that it was a company sent to do RIAA's evil bidding.......yet another scanner...........or a malicious hacker that for one reason or another targeted me. I'm still not convinced that it's not the first one. I consider my security generally tight.

I don't see how they could have tried to infect me. I had no communication with this corp whatsoever.........Maybe I'm paranoid, but it seems a little bit coincidental/suspicious to me.

Power Penguin
June 24th, 2003, 02:02 PM
I think you should only be worried if you run servers and you have open ports.

zaphodiv
June 24th, 2003, 05:30 PM
I really really hate personal firewall software that reports trivial stuff as a "DOS attack" or calls a ping an "ICMP attack". I am not sure if they do it to make it seem risky and exciting or to scare lamers into paying them more money for a pro version or something.

I have a log of all the incoming chatter on my port 80 from February. 3500 Code Red/Nimda exploit attempts in a month from about 12 different hosts per day.

Amuse yourself with complaints if you wish. You will get no reply or a "You have been allocated incident number #107346776347" automated reply. Even if they find the person stupid enough to connect Microsoft IIS to the internet and beat him to death with an XT keyboard you will get nothing more than a "this incident has been investigated and is now closed" response.

>You might find yourself in trouble.
No he won't. There is nothing wrong with telling people about an infected machine.

>Congrats. you just helped screw this guy over.
He screwed himself through his own stupidity.
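The kind of port-80 probe tally zaphodiv describes, as an added example that is not from this thread: a Python script that classifies Apache common-log style access-log lines by the publicly documented Code Red (`GET /default.ida?...`) and Nimda (`root.exe` / `cmd.exe` with `?/c+`) request signatures and reports attempts per worm and distinct probing hosts per day. The log lines are constructed samples, and the log format and function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common-log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2003:04:12:01 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 -
10.0.0.5 - - [03/Feb/2003:04:12:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.7 - - [03/Feb/2003:09:45:10 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.2 - - [04/Feb/2003:01:00:00 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [04/Feb/2003:02:00:00 +0000] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
"""

# host, day (dd/Mon/yyyy) and the quoted request line of a common-log entry
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] "(?P<req>[^"]*)"'
)

# Request-line signatures of the two worms that hammered port 80 in 2001-2003.
SIGNATURES = {
    "codered": re.compile(r"^GET /default\.ida\?", re.I),      # IDA/IDQ overflow probe
    "nimda": re.compile(r"/(?:root|cmd)\.exe\?/c\+", re.I),    # IIS traversal/backdoor probe
}


def classify(request_line):
    """Return the worm name whose signature matches, or None for benign traffic."""
    for worm, pattern in SIGNATURES.items():
        if pattern.search(request_line):
            return worm
    return None


def summarize(log_text):
    """Count worm probes in a log and list the distinct probing hosts per day."""
    total = 0
    by_worm = defaultdict(int)
    hosts_by_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        worm = classify(m.group("req"))
        if worm is None:
            continue
        total += 1
        by_worm[worm] += 1
        hosts_by_day[m.group("day")].add(m.group("host"))
    days = len(hosts_by_day)
    avg_hosts = sum(len(h) for h in hosts_by_day.values()) / days if days else 0.0
    return {
        "total": total,
        "by_worm": dict(by_worm),
        "hosts_by_day": {d: sorted(h) for d, h in hosts_by_day.items()},
        "avg_hosts_per_day": avg_hosts,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Point the script at a real access log (read the file instead of `SAMPLE_LOG`) to get the per-day host count; the totals are what a complaint to the source network's abuse contact would need to cite.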