First off, given the IP address, you need to figure out what domain the
attacker is coming from. You can get this by using the nslookup command
in Windows NT/2000/XP and Unix. At a command prompt, type nslookup. Then,
at the ">" prompt, type the IP address. You'll get the domain name back,
such as www.counterhack.net. Now, go to InterNIC to find out where this
domain name was registered. At www.internic.net/whois.html, type in the
end of the domain name, such as counterhack.net. The response will tell
you the registrar that site used to register their domain name, such as:
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Go to this whois server and look up the domain name again. Finally, you'll get the data you want. The response will include the name, phone number and e-mail address of the person responsible for technical oversight of that domain. You can contact that person and let them know that someone in their domain space appears to be attacking you. They may ignore you, but it's possible you'll get their attention. Send them some log snippets explaining the attack. Also, it's possible that the administrator is the one who is attacking you. Still, your e-mail or phone call may act as a warning so they'll stop.
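The lookup chain described above (reverse DNS, registry whois, then the registrar's own whois server), as an added Python example that is not part of the original answer. The registry server whois.verisign-grs.com (queried here in place of the InterNIC web form), the function names and the sample reply are assumptions or constructed for illustration.

```python
import re
import socket

# Constructed sample of a registry reply, using the fields quoted on the page.
SAMPLE_REGISTRY_REPLY = """\
   Domain Name: COUNTERHACK.NET
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
"""
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def registered_domain(hostname):
    """Keep the last two labels. Assumption: names under suffixes such as
    co.uk need a public-suffix list instead."""
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])

def parse_referral(reply):
    """Return (registrar, whois_server) from a registry-level whois reply."""
    registrar = server = None
    for line in reply.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key == "registrar" and registrar is None:
            registrar = value
        elif key in ("whois server", "registrar whois server") and server is None:
            # The referral is untrusted input: accept only a plain hostname.
            server = value if HOST_RE.match(value) else None
    return registrar, server

def whois_query(server, query, timeout=10):
    """Whois (RFC 3912): send the query and CRLF to TCP port 43, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def trace(ip, registry="whois.verisign-grs.com"):  # assumed .com/.net registry
    """IP -> hostname -> domain -> registrar -> registrar's contact record."""
    hostname = socket.gethostbyaddr(ip)[0]  # same answer nslookup gives
    domain = registered_domain(hostname)
    registrar, server = parse_referral(whois_query(registry, domain))
    record = whois_query(server, domain) if server else None
    return hostname, domain, registrar, record

if __name__ == "__main__":
    print(parse_referral(SAMPLE_REGISTRY_REPLY))
```

Call trace() with the source address from your logs; it needs outbound DNS and TCP port 43.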
Also, you can report attacks to the Computer Emergency Response Team Coordination Center at Carnegie Mellon University. They collect information about attacks and sometimes offer help in stopping them. Their main site is at www.cert.org, and their incident reporting page is at https://irf.cc.cert.org/.
This was first published in November 2002