LinuxQuestions.org
Forums > Linux Forums > Linux - Security
Old 04-18-2006, 06:16 AM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Rep: Reputation: 30
Analyze my hosts.deny


I have Debian Sarge 3.1 (2.6) and I use portsentry to detect scans and log them. It adds the IP to hosts.deny. I want you to have a look at this hosts.deny IP list, which is full of IPs coming from my ISP's subnet. I show you a sample:

I don't think I was under attack by my ISP's users. I think they have been used as an nmap decoy, maybe. Any ideas?
 
Old 04-18-2006, 06:18 AM   #2
gabsik

Why do they come from the same subnet? A conspiracy against me from the 87.7.0.0 network? A DDoS?

 
Old 04-18-2006, 04:06 PM   #3
gabsik
Update:
These scans come regularly from the same subnets; portsentry doesn't block them because they are already in the hosts.deny list.
Maybe only a real security expert can help me with this, or that's just the way scans go. In fact I'm just a 1-year-old sysadmin ...
 
Old 04-18-2006, 05:49 PM   #4
Capt_Caveman
It could be a decoy or distributed scan, but I don't think that's very likely. A lot of Windows malware is hard-coded to scan other machines on the local subnets, or it could just be false positives. Do you know what ports are being scanned?
 
Old 04-19-2006, 12:04 AM   #5
gabsik
I have placed portsentry's "honeypots" on the NetBIOS ports of the public eth0. They could be false positives if they were public servers, but what's the point of connecting to a public Samba share if not to crack it, right? I will try configuring portsentry more relaxed, but I believe more in the theory of a spammer/worm/DDoS of some sort, because snort logs Samba and CUPS ports too ... (clear?)
 
Old 04-19-2006, 09:01 AM   #6
Capt_Caveman
Windows machines generate a good amount of NetBIOS traffic under normal circumstances, and Windows machines that are infected with common viruses/worms can do a lot of NetBIOS scanning. In fact the Windows NetBIOS ports are usually among the top scanned ports on the Internet.
 
Old 04-19-2006, 09:12 AM   #7
gabsik
Well, Legion scanner is a cult; I still don't understand "my ISP's subnet conspiracy" ... ! I have Samba shares in my LAN and my dad's Windows machine, which is always switched off; it's all well filtered.
I would also like to find a nice way with iptables to limit NetBIOS broadcasts coming from my DMZ.
iptables -A OUTPUT -s $DMZ ! -d 192.168.1.255/30 -j ACCEPT
With subnet /30 I will limit broadcasts to reach just the first 2 hosts, right? Anything better than this?

 
Old 04-19-2006, 09:17 AM   #8
nx5000
Is your IP in the same subnet?
As Capt_Caveman said, maybe you are hit by a virus trying only the local subnet. It could also be that all others are blocked by anti-spoofing/anti-NetBIOS rules at your ISP.
 
Old 04-19-2006, 01:32 PM   #9
gabsik
Yes, it is the tim.it subnet ... 82.59.0.0 ... and it still goes on !!!

 
Old 04-28-2006, 03:13 AM   #10
gabsik
UPDATE:
After more than a month I keep on getting the same subnets of my ISP hammering on the front eth0 NetBIOS ports:
Apr 28 09:57:31 localhost ippl: loc-srv connection attempt from 87.10.183.52
Apr 28 09:57:31 localhost ippl: loc-srv connection attempt from 87.10.183.52
Apr 28 09:58:09 localhost ippl: loc-srv connection attempt from 87.10.78.16
Apr 28 09:58:09 localhost ippl: loc-srv connection attempt from 87.10.78.16
Apr 28 10:00:23 localhost ippl: loc-srv connection attempt from 87.10.248.128
Apr 28 10:00:23 localhost ippl: loc-srv connection attempt from 87.10.248.128
Apr 28 10:00:31 localhost ippl: loc-srv connection attempt from 87.10.165.214
Apr 28 10:00:31 localhost ippl: loc-srv connection attempt from 87.10.165.214
Apr 28 10:00:32 localhost ippl: loc-srv connection attempt from 87.11.248.98
Apr 28 10:00:32 localhost ippl: loc-srv connection attempt from 87.11.248.98
Apr 28 10:00:41 localhost ippl: loc-srv connection attempt from 87.17.98.147
Apr 28 10:00:41 localhost ippl: loc-srv connection attempt from 87.17.98.147
Apr 28 10:00:45 localhost ippl: loc-srv connection attempt from 87.10.172.206
Apr 28 10:00:45 localhost ippl: loc-srv connection attempt from 87.10.172.206
Apr 28 10:01:04 localhost ippl: loc-srv connection attempt from 87.10.180.200
Apr 28 10:01:04 localhost ippl: loc-srv connection attempt from 87.10.180.200

Is it a worm? It's getting annoying!
 
Old 04-28-2006, 07:05 AM   #11
Capt_Caveman
Quote (originally posted by gabsik): Is it a worm?

Probably. At any given moment on most ISPs' networks there are large numbers of Windows machines infected with malware (worms/viruses) that perform scanning of local subnets, and the NetBIOS ports are always among the top scanned ports. Most people aren't aware of it, but that's the reality of today's Internet.

If you are really curious, you can use Ethereal or tcpdump to capture some of the packets (make sure to get a full dump of the payload) and you might be able to narrow down the exact species of malware. Alternatively you can set up a netcat listener on those ports, but I would recommend against that unless you know what you are doing.

Quote (originally posted by gabsik): It's getting annoying

You have their IP addresses. If it's coming from the same IPs or subnets you can use iptables to ban them permanently.
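A small triage script for the logs quoted in this thread, added here as an example and not part of the thread: it parses the ippl and router lines, groups the distinct sources by /16 to show whether one ISP block dominates, and emits iptables DROP rules for repeat sources on the NetBIOS/RPC ports. The /16 grouping, the 2-hit threshold and the port list 135,139,445 are assumptions; the sample lines are constructed from the formats shown above.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: ippl lines and router lines in the two formats quoted in the thread.
SAMPLE_LOG = """\
Apr 28 09:57:31 localhost ippl: loc-srv connection attempt from 87.10.183.52
Apr 28 09:57:31 localhost ippl: loc-srv connection attempt from 87.10.183.52
Apr 28 09:58:09 localhost ippl: loc-srv connection attempt from 87.10.78.16
Apr 28 10:00:32 localhost ippl: loc-srv connection attempt from 87.11.248.98
Mon, 2006-05-08 08:47:46 - TCP Packet - Source:87.7.108.35,4518 Destination:87.7.150.2,445 - [DOS]
Mon, 2006-05-08 08:47:49 - TCP Packet - Source:87.7.38.237,4720 Destination:87.7.150.2,445 - [DOS]
Mon, 2006-05-08 08:59:27 - UDP Packet - Source:222.208.168.130,54068 Destination:87.7.150.2,1032 - [DOS]
Mon, 2006-05-08 08:59:31 - Send E-mail Success!
"""

# ippl names the service (loc-srv is TCP 135); the router log names the destination port.
IPPL_RE = re.compile(r"ippl: (?P<target>\S+) connection attempt from (?P<src>\d+\.\d+\.\d+\.\d+)")
ROUTER_RE = re.compile(r"Source:(?P<src>\d+\.\d+\.\d+\.\d+),\d+ Destination:[\d.]+,(?P<target>\d+)")

def parse_sources(text):
    """Return (source_ip, target) pairs, one per logged attempt; lines that match neither format are skipped."""
    events = []
    for line in text.splitlines():
        m = IPPL_RE.search(line) or ROUTER_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("target")))
    return events

def sources_by_prefix(events, prefix_len=16):
    """Group distinct source IPs by their /prefix_len network (assumed /16 = one ISP allocation)."""
    groups = defaultdict(set)
    for src, _ in events:
        groups[str(ip_network(f"{src}/{prefix_len}", strict=False))].add(src)
    return {net: sorted(ips, key=ip_address) for net, ips in groups.items()}

def drop_rules(events, min_hits=2, ports="135,139,445"):
    """iptables rules for sources seen at least min_hits times, limited to the NetBIOS/RPC ports."""
    hits = Counter(src for src, _ in events)
    return [f"iptables -A INPUT -s {src} -p tcp -m multiport --dports {ports} -j DROP"
            for src, n in sorted(hits.items(), key=lambda kv: ip_address(kv[0])) if n >= min_hits]

if __name__ == "__main__":
    ev = parse_sources(SAMPLE_LOG)
    for net, ips in sorted(sources_by_prefix(ev).items(), key=lambda kv: ip_network(kv[0])):
        print(f"{net}: {len(ips)} distinct source(s) {ips}")
    print("\n".join(drop_rules(ev)))
```

Feed it `/var/log/messages` or the router's mail report instead of SAMPLE_LOG; a single /16 holding almost every source is the "same subnet" pattern the thread is asking about.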
 
Old 04-28-2006, 08:17 AM   #12
nx5000
You can use this, I've always wanted to try it but didn't yet as I have no connection at home, only at work:

http://labrea.sourceforge.net/labrea-info.html
 
Old 04-28-2006, 01:49 PM   #13
gabsik
Well, I'm already playing with portsentry, but blind; I'm getting what you advised me, I will let you know!
 
Old 05-03-2006, 04:28 PM   #14
gabsik
I have read the INSTALL file in laBrea.tar.gz; it sounds like it can mess up my routing tables and really looks like it requires expert hands to play with! Have you tried it? Any advice?
 
Old 05-08-2006, 04:27 AM   #15
gabsik
UPDATE
Look at this report from my router:
Mon, 2006-05-08 08:47:46 - TCP Packet - Source:87.7.108.35,4518 Destination:87.7.150.2,445 - [DOS]
Mon, 2006-05-08 08:47:49 - TCP Packet - Source:87.7.38.237,4720 Destination:87.7.150.2,445 - [DOS]
Mon, 2006-05-08 08:47:52 - Send E-mail Success!
Mon, 2006-05-08 08:59:27 - UDP Packet - Source:222.208.168.130,54068 Destination:87.7.150.2,1032 - [DOS]
Mon, 2006-05-08 08:59:31 - Send E-mail Success!
Mon, 2006-05-08 09:27:03 - LCP down....

This happens twice a day: my connection goes down because of these attacks. The list of IPs is much longer than that, with the majority coming from the 85.38.0.0 or 87.37.0.0 networks. The router has a checkbox saying "protection against DOS attacks" but it doesn't seem to be working; I'm desperate !!!!
 