LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-04-2003, 11:50 AM   #1
loganwva
Member
 
Registered: Jul 2001
Location: West Virginia
Distribution: SuSE 9.1
Posts: 117

Rep: Reputation: 15
finding an attacker


How do I let an attacker know that I know he has attempted to enter my system? I have the attacker's IP address and his DNS name. What do I do with this information to inform the attacker that I know what he's up to?

Thank you
 
Old 01-04-2003, 11:57 AM   #2
wdingus
Member
 
Registered: Aug 2001
Location: Kingsport, TN
Distribution: RHEL & FC
Posts: 267

Rep: Reputation: 30
Assuming you're 100% confident it *is* a hack attempt and not something else... Many times I see messages from people who install Windows firewall software and immediately think they're getting 20 hack attempts an hour where in reality it's P2P file sharing clients trying to attach to them because someone running a P2P server had their IP address before they did.

Anyway, assuming it really is a hack attempt, keep good records. There is not much you can do, but at the very least you could find out who their ISP is and email their fraud/abuse department. Go to www.arin.net and do a whois against the IP to see who owns that IP address. It might show AT&T, then a smaller regional ISP, then a mom-n-pop ISP. AT&T might own a contiguous block of millions of IPs, provide a 16K IP block to a large ISP buying bandwidth from them, who issues a couple of Class C's to a smaller ISP buying connectivity from them. Make sure you deal with the end-user ISP, the company this person actually pays. If you try upstream with AT&T (example only) or the large regional ISP you'll probably get nowhere.

Anyway, with this ISP's info, surf to their site, find contact info and email all the details you can on what the person has done or has tried to do. Be very specific, include all the details you can...

Good luck!
 
Old 01-06-2003, 12:32 AM   #3
DaveL
LQ Newbie
 
Registered: Jan 2003
Posts: 4

Rep: Reputation: 0
try www.dshield.org
 
Old 09-01-2003, 04:15 PM   #4
RolledOat
Member
 
Registered: Feb 2003
Location: San Antonio
Distribution: Suse 9.0 Professional
Posts: 843

Rep: Reputation: 30
When I see a systematic scan of my system, port 35, 36, 37 or someone hitting my port(s) rapidly (i.e. not some url pointing to the wrong place with 4 second timeout kind of thing),

ping -f <ip address>

You won't get a reply back because they invariably protect themselves, but it will get you noticed. It never fails to shut them up, at least for me, and I like to think it causes a minor shock to be singled out so quickly.

Occasionally, I will disable my firewall, perform a traceroute and once I get their ISP info, email the traceroute and the trace from /var/log/messages to the ISP. I have successfully gotten 3 people booted off their ISP (confirmed, that is. Usually the ISP doesn't reply, so I don't know about the rest). Usually only do this when I feel like it. I keep my system up to date, full stealth on all ports, etc.

RO.

P.S. I use firestarter because of its available GUI showing hits in real time. I have it sticky on all desktops.

Last edited by RolledOat; 09-01-2003 at 04:18 PM.
 
Old 09-03-2003, 04:35 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: "How do I let an attacker know that I know he has attempted to enter my system?"
I agree with what is written above, but determining the plausibility/gravity of the attack should be the best thing to start with. For example, if someone probes for typical MICROS~1 stuff like TCP/1433,1434 (MsSQL, WINS), and you don't provide those services, then simply discard 'em, cuz pursuing those is a waste of time. OTOH, if there's an Apache, Sendmail or OpenSSH exploit doing the rounds, then finding out the location and remote OS can be helpful in determining the "leetness factor" of your opponent.
In the end the decision what to pursue based on "interesting" scans (IMO) depends on what services you provide, the scan pattern, the IP range it's coming from and the remote OS.

For this I use some simple firewall tools, Snort and P0f. The firewall scripts summarize/track in/outbound traffic to help me try 'n get a fix on any probing patterns (like a single ping a few days before a specific probe), Snort helps me determine if a known exploit is used and saves tcpdumps as "evidence" (comes in handy when it's an unknown or new 'sploit) and P0f helps me determine remote OS characteristics. If I can't get a fix on the remote OS I'll try a remote Nmap. Tracking location can be done by simply resolving the hostname, but if you're paranoid you'll use Tcptraceroute, L4T (make sure your TTL ends x hops *before* the endpoint) or a remote service. If you didn't already, checking Isc.incidents.org, Bugtraq and SF for trends and new 'sploits and Dshield for activity from the IP/range will help as well.

Like mentioned before the chance your email (well-written, detailed and accompanied by tcpdumps and logs (UTC time!)) will end up in the bitbucket is usually large. In interesting cases this should not be a point and you should pursue alerting the ISP (and ISC/SANS and/or Dshield/MyWatchthingie) anyway.
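As an added example (not code from this thread or any of its posters), a small Python triage script in the spirit of the firewall-summarizing scripts unSpawn describes: it parses constructed iptables LOG lines in /var/log/messages syslog format, converts the stamps to UTC for an abuse report, and separates a multi-port burst (the ports 35/36/37 case RolledOat mentions) from a single hit and from probes for services you don't run (the TCP/1433,1434 case). The log lines, the GMT-5 offset and the year 2003 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed sample: iptables LOG lines as syslog writes them to /var/log/messages (not real traffic).
SAMPLE_LOG = """\
Sep  3 04:15:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=3457 DPT=1433 SYN
Sep  3 04:15:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=3458 DPT=1434
Sep  3 04:15:02 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=35 SYN
Sep  3 04:15:02 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=36 SYN
Sep  3 04:15:03 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=37 SYN
Sep  3 04:15:03 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=40004 DPT=22 SYN
Sep  3 04:19:40 gw kernel: IN=ppp0 OUT= SRC=192.0.2.5 DST=198.51.100.7 PROTO=TCP SPT=1029 DPT=80 SYN
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*SRC=(\S+) .*PROTO=(\S+) .*DPT=(\d+)")
# Assumptions: syslog stamps carry no year or zone; this box logged local time at
# GMT-5 (the offset this forum page states) during 2003. Abuse desks want UTC.
LOCAL_TZ = timezone(timedelta(hours=-5))
LOG_YEAR = 2003

def parse(text):
    # Return (utc_time, src_ip, proto, dst_port) for each firewall LOG line; skip other lines.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, src, proto, dport = m.groups()
        local = datetime.strptime(f"{LOG_YEAR} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
        events.append((local.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc), src, proto, int(dport)))
    return events

def triage(events, provided, min_ports=3, window=timedelta(seconds=10)):
    """Per source IP: 'scan' = min_ports distinct ports within one window; 'watch' = hit on a service we run; 'discard' = neither."""
    by_src = defaultdict(list)
    for utc, src, _proto, dport in events:
        by_src[src].append((utc, dport))
    result = {}
    for src, hits in by_src.items():
        hits.sort()
        # widest burst: number of distinct ports seen within `window` after any one hit
        burst = max(len({p for t, p in hits if t0 <= t <= t0 + window}) for t0, _ in hits)
        ports = sorted({p for _, p in hits})
        if burst >= min_ports:
            verdict = "scan"
        elif provided & set(ports):
            verdict = "watch"
        else:
            verdict = "discard"
        result[src] = {"first_utc": hits[0][0].isoformat(), "ports": ports, "verdict": verdict}
    return result
```

Only the "scan" sources are worth writing up for the ISP; the "first_utc" field gives the UTC stamp the abuse desk will ask for.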
 
Old 09-03-2003, 05:17 AM   #6
epox111
LQ Newbie
 
Registered: Jul 2003
Location: Tasmania
Distribution: Red Hat 9
Posts: 26

Rep: Reputation: 15
RolledOat.....
"P.S. I use firestarter because of its available GUI showing hits in real time. I have it sticky on all desktops."
How do you make it sticky on all desktops???
Sorry...I know stupid newbie question
 
Old 09-03-2003, 12:14 PM   #7
RolledOat
Member
 
Registered: Feb 2003
Location: San Antonio
Distribution: Suse 9.0 Professional
Posts: 843

Rep: Reputation: 30
Very easy. I have KDE, but most have this option. Right click on the top navbar for the firestarter window, select 'To Desktop-->All Desktops'. Then, do the same and select 'Always on Top'. I then put it in the upper right hand corner and can see it scrolling continually. I use dialup, so I do this every time I connect, but it takes about 5 seconds now that I have done it a hundred times. :-)

RO
 
Old 09-03-2003, 10:52 PM   #8
epox111
LQ Newbie
 
Registered: Jul 2003
Location: Tasmania
Distribution: Red Hat 9
Posts: 26

Rep: Reputation: 15
RolledOat.............Thanx man!!!!!!!!
 

All times are GMT -5.