When I ID an attacking host, I do send the ISP/admins a note. But I'd like faster reaction on the host's own part to self-defend because their reaction times almost always stink. Most of the attacks are from scripts being run on 0wned hosts around the world. Some real zombies, some just UNIX boxes some schmoe nailed. This morning's run of my script had some nice coincidental test data from .dk and .kr.

Whee. I'm still stunned at the sheer number of "security" people whose scripts can be casually used to DoS the host they're "protecting."