Tools for LARTing large nets of compromised boxen?

One of our customers is (has been) under concerted attempt at a DDoS attack against their web server off and on for a while. I've lists of IPs, lots of them, many hundreds. I'd like to know if anyone has a tool that will take and match these lists of IPs into abuse contacts and fire off a LART to the appropriate RP for the IP, but only one per full set, IE if RP-A has IP A.B.C.D and A.B.C.C he should get one mail clue-batting him for both IPs.

Any help? TIA!

And before you go off on me YES these are the RESPONSIBLE boxen. There might be a CnC behind the drones but I'd have no way of obtaining that without cooperation. The actual attack is an old closed attack against phpBB so I've got web transactions on each of these bastards, not just an incoming UDP fart.

It's not an actual tool for doing the whole job, but you could use "bulk mode" on to turn your list of IPs [and timestamps?] into a a list of "AS | IP | Timestamp | AS Name". Send a help request to the whois server for instructions.

Once you have that, you could pretty easily split it by AS#, grab email addresses from whois records for the AS#'s, and email each AS#'s data to their ASN POCs.

You could also post a URL to the full output from your cymru whois here, and someone would likely forward the data to nsp-sec.

I received quite a few good responses, I've ended up using and from the list below (found at the same place).

Thanks again everyone.

IASON was pointed out but seems incomplete and

Another member pointed out that Cymru WHOIS server has a bulk mode input to turn IP lists into source ASNs. and whois:// from along with from same is what I ended up using. I had to write a pattern to match, and remove other patterns to prevent accidental matches but this ended up doing what I wanted.

I got some other responses, some duplicates too. I've anonymized responses since I'm not sure if the off-list responders wish to be identified.