Dshield.org

jnull jnull at truerouting.com
Sun Jul 28 19:04:56 UTC 2002



"I do not recommend adding every IP listed at DShield to your filter"
/understatement. 

I took a short while to peruse the data collected and distributed by
DShield. I don't believe I need to go into the many reasons (I'm sure
you know yourself) why this information is completely unreliable, but
worse, possibly damaging. Offering this data, backed up by the SANS name for
credibility, might entice a novice engineer to act upon it.

This:
"Disclaimer
DShield currently employs as little filtering of incoming reports as
possible. Most reports are sent anonymously. We do not know if these
logs are truthful, or if the firewall configuration was correct.
DShield.org will attempt to protect the identity of the submitter. If
you have a question regarding a specific target or source IP, please
send an e-mail to info at dshield.org." is insufficient
and, IMHO, irresponsible.

That said, I do believe your motives and purpose are worthwhile, but the
process completely undermines them both. If you're interested in
retooling the scripts and using registered and credible sources, I would
not only offer assistance in the effort but endorse it as well.

Jeff Nelson
PGP: 0x54B1A25C

"There are 10 types of people:
those that understand binary,
and those that do not."


-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Johannes Ullrich
Sent: Saturday, July 27, 2002 9:49 PM
To: pr at isprime.com
Cc: alsato at hotpop.com; nanog at merit.edu
Subject: Re: Bogon list or Dshield.org type list



I do not recommend adding every IP listed at DShield to your filter.
We do publish a 'block list', of the worst networks (based on reports
for the last 5 days). 

Quick note on our methods: We basically aggregate firewall logs and
offer summarized reports. The reports should allow everyone to apply
their own judgment.

For the block list:
http://www.dshield.org/block_list_info.html



On Sat, 27 Jul 2002 20:19:47 -0400
"Phil Rosenthal" <pr at isprime.com> wrote:

> I can comment on the dshield list.
> I have seen this before.  I am checking one particular IP on my network
> that has a very popular freehost on it.  Checking the load balancer IP
> (connections cannot be originated from this IP) -- it shows that there
> were 13 attacks initiated from the IP, and 7 targets.  Whatever their
> algorithm is, it doesn't seem reliable enough for me to trust it if an
> IP that can not originate connections is listed as an attacker (albeit
> small on their list)
> --Phil
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of alsato
> Sent: Saturday, July 27, 2002 8:08 PM
> To: nanog at merit.edu
> Subject: Bogon list or Dshield.org type list
> 
> 
>  
> I'm wondering how many of you use Bogon Lists and
> http://www.dshield.org/top10.html type lists on your routers?  I'm
> curious to know if you are an ISP with customers or backbone provider
> or someone else?  I have a feeling not many people use these on routers?
> I'm wondering why or why not?
> I've never used them on my routers although I work for a new ISP/cable
> provider.  I'm thinking it would make my users happy to use them though.
>  
>  
> alsato
> 
> 


-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
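As an added illustration of Johannes' point that the summarized reports are meant to be filtered by the reader's own judgment, and of Phil's false positive on an address that cannot originate connections, here is example code (not DShield's and not from anyone in this thread) that vets a block list against protected prefixes and a report threshold before rendering it as router ACL lines. The tab-separated column layout, the prefixes and the attack counts are constructed assumptions, not real DShield data.

```python
import ipaddress

# Constructed sample in an assumed DShield-style tab-separated layout
# (columns: start, end, prefix length, attack count). Not real data.
SAMPLE_BLOCK_LIST = """\
# start\tend\tnetblock\tattacks
203.0.113.0\t203.0.113.255\t24\t1543
198.51.100.0\t198.51.100.255\t24\t13
10.0.0.0\t10.255.255.255\t8\t900
192.0.2.0\t192.0.2.255\t24\t87
"""

# Constructed placeholders: your own address space (where an address like
# Phil's load balancer would live) and private space that must never be filtered.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
NEVER_BLOCK = [ipaddress.ip_network(p) for p in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_block_list(text):
    """Return (network, attacks) pairs from the tab-separated text, skipping comments."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        start, _end, prefix_len, attacks = line.split("\t")[:4]
        net = ipaddress.ip_network(f"{start}/{prefix_len}", strict=False)
        entries.append((net, int(attacks)))
    return entries

def vet(entries, min_attacks=100):
    """Keep only entries that avoid protected space and meet the report threshold."""
    kept, dropped = [], []
    for net, attacks in entries:
        if any(net.overlaps(p) for p in OWN_PREFIXES + NEVER_BLOCK):
            dropped.append((net, "overlaps protected prefix"))
        elif attacks < min_attacks:
            dropped.append((net, f"only {attacks} reports"))
        else:
            kept.append(net)
    return kept, dropped

def to_acl(nets, acl_number=110):
    """Render kept networks as Cisco IOS-style extended ACL deny lines."""
    return [f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any"
            for n in nets]

if __name__ == "__main__":
    kept, dropped = vet(parse_block_list(SAMPLE_BLOCK_LIST))
    print("\n".join(to_acl(kept)))
```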



