Dshield.org

• Previous message (by thread): Dshield.org
• Next message (by thread): Bogon list or Dshield.org type list
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"/overstatement" -- fair enough. I don't mean to diminish the effort.

I guess it is the unused potential that gets under my skin here. This
could actually be an extremely useful tool for research if the data had
some sense of accountability.

"one has to understand and take into account how it is collected" 
Based on your methods of collection, with minimal work, one could make
167.216.198.40 #1 on Most Wanted list (assuming sans.org is not on the
false positive's list).

Anyway, that's my $.02... I'll mind my own business now

GL,

j

-----Original Message-----
From: Johannes Ullrich [mailto:jullrich at sans.org] 
Sent: Sunday, July 28, 2002 4:24 PM
To: jnull
Cc: nanog at merit.edu; info at dshield.org; info at sans.org
Subject: Re: Dshield.org


> "I do not recommend adding every IP listed at DShield to your filter"
> /understatement. 
> 
> I took a short while to peruse the data collected and distributed by
> DShield. I don't believe I need to go into the many reasons (I'm sure
> you know yourself) why this information is completely unreliable, but
> worse, possibly damaging.

/overstatement ;-)

DShield data is not 'completely unreliable'. However, in order to use
it, one has to understand and take into account how it is collected.

If you find one of your machines listed as 'attackers', you may want
to take a closer look at the reports. If it turns out that the machine
in question is your DNS server, and the reports listed are port 53
requests, you can probably assume that everything is fine, in particular
if there are only a few reports.

We (DShield) don't apply any filters, but this doesn't indicate that you
shouldn't. We do no apply any filters because we do not know your
network
configuration.

In several cases, we added IPs to our 'false positive' list of IPs which
we consider as common sources of false positive reports. For example,
root DNS servers are on this list, some large load balancers and some
port scan sites (Shields Up...)



-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org

• Previous message (by thread): Dshield.org
• Next message (by thread): Bogon list or Dshield.org type list
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]