nanog mailing list archives

RE: Dshield.org

From: "jnull" <jnull () truerouting com>
Date: Sun, 28 Jul 2002 16:59:57 -0500


"/overstatement" -- fair enough. I don't mean to diminish the effort.

I guess it is the unused potential that gets under my skin here. This
could actually be an extremely useful tool for research if the data had
some sense of accountability.

"one has to understand and take into account how it is collected" 
Based on your methods of collection, with minimal work, one could make
167.216.198.40 #1 on Most Wanted list (assuming sans.org is not on the
false positive's list).

Anyway, that's my $.02... I'll mind my own business now

GL,

j

-----Original Message-----
From: Johannes Ullrich [mailto:jullrich () sans org] 
Sent: Sunday, July 28, 2002 4:24 PM
To: jnull
Cc: nanog () merit edu; info () dshield org; info () sans org
Subject: Re: Dshield.org

"I do not recommend adding every IP listed at DShield to your filter"
/understatement. 

I took a short while to peruse the data collected and distributed by
DShield. I don't believe I need to go into the many reasons (I'm sure
you know yourself) why this information is completely unreliable, but
worse, possibly damaging.


/overstatement ;-)

DShield data is not 'completely unreliable'. However, in order to use
it, one has to understand and take into account how it is collected.

If you find one of your machines listed as 'attackers', you may want
to take a closer look at the reports. If it turns out that the machine
in question is your DNS server, and the reports listed are port 53
requests, you can probably assume that everything is fine, in particular
if there are only a few reports.

We (DShield) don't apply any filters, but this doesn't indicate that you
shouldn't. We do no apply any filters because we do not know your
network
configuration.

In several cases, we added IPs to our 'false positive' list of IPs which
we consider as common sources of false positive reports. For example,
root DNS servers are on this list, some large load balancers and some
port scan sites (Shields Up...)



-- 
---------------------------------------------------------------
jullrich () sans org             Collaborative Intrusion Detection
                                    join http://www.dshield.org

Current thread:

Bogon list or Dshield.org type list alsato (Jul 27)
- RE: Bogon list or Dshield.org type list Phil Rosenthal (Jul 27)
  - Re: Bogon list or Dshield.org type list Johannes Ullrich (Jul 27)
    - Re: Bogon list or Dshield.org type list Charles Sprickman (Jul 28)
    - Re: Bogon list or Dshield.org type list John Palmer (NANOG Acct) (Jul 28)
    - Re: Bogon list or Dshield.org type list Måns Nilsson (Jul 29)
    - RE: Dshield.org jnull (Jul 28)
    - Re: Dshield.org Johannes Ullrich (Jul 28)
    - RE: Dshield.org jnull (Jul 28)
- RE: Bogon list or Dshield.org type list jnull (Jul 27)
- <Possible follow-ups>
- RE: Bogon list or Dshield.org type list michael . dillon (Jul 29)
  - Re: Bogon list or Dshield.org type list Peter E. Fry (Jul 29)
  - RE: Bogon list or Dshield.org type list jnull (Jul 29)
    - RE: Bogon list or Dshield.org type list Dan Hollis (Jul 29)