[50418] in North American Network Operators' Group


Re: Dshield.org

daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Sun Jul 28 17:29:06 2002

Date: Sun, 28 Jul 2002 17:24:28 -0400
From: "Johannes Ullrich" <jullrich@sans.org>
To: "jnull" <jnull@truerouting.com>
Cc: nanog@merit.edu, info@dshield.org, info@sans.org
In-Reply-To: <005101c23669$af4a18d0$110010ac@packet>
Errors-To: owner-nanog-outgoing@merit.edu



> "I do not recommend adding every IP listed at DShield to your filter"
> /understatement. 
> 
> I took a short while to peruse the data collected and distributed by
> DShield. I don't believe I need to go into the many reasons (I'm sure
> you know yourself) why this information is completely unreliable, but
> worse, possibly damaging.

/overstatement ;-)

DShield data is not 'completely unreliable'. However, in order to use
it, one has to understand and take into account how it is collected.

If you find one of your machines listed as 'attackers', you may want
to take a closer look at the reports. If it turns out that the machine
in question is your DNS server, and the reports listed are port 53
requests, you can probably assume that everything is fine, in particular
if there are only a few reports.

We (DShield) don't apply any filters, but this doesn't indicate that you
shouldn't. We do not apply any filters because we do not know your network
configuration.

In several cases, we added IPs to our 'false positive' list of IPs which
we consider as common sources of false positive reports. For example,
root DNS servers are on this list, some large load balancers and some
port scan sites (Shields Up...)



-- 
---------------------------------------------------------------
jullrich@sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
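
The triage Ullrich describes, that is, looking at the reports behind a listing and treating port 53 traffic from your own DNS server, or a source on a known false-positive list, differently from the rest before deciding whether to filter, as a small Python example added here. It is not code from the post or from DShield: the record layout, the addresses, the false-positive range and the report-count threshold are constructed assumptions for illustration, not DShield's actual submission format or list.

```python
"""Triage third-party 'attacker' reports against local network knowledge.

Added example, not part of the original post. The record layout (one report
per line: src_ip src_port dst_ip dst_port proto), the addresses, the
false-positive ranges and the threshold are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample reports in the assumed layout described above.
SAMPLE_REPORTS = """\
# our DNS server answering queries: source port 53, low volume
192.0.2.53 53 198.51.100.10 41234 udp
192.0.2.53 53 198.51.100.77 52001 udp
192.0.2.53 53 198.51.100.23 33002 udp
# our second DNS server: some answers, but also SSH connection attempts
192.0.2.54 53 198.51.100.10 40001 udp
192.0.2.54 53 198.51.100.11 40002 udp
192.0.2.54 50001 198.51.100.10 22 tcp
192.0.2.54 50002 198.51.100.11 22 tcp
192.0.2.54 50003 198.51.100.12 22 tcp
192.0.2.54 50004 198.51.100.13 22 tcp
# unrelated host sweeping port 135 across our range
198.51.100.200 3001 192.0.2.10 135 tcp
198.51.100.200 3002 192.0.2.11 135 tcp
198.51.100.200 3003 192.0.2.12 135 tcp
198.51.100.200 3004 192.0.2.13 135 tcp
198.51.100.200 3005 192.0.2.14 135 tcp
198.51.100.200 3006 192.0.2.15 135 tcp
# only two stray reports from this source
203.0.113.7 60000 192.0.2.10 445 tcp
203.0.113.7 60001 192.0.2.11 445 tcp
# source inside a range we treat as a known false-positive source
203.0.113.100 80 192.0.2.10 52222 tcp
"""

# Local knowledge the reporting service cannot have (assumed values).
OUR_DNS_SERVERS = {ip_address("192.0.2.53"), ip_address("192.0.2.54")}
FALSE_POSITIVE_NETS = [ip_network("203.0.113.96/27")]  # e.g. a scan-on-request service
MIN_REPORTS = 5  # below this, a listing is too thin to act on without a manual look


@dataclass(frozen=True)
class Report:
    src_ip: object  # IPv4Address or IPv6Address from ipaddress
    src_port: int
    dst_ip: object
    dst_port: int
    proto: str


def parse_reports(text: str) -> list[Report]:
    """Parse the assumed whitespace-separated record layout, skipping comments."""
    reports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto = line.split()
        reports.append(Report(ip_address(src), int(sport), ip_address(dst),
                              int(dport), proto.lower()))
    return reports


def triage(reports, our_dns_servers, false_positive_nets, min_reports=MIN_REPORTS):
    """Group reports by source and return {source_ip: verdict}.

    Order matters: a known false-positive source is cleared first; a listed
    host of ours is cleared only if *every* report is port 53 traffic from it;
    anything else is either too thin to act on or needs investigation.
    """
    by_src = defaultdict(list)
    for r in reports:
        by_src[r.src_ip].append(r)

    verdicts = {}
    for src, rs in by_src.items():
        if any(src in net for net in false_positive_nets):
            verdicts[str(src)] = "known_false_positive_source"
        elif src in our_dns_servers and all(r.src_port == 53 for r in rs):
            verdicts[str(src)] = "likely_dns_responses"
        elif len(rs) < min_reports:
            verdicts[str(src)] = "low_volume_review"
        else:
            verdicts[str(src)] = "investigate"
    return verdicts


def triage_sample():
    """Run the triage over the constructed sample so it can be checked."""
    return triage(parse_reports(SAMPLE_REPORTS), OUR_DNS_SERVERS, FALSE_POSITIVE_NETS)


if __name__ == "__main__":
    for src, verdict in sorted(triage_sample().items()):
        print(f"{src:16} {verdict}")
```

The point of the ordering is the one the post makes: the reporting service sees only that traffic came from your address, while you know which address is the DNS server and which ranges you already consider noise. A host of yours with a mix of port 53 answers and other traffic (192.0.2.54 above) is deliberately not cleared, because the DNS explanation no longer covers all of its reports.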
