"/overstatement" -- fair enough. I don't mean to diminish the effort. I guess it is the unused potential that gets under my skin here. This could actually be an extremely useful tool for research if the data had some sense of accountability.

"one has to understand and take into account how it is collected"

Based on your methods of collection, with minimal work, one could make 167.216.198.40 #1 on the Most Wanted list (assuming sans.org is not on the false positives list).

Anyway, that's my $.02... I'll mind my own business now.

GL,
j

-----Original Message-----
From: Johannes Ullrich [mailto:jullrich@sans.org]
Sent: Sunday, July 28, 2002 4:24 PM
To: jnull
Cc: nanog@merit.edu; info@dshield.org; info@sans.org
Subject: Re: Dshield.org
"I do not recommend adding every IP listed at DShield to your filter" /understatement.
I took a short while to peruse the data collected and distributed by DShield. I don't believe I need to go into the many reasons (I'm sure you know yourself) why this information is completely unreliable, but worse, possibly damaging.
/overstatement ;-) DShield data is not 'completely unreliable'. However, in order to use it, one has to understand and take into account how it is collected. If you find one of your machines listed as 'attackers', you may want to take a closer look at the reports. If it turns out that the machine in question is your DNS server, and the reports listed are port 53 requests, you can probably assume that everything is fine, in particular if there are only a few reports.

We (DShield) don't apply any filters, but this doesn't indicate that you shouldn't. We do not apply any filters because we do not know your network configuration. In several cases, we added IPs to our 'false positive' list of IPs which we consider as common sources of false positive reports. For example, root DNS servers are on this list, some large load balancers and some port scan sites (Shields Up...)

--
---------------------------------------------------------------
jullrich@sans.org Collaborative Intrusion Detection
join http://www.dshield.org
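The triage Johannes describes above (look at the individual reports behind a listed address, check whether they match what that host legitimately does, weigh the report count, and keep a local list of known false-positive sources) is what an operator has to apply before turning aggregated firewall-log data into a filter. The following is an added example written for this page, not DShield's or SANS's code. The report shape, the addresses (RFC 5737 documentation ranges), the service table, the exemption list and the "few reports" threshold of 5 are all constructed assumptions; the real DShield submission format is not represented here.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """One firewall log entry as an aggregator might receive it.

    Constructed, simplified shape for this example; not DShield's actual format.
    """
    src_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"


# Constructed sample data (RFC 5737 addresses), all hypothetical.
SAMPLE_REPORTS = [
    # A DNS server answering queries: a handful of reports, all from source port 53.
    Report("192.0.2.53", 53, 41002, "udp"),
    Report("192.0.2.53", 53, 53011, "udp"),
    Report("192.0.2.53", 53, 40567, "udp"),
    Report("192.0.2.53", 53, 61234, "udp"),
    # A host sweeping many unrelated service ports on strangers.
    Report("198.51.100.7", 33402, 22, "tcp"),
    Report("198.51.100.7", 33403, 23, "tcp"),
    Report("198.51.100.7", 33404, 80, "tcp"),
    Report("198.51.100.7", 33405, 135, "tcp"),
    Report("198.51.100.7", 33406, 139, "tcp"),
    Report("198.51.100.7", 33407, 445, "tcp"),
    Report("198.51.100.7", 33408, 1433, "tcp"),
    # A public port-scan service the operator has put on the exemption list.
    Report("203.0.113.9", 1024, 80, "tcp"),
    Report("203.0.113.9", 1025, 443, "tcp"),
    # A web server whose role is known, but whose reports are connections *to* port 22
    # on other people's machines, which serving HTTP does not explain.
    Report("192.0.2.80", 51000, 22, "tcp"),
    Report("192.0.2.80", 51001, 22, "tcp"),
]

# Operator knowledge of their own hosts: (proto, port) pairs each host legitimately serves.
# The aggregator cannot know this, which is why it applies no filters of its own.
KNOWN_SERVICES = {
    "192.0.2.53": {("udp", 53), ("tcp", 53)},
    "192.0.2.80": {("tcp", 80), ("tcp", 443)},
}

# Local analogue of a 'false positive' list: sources known to generate benign reports.
FALSE_POSITIVE_SOURCES = {"203.0.113.9"}


def consistent_with_role(report, services):
    """True if either end of the reported connection is a port the source host is known to serve.

    Port 53 appears as the source port in DNS replies and as the destination port in
    queries, so both sides are checked.
    """
    ports = services.get(report.src_ip, set())
    return (report.proto, report.src_port) in ports or (report.proto, report.dst_port) in ports


def triage(reports, services, fp_sources, few=5):
    """Group reports by source IP and return {ip: (verdict, report_count)}.

    known-false-positive : on the operator's exemption list
    likely-benign        : every report matches the host's known role and there are few
    review-volume        : every report matches the role, but the count is high
    investigate          : reports the host's role does not explain, or an unknown host
    """
    by_src = defaultdict(list)
    for r in reports:
        by_src[r.src_ip].append(r)

    verdicts = {}
    for ip, rs in by_src.items():
        if ip in fp_sources:
            verdicts[ip] = ("known-false-positive", len(rs))
            continue
        matching = sum(1 for r in rs if consistent_with_role(r, services))
        if ip in services and matching == len(rs):
            verdicts[ip] = ("likely-benign" if len(rs) < few else "review-volume", len(rs))
        else:
            verdicts[ip] = ("investigate", len(rs))
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, n) in sorted(triage(SAMPLE_REPORTS, KNOWN_SERVICES, FALSE_POSITIVE_SOURCES).items()):
        print(f"{ip:15} {n:3d} reports  {verdict}")
```

The point of the example is the division of labour: the aggregator publishes raw counts without filtering because it cannot know which of your hosts run DNS or sit behind a load balancer, so the service table and the exemption list have to be yours, and the "few reports" threshold is a judgement call rather than a property of the data.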