"I do not recommend adding every IP listed at DShield to your filter" /understatement.
I took a short while to peruse the data collected and distributed by DShield. I don't believe I need to go into the many reasons (I'm sure you know yourself) why this information is completely unreliable, but worse, possibly damaging.
/overstatement ;-) DShield data is not 'completely unreliable'. However, in order to use it, one has to understand and take into account how it is collected. If you find one of your machines listed as 'attackers', you may want to take a closer look at the reports. If it turns out that the machine in question is your DNS server, and the reports listed are port 53 requests, you can probably assume that everything is fine, in particular if there are only a few reports. We (DShield) don't apply any filters, but this doesn't indicate that you shouldn't. We do no apply any filters because we do not know your network configuration. In several cases, we added IPs to our 'false positive' list of IPs which we consider as common sources of false positive reports. For example, root DNS servers are on this list, some large load balancers and some port scan sites (Shields Up...) -- --------------------------------------------------------------- jullrich@sans.org Collaborative Intrusion Detection join http://www.dshield.org