Bogon list or Dshield.org type list
I'm wondering how many of you use Bogon Lists and http://www.dshield.org/top10.html type lists on your routers? I'm curious to know if you are an ISP with customers or backbone provider or someone else? I have a feeling not many people use these on routers? I'm wondering why or why not? I've never used them on my routers although I work for a new ISP/cable provider. I'm thinking it would make my users happy to use them though.

alsato
I can comment on the dshield list. I have seen this before. I am checking one particular IP on my network that has a very popular freehost on it. Checking the load balancer IP (connections cannot be originated from this IP) -- it shows that there were 13 attacks initiated from the IP, and 7 targets. Whatever their algorithm is, it doesn't seem reliable enough for me to trust it if an IP that can not originate connections is listed as an attacker (albeit small on their list).

--Phil

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of alsato
Sent: Saturday, July 27, 2002 8:08 PM
To: nanog@merit.edu
Subject: Bogon list or Dshield.org type list
I do not recommend adding every IP listed at DShield to your filter. We do publish a 'block list' of the worst networks (based on reports for the last 5 days).

Quick note on our methods: We basically aggregate firewall logs and offer summarized reports. The reports should allow everyone to apply their own judgment.

For the block list: http://www.dshield.org/block_list_info.html

On Sat, 27 Jul 2002 20:19:47 -0400 "Phil Rosenthal" <pr@isprime.com> wrote:
-- --------------------------------------------------------------- jullrich@sans.org Collaborative Intrusion Detection join http://www.dshield.org
I looked up a nameserver that I once worked with and found that it is "attacking" from port 53. Needless to say, it's not hacked, it's answering queries.

Charles

-- Charles Sprickman spork@inch.com

On Sat, 27 Jul 2002, Johannes Ullrich wrote:
Yes - DShield has our ORSC root server listed as well. I thought that was hilarious.

----- Original Message -----
From: "Charles Sprickman" <spork@inch.com>
To: "Johannes Ullrich" <jullrich@sans.org>
Cc: <nanog@merit.edu>
Sent: Sunday, July 28, 2002 2:36 AM
Subject: Re: Bogon list or Dshield.org type list
--On Sunday, July 28, 2002 09:35:40 -0500 "John Palmer (NANOG Acct)" <nanog@adns.net> wrote:
Yes - DShield has our ORSC root server listed as well. I thought that was hilarious.
Some might beg to differ.

-- Måns Nilsson Systems Specialist +46 70 681 7204 KTHNOC MN1334-RIPE
We're sysadmins. To us, data is a protocol-overhead.
"I do not recommend adding every IP listed at DShield to your filter" /understatement.

I took a short while to peruse the data collected and distributed by DShield. I don't believe I need to go into the many reasons (I'm sure you know yourself) why this information is completely unreliable, but worse, possibly damaging. Offering this data, backed up by the SANS name for credibility, might entice a novice engineer to act upon it.

This:

"Disclaimer: DShield currently employs as little filtering of incoming reports as possible. Most reports are sent anonymously. We do not know if these logs are truthful, or if the firewall configuration was correct. DShield.org will attempt to protect the identity of the submitter. If you have a question regarding a specific target or source IP, please send an e-mail to info@dshield.org."

is insufficient and, IMHO, irresponsible.

That said, I do believe your motives and purpose are worthwhile, but the process completely undermines them both. If you're interested in retooling the scripts and using registered and credible sources, I would not only offer assistance in the effort but endorse it as well.

Jeff Nelson
PGP: 0x54B1A25C
"There are 10 types of people: those that understand binary, and those that do not."

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Johannes Ullrich
Sent: Saturday, July 27, 2002 9:49 PM
To: pr@isprime.com
Cc: alsato@hotpop.com; nanog@merit.edu
Subject: Re: Bogon list or Dshield.org type list
"I do not recommend adding every IP listed at DShield to your filter" /understatement.
I took a short while to peruse the data collected and distributed by DShield. I don't believe I need to go into the many reasons (I'm sure you know yourself) why this information is completely unreliable, but worse, possibly damaging.
/overstatement ;-)

DShield data is not 'completely unreliable'. However, in order to use it, one has to understand and take into account how it is collected. If you find one of your machines listed as 'attackers', you may want to take a closer look at the reports. If it turns out that the machine in question is your DNS server, and the reports listed are port 53 requests, you can probably assume that everything is fine, in particular if there are only a few reports.

We (DShield) don't apply any filters, but this doesn't indicate that you shouldn't. We do not apply any filters because we do not know your network configuration. In several cases, we added IPs to our 'false positive' list of IPs which we consider as common sources of false positive reports. For example, root DNS servers are on this list, some large load balancers and some port scan sites (Shields Up...).

-- --------------------------------------------------------------- jullrich@sans.org Collaborative Intrusion Detection join http://www.dshield.org
"/overstatement" -- fair enough. I don't mean to diminish the effort. I guess it is the unused potential that gets under my skin here. This could actually be an extremely useful tool for research if the data had some sense of accountability. "one has to understand and take into account how it is collected" Based on your methods of collection, with minimal work, one could make 167.216.198.40 #1 on Most Wanted list (assuming sans.org is not on the false positive's list). Anyway, that's my $.02... I'll mind my own business now GL, j -----Original Message----- From: Johannes Ullrich [mailto:jullrich@sans.org] Sent: Sunday, July 28, 2002 4:24 PM To: jnull Cc: nanog@merit.edu; info@dshield.org; info@sans.org Subject: Re: Dshield.org
"I do not recommend adding every IP listed at DShield to your filter" /understatement.
I took a short while to peruse the data collected and distributed by DShield. I don't believe I need to go into the many reasons (I'm sure you know yourself) why this information is completely unreliable, but worse, possibly damaging.
/overstatement ;-) DShield data is not 'completely unreliable'. However, in order to use it, one has to understand and take into account how it is collected. If you find one of your machines listed as 'attackers', you may want to take a closer look at the reports. If it turns out that the machine in question is your DNS server, and the reports listed are port 53 requests, you can probably assume that everything is fine, in particular if there are only a few reports. We (DShield) don't apply any filters, but this doesn't indicate that you shouldn't. We do no apply any filters because we do not know your network configuration. In several cases, we added IPs to our 'false positive' list of IPs which we consider as common sources of false positive reports. For example, root DNS servers are on this list, some large load balancers and some port scan sites (Shields Up...) -- --------------------------------------------------------------- jullrich@sans.org Collaborative Intrusion Detection join http://www.dshield.org
Alsato,

I have recently begun using Bogon Lists myself, after some research and convincing advice I received from members of this list. However, I do not agree with the terminology. A Bogon List is absolute (termed from Bogus, derived from bogus or unreal). The only addresses I would place in this list are address blocks that have not been assigned, adding 1918 at borders. Other routes, determined malevolent or non-existent, should be configured case-by-case. I don't believe I would trust any source as definitive.

It has already proven a valuable measure against unwanted traffic, as you can see in a one-week timespan:

Extended IP access list 120 (Compiled)
permit tcp any any established (243252113 matches)
deny ip 0.0.0.0 1.255.255.255 any (825328 matches)
deny ip 2.0.0.0 0.255.255.255 any (413487 matches)
deny ip 5.0.0.0 0.255.255.255 any (410496 matches)
deny ip 7.0.0.0 0.255.255.255 any (413621 matches)
deny ip 10.0.0.0 0.255.255.255 any (1524547 matches)
deny ip 23.0.0.0 0.255.255.255 any (411623 matches)
deny ip 27.0.0.0 0.255.255.255 any (414992 matches)
deny ip 31.0.0.0 0.255.255.255 any (409379 matches)
deny ip 36.0.0.0 1.255.255.255 any (822904 matches)
deny ip 39.0.0.0 0.255.255.255 any (415316 matches)
deny ip 41.0.0.0 0.255.255.255 any (412452 matches)
deny ip 42.0.0.0 0.255.255.255 any (408982 matches)
deny ip 49.0.0.0 0.255.255.255 any (412448 matches)
deny ip 50.0.0.0 0.255.255.255 any (411544 matches)
deny ip 58.0.0.0 0.255.255.255 any (409797 matches)
deny ip 59.0.0.0 0.255.255.255 any (409663 matches)
deny ip 60.0.0.0 0.255.255.255 any (411317 matches)
deny ip 69.0.0.0 0.255.255.255 any (409853 matches)
deny ip 70.0.0.0 1.255.255.255 any (833182 matches)
deny ip 72.0.0.0 7.255.255.255 any (3300703 matches)
deny ip 82.0.0.0 1.255.255.255 any (828636 matches)
deny ip 84.0.0.0 3.255.255.255 any (1650688 matches)
deny ip 88.0.0.0 7.255.255.255 any (3301130 matches)
deny ip 96.0.0.0 31.255.255.255 any (13193345 matches)
deny ip 169.254.0.0 0.0.255.255 any (204893 matches)
deny ip 172.16.0.0 0.15.255.255 any (48290 matches)
deny ip 192.0.2.0 0.0.0.255 any (201 matches)
deny ip 192.168.0.0 0.0.255.255 any (326367 matches)
deny ip 197.0.0.0 0.255.255.255 any (409469 matches)
deny ip 198.18.0.0 0.1.255.255 any (3201 matches)
deny ip 201.0.0.0 0.255.255.255 any (410619 matches)
deny ip 222.0.0.0 1.255.255.255 any (823491 matches)
deny ip 223.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any (13165320 matches)
permit ip any any (600152250 matches)

For more detailed information on the subject matter, contact Rob Thomas or John Brown, also NANOG members. Good luck with your endeavors; you're on the right track.

Jeff
PGP: 0x54B1A25C
"There are 10 types of people: those that understand binary, and those that do not."

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of alsato
Sent: Saturday, July 27, 2002 7:08 PM
To: nanog@merit.edu
Subject: Bogon list or Dshield.org type list