Reminder: Proper use of DShield data

Published: 2008-05-28. Last Updated: 2008-05-28 21:04:35 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)
Once in a while, we receive requests to remove an IP from our "blocklist", only to find out that the particular IP address isn't in our blocklist. Usually, it turns out that someone is using part of our DShield data in a way it is not supposed to be used.

DShield currently only publishes one blocklist: http://www.dshield.org/block.txt . It removes some of the obvious false positives. Of course, like with any block list, you should still use it at your own risk.

In addition, we are publishing the "Highly Predictive Blocklists" (http://www.dshield.org/hpbinfo.html). These blocklists are currently experimental, and a new version of the software should be released shortly.

Finally, there are a number of other "lists". For example, the following list is quite popular:

http://www.dshield.org/ipsascii.html

Note the big disclaimer at the top of this list:

# ipsascii.html
# DO NOT USE AS BLOCKLIST

This list contains the top IPs, without any consideration to false positives.
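The check a consumer of these lists should build in is the one the disclaimer asks for: refuse to load any feed whose header says it is not a blocklist, and only then parse the ranges. The following is an added example, not DShield's own code or tooling. It assumes a tab-separated layout of "Start, End, Netmask (prefix length), Nr of attacks, ..." for data rows; the two feed texts embedded below are constructed samples using RFC 5737 documentation addresses, not real DShield output.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Marker quoted in the diary from the top of ipsascii.html. Any feed that
# carries it is rejected before a single address is parsed.
DO_NOT_BLOCK_MARKER = "DO NOT USE AS BLOCKLIST"

# Constructed sample in the assumed block.txt layout (not a real feed).
BLOCK_TXT_SAMPLE = """# DShield.org Recommended Block List
# constructed sample, not real data
# Start\tEnd\tNetmask\tNr of attacks\tName\tCountry\temail
192.0.2.0\t192.0.2.255\t24\t1234\tEXAMPLE-NET\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t567\tEXAMPLE-NET2\tXX\tabuse@example.org
"""

# Constructed sample carrying the disclaimer; the row format is hypothetical.
IPSASCII_SAMPLE = """# ipsascii.html
# DO NOT USE AS BLOCKLIST
# constructed sample, not real data
203.0.113.7\t9999
"""


@dataclass(frozen=True)
class BlockEntry:
    network: ipaddress.IPv4Network
    attacks: int


class NotABlocklist(ValueError):
    """Raised when a feed declares itself unfit for blocking."""


def parse_feed(text: str) -> List[BlockEntry]:
    """Parse a recommended-blocklist feed into network entries.

    Raises NotABlocklist if the feed header carries the disclaimer, and
    ValueError if a row's Start/End pair disagrees with its prefix length.
    """
    entries: List[BlockEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if DO_NOT_BLOCK_MARKER in line.upper():
                raise NotABlocklist(line)
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            # Assumption: rows shorter than the assumed layout are ignored.
            continue
        start, end, masklen, attacks = fields[:4]
        net = ipaddress.IPv4Network(f"{start}/{masklen}", strict=False)
        # Sanity check: the declared End must be the last address of the prefix.
        if ipaddress.IPv4Address(end) != net.broadcast_address:
            raise ValueError(f"range {start}-{end} does not match /{masklen}")
        entries.append(BlockEntry(net, int(attacks)))
    return entries


def feed_is_usable_as_blocklist(text: str) -> bool:
    """True only if the feed parses and does not carry the disclaimer."""
    try:
        parse_feed(text)
        return True
    except NotABlocklist:
        return False


def is_blocked(entries: List[BlockEntry], ip: str) -> bool:
    """Return whether an address falls inside any listed network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in e.network for e in entries)


if __name__ == "__main__":
    good = parse_feed(BLOCK_TXT_SAMPLE)
    print("networks:", [str(e.network) for e in good])
    print("192.0.2.17 blocked:", is_blocked(good, "192.0.2.17"))
    print("ipsascii usable:", feed_is_usable_as_blocklist(IPSASCII_SAMPLE))
```

The marker test runs on comment lines before any data is touched, so a feed that was never meant for blocking is dropped whole rather than partially applied; the Start/End consistency check catches a truncated or mangled download before it turns into a firewall rule.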

Why don't we filter false positives?

Well, if it were easy, we would do it. But first of all, DShield is a research tool. It has to provide consistent and complete data. In a particular case that came up today, a site was under DDoS attack. Our sensors picked up backscatter traffic and reported it to us. As a result, the site ended up in 'ipsascii.html'. I'd rather keep this type of activity in my database. Measuring backscatter is one thing we can do with our data. Another common false positive is P2P afterglow. But if there is active scanning for P2P networks, we need to know what this afterglow looks like in order to subtract it.

So again: stick to the recommended block lists. If you find an IP in our blocklist that shouldn't be there, let us know and we will remove it ASAP. But any raw data associated with the IP address will remain in our database. Finding an IP address in our database doesn't automatically mean that it is an "attacker" or "evil". To figure out what is happening, we need to look at the data in more detail.

Keywords: blocklist dshield

Comments

It appears the list at http://www.dshield.org/block.txt hasn't been updated in over a year:
# updated: Tue Mar 13 02:27:52 2007 UTC
Is there a version that's actively maintained somewhere?
(Sorry if this is a double post; I don't think my first attempt went through.)

That URL is not the feed one. Reading a little bit more of the text shows that you can go to the primary URL of http://feeds.dshield.org/block.txt . That URL is the one that is constantly updating, while the other is just a static file. Johannes probably should make it apparent that the one supplied at www.dshield.org is an example file, not the actual live feed.
