[Dshield] Re: Dshield digest, Vol 1 #230 - 1 msg

Bruce Lilly blilly at erols.com
Thu Aug 30 17:20:27 GMT 2001

> Date: Wed, 29 Aug 2001 20:57:55 -0400 (EDT)
> From: "Johannes B. Ullrich" <jullrich at euclidian.com>
> To: <dshield at dshield.org>
> Subject: Re: [Dshield] Fw: NTL Support/Abuse Staff
>   However, one question to ISPs that use proxies: Why not filter Code Red
> requests?

I don't speak for an ISP, but my ISP appears to proxy http requests from
their customers to the outside Internet. So if I use the URL on the dshield
home page http://www.dshield.org/warning_explanation.php, it reports the
proxy server's IP address, not my (dynamically) assigned IP address (N.B.
there is no proxy configured in my browser; this is apparently implemented
as an application gateway). OTOH, I'm getting hit by hundreds of Code Red
attack attempts per day both from within my ISP's IP address range and from
outside that range, so the proxying apparently doesn't take place either
within the ISP's network or for externally-originated http requests.

The proxy server isn't listed in the Dshield database, so apparently the
ISP does filter Code Red requests headed outside of their network.
Unfortunately, that means that only other customers of that ISP see Code
Red attacks from the ISP's customers -- unless a significant number of
that ISP's customers participate in Dshield, the fightback threshold is
unlikely to be reached.  The result is that the attacks continue with no
notification to the ISP in spite of large numbers of log lines in the
Dshield database; such filtering defeats a primary purpose of Dshield.
> > 5. The web proxies get listed as attackers.
>   If they are not the attacker themselfe, they at least hide their
> identity and this should be fixed.

If the proxy server is run properly, there should be logs that can be used
to identify the actual source IP address.

There is a larger issue as well; DHCP makes much of the Dshield database
of questionable utility.  A hacker could conceivably originate a small
number of attacks, change to a different IP address, originate a few more
attacks, etc., thus avoiding whatever threshold is used for fightback.
Also, the rather large window (looks like 3 days) for the IP reports may
incorrectly imply that the current user of that IP address has been
responsible for attacks.  With DHCP, the IP address must always be paired
with an accurate timestamp; a given IP address at two different times may
well be two different machines, and different IP addresses at different
times may be a single machine -- only the party responsible for assigning
the dynamic IP addresses can tell for sure.

As a result, listing the proxy server as the attacker is probably the right
thing to do.

DHCP vs. fightback is another matter; I can't think of any simple solution
to that problem other than keeping the threshold low.

More information about the list mailing list