[Dshield] How to ask someone's ISP to investigate

Johannes B. Ullrich jullrich at euclidian.com
Fri Jul 13 21:49:11 GMT 2001

  Our Fightback policy does not just depend on the number of reports we get
for a particular source IP. It also depends on the port that was probed.
There are a number of these ports where we have very low thresholds (lowest
is 3 different IP addresses targeted). For example, port 27374 is set that
low, as I don't think there is a 'good reason' for scanning the
Sub7 port.

jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System

    I think that DShield is a great idea, and Fightback an excellent
extension of that idea, but I'm a bit confused as to what criteria are used
to select a candidate to receive a complaint: I've received DShield
Fightback notifications where "A total of 3 records in dshield's database
implicate this IP address."  Now, don't get me wrong, ISP notifications are
(IMHO) a great idea, but it seems that if we're sending out messages about
machines that only have three entries, we could be generating a lot of
"noise" that will make us more likely to be ignored when we actually have
something big to report.  Or are these reports generated manually by people
clicking on the fightback icon (I think that's how it works)?

-Neil R.
"How do you do it, Homer?  How do you silence that
  little voice that says, 'Think'?"                  -Flanders
"You mean Lisa?"                                    -Homer

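Added example, not part of the original messages and not DShield's own code: a per-port threshold on distinct targeted addresses, as the reply above describes, showing why "3 records" and "3 different IP addresses targeted" are different tests. Only the value 3 for port 27374 comes from the thread; the default threshold, the "at least" comparison, the record layout and the sample reports are assumptions constructed for illustration.

```python
from collections import defaultdict

# Minimum number of distinct targeted IPs before a source IP becomes a
# complaint candidate. Only the 27374 entry (3) is taken from the thread.
PORT_THRESHOLDS = {27374: 3}
DEFAULT_THRESHOLD = 20  # assumed value, not a DShield figure

# Constructed sample reports: (source_ip, target_ip, target_port).
SAMPLE_REPORTS = [
    # Three records against three different targets on the Sub7 port.
    ("192.0.2.10", "198.51.100.1", 27374),
    ("192.0.2.10", "198.51.100.2", 27374),
    ("192.0.2.10", "198.51.100.3", 27374),
    # Three records, but all against the same target.
    ("192.0.2.20", "198.51.100.1", 27374),
    ("192.0.2.20", "198.51.100.1", 27374),
    ("192.0.2.20", "198.51.100.1", 27374),
    # Five distinct targets on a port that has no special threshold.
    *[("192.0.2.30", f"203.0.113.{i}", 80) for i in range(1, 6)],
]


def complaint_candidates(reports, thresholds=PORT_THRESHOLDS,
                         default=DEFAULT_THRESHOLD):
    """Return sorted (source_ip, port, distinct_targets) tuples that meet
    the threshold configured for the probed port."""
    targets = defaultdict(set)
    for src, dst, port in reports:
        # A set collapses repeated reports about the same target.
        targets[(src, port)].add(dst)
    hits = []
    for (src, port), dsts in targets.items():
        # Assumption: a source qualifies once it reaches the threshold.
        if len(dsts) >= thresholds.get(port, default):
            hits.append((src, port, len(dsts)))
    return sorted(hits)


if __name__ == "__main__":
    for src, port, count in complaint_candidates(SAMPLE_REPORTS):
        print(f"{src} probed port {port} on {count} distinct targets")
```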