[Dshield] using the feeds for your firewall

Jason Hammerschmidt Jason.Hammerschmidt at maclaren.com
Fri Jul 27 18:17:43 GMT 2001


I'm wondering how people are actually using the feeds nowadays?
We're using Linux 2.2 ipchains firewalling and I'm looking to start 
implementing the DShield stuff.  Presumably 859,094 (as of today) sources 
is too much to handle even on a super souped-up box if you dropped them in 
your routing table or with ipchains.  The top 10 seems like just not enough, 
the top 100? Maybe, but probably still not even close to enough.  Top 1000?  
When does a noticeable performance hit occur?

Essentially, what are people using of the feeds to block firewalls?  

I'd like to stop the known scanners without the use of various IDS's 
(portsentry, etc.).  While it's next to impossible to block them all, it's 
conceivable you could block a good portion of them; then again, the 
performance hit could be too much and it may just be better to simply rely on 
the IDS completely.  Thoughts? Comments? Flames (didn't you read post x?)?


