[Dshield] using the feeds for your firewall

Jason Hammerschmidt Jason.Hammerschmidt at maclaren.com
Mon Jul 30 14:24:12 GMT 2001


On Monday 30 July 2001 06:41, David Kennedy CISSP wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> At 12:30 AM 7/28/01 -0400, Johannes B. Ullrich wrote:
> >- only authenticated reports will be considered.
> >- an IP has to show up in multiple authors reports.
> >- the report has to be recent (5 days ?)
>
> - - only IP with no satisfactory response from their ISP after two
> attempts.
>
> (Give ISP's a chance to enforce their TOS/AUP)
I've rarely had success with this. How often does Dshield have success with 
the fight back stuff?  How frequently is it requested?  Judging by the 
volume, I'd say this should be happening very frequently.

> - - only probes of destination TCP ports of <1025 or known trojan horse
> default ports
Only you can never know all the trojan horse default ports, and an include 
list like this, I think, would lead to mishaps.

> (no Half-Life, PC Anywhere etc generated blacklisting but Sub7 could)
BUT, I do like the idea of an exclude list, for things like half-life, PC 
Anywhere, things of that sort.

What about performance impact?  Has anyone seen a case where a Linux firewall 
can't handle the routing statements?  I'm actually assuming it could easily 
handle multiple thousands of routing statements/ipchains rules given a decent box.

-- 
Jason Hammerschmidt - direct: 416.643.8560 - "Sapere aude"
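The selection criteria discussed in this thread (authenticated reporters only, an IP seen by several reporters, reports no older than 5 days, destination port below 1025 or a known trojan default port, minus an exclude list for game and remote-control ports) can be applied to a feed before any rule is generated. The script below is an added illustration, not Dshield code and not anything the posters ran: the feed record layout, the reporter ids and the list of "authenticated" reporters are assumed, and the sample records are constructed. It emits ipchains commands into a user-defined chain instead of appending thousands of rules directly to the input chain, so the whole blocklist can be flushed and rebuilt in one place when the feed changes.

```python
"""Turn a DShield-style report feed into a set of ipchains block rules.

Added example. Feed format, reporter ids and the authenticated-reporter
list are assumptions; ports 27015 (Half-Life), 5631/5632 (pcAnywhere) and
27374 (Sub7 default) are well-known defaults used here as illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Assumed feed record: (source_ip, reporter_id, report_date, dest_tcp_port)
# Constructed sample data covering each selection criterion.
SAMPLE_FEED = [
    ("192.0.2.10", "auth-a", date(2001, 7, 29), 111),    # two reporters, recent, low port -> block
    ("192.0.2.10", "auth-b", date(2001, 7, 28), 21),
    ("192.0.2.20", "auth-a", date(2001, 7, 29), 27015),  # Half-Life port -> excluded
    ("192.0.2.20", "auth-b", date(2001, 7, 29), 27015),
    ("192.0.2.30", "auth-a", date(2001, 7, 29), 27374),  # Sub7 default port -> counts
    ("192.0.2.30", "auth-c", date(2001, 7, 27), 27374),
    ("192.0.2.40", "auth-a", date(2001, 7, 29), 80),     # only one reporter -> skip
    ("192.0.2.50", "anon",   date(2001, 7, 29), 23),     # unauthenticated report ignored
    ("192.0.2.50", "auth-b", date(2001, 7, 29), 23),     # ...leaving one reporter -> skip
    ("192.0.2.60", "auth-a", date(2001, 7, 10), 22),     # stale reports -> skip
    ("192.0.2.60", "auth-b", date(2001, 7, 11), 22),
]

AUTHENTICATED = {"auth-a", "auth-b", "auth-c"}   # assumed set of vetted reporter ids
TROJAN_PORTS = {27374}                            # known trojan defaults (Sub7)
EXCLUDE_PORTS = {27015, 5631, 5632}               # Half-Life, pcAnywhere
MIN_REPORTERS = 2
MAX_AGE_DAYS = 5


def port_qualifies(port):
    """Low ports or known trojan defaults count; exclude-listed ports never do."""
    if port in EXCLUDE_PORTS:
        return False
    return port < 1025 or port in TROJAN_PORTS


def select_blocklist(feed, today):
    """Return sorted source IPs that satisfy every criterion in the thread."""
    reporters = defaultdict(set)
    cutoff = today - timedelta(days=MAX_AGE_DAYS)
    for ip, reporter, seen, port in feed:
        if reporter not in AUTHENTICATED:
            continue
        if seen < cutoff:
            continue
        if not port_qualifies(port):
            continue
        reporters[ip].add(reporter)
    return sorted(ip for ip, who in reporters.items() if len(who) >= MIN_REPORTERS)


def ipchains_rules(ips, chain="dshield"):
    """Emit ipchains commands: one user chain holds the list, input jumps to it.

    Rebuilding a dedicated chain keeps the feed-driven rules separate from
    hand-written policy and makes a refresh a single flush-and-refill.
    """
    rules = ["ipchains -N %s" % chain, "ipchains -F %s" % chain]
    rules += ["ipchains -A %s -s %s -j DENY" % (chain, ip) for ip in ips]
    rules.append("ipchains -A input -j %s" % chain)
    return rules


def demo():
    """Run the constructed feed against a fixed 'today' for repeatability."""
    return select_blocklist(SAMPLE_FEED, date(2001, 7, 30))


if __name__ == "__main__":
    for line in ipchains_rules(demo()):
        print(line)
```

The script prints the commands rather than executing them, so the generated list can be reviewed (and diffed against the previous run) before it is loaded; feeding a few thousand entries into one user chain this way is the shape most people used with ipchains, and the linear-match cost per packet is the performance question raised above.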