[Dshield] Re.: Database Integrity?

Johannes B. Ullrich jullrich at euclidian.com
Sun Mar 11 03:19:36 GMT 2001


The database will now reject entries where source and target address are the
same. I would like to do as little filtering as possible, and let the users
decide what data to use.

We keep extensive logs and backups of original submissions to help track
down problems. If we find obvious errors, like the one mentioned below, they
will be immediately corrected. There are a few other cases where we may
remove an "attacker":

 - known portscan services like Shields Up or Cablemodemhelp.com
 - reserved IP addresses like 10/8 or 192.168/16
 - cases where the submitter of a report asks us to remove them.

We will not remove records if:

 - the "attacker" machine was compromised at the time the attacks were
recorded. I guess this is the case for most of the attacker IPs.
 - the target port does not indicate an attack.

If someone feels like an IP address was implicated for malicious reasons, we
will try to contact the submitter and try to get both sides of the story.



-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On Behalf
Of Dan Crooks
Sent: Saturday, March 10, 2001 7:07 AM
To: dshield at dshield.org
Subject: [Dshield] Database Integrity?


I don't read this list often so I am sorry if this is re-hashing old news.
I received a call yesterday from a government agency that specializes in
tracking computer intrusion detection.  They were inquiring about activities
that reports showed originated from my IP.  This agency received a report
that originated from DShield sources that showed a couple of dates back in
January my IP was the #1 attacker.

At first I thought my machine had been hacked and someone was using it to
scan other machines without my knowledge.  I had not noticed anything that
would indicate I had been hacked.  I could find no trace of any intrusion.
Then I thought that maybe my submissions to the database at Dshield had
gotten reversed making me the attacker instead of the attacked.  Using the
search tool on DShield I was unable to determine much of anything useful.

Luckily I keep all my submission reports to DShield.  I reviewed the dates
in question and discovered that on those dates I had run port scans on my
machine using nmap to look for weaknesses in my own system.  The log I
submitted to DShield shows the same IP as attacker and attackee!!

If government agencies are going to use DShield reports to track attackers
there has got to be some way to prevent this kind of mistake.  Had this
agency decided to seize my equipment based on the information they received
from DShield it would have smeared the whole DShield project.  Error checking
must be accomplished on reports submitted to DShield BEFORE being written to
the database, otherwise the database is useless.

If DShield receives reports that contain the same IP for both inbound and
outbound it should NOT add them to the database?
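The filtering policy described in the reply above (reject records whose source and target address are the same, and optionally drop sources in reserved ranges such as 10/8 and 192.168/16 or belonging to known port-scan services, while keeping the original submission for later review) can be expressed as a small intake check. The code below is an added illustration and is not DShield's own submission code; the six-field log line format, the sample lines, and the placeholder "known scanner" network (a TEST-NET-2 block) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges the reply says may be dropped as "attackers". Only the two
# ranges named in the message are listed here; operators would extend this.
RESERVED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Placeholder for known port-scan services such as Shields Up or
# Cablemodemhelp.com. Their real addresses are not on the page, so a
# constructed TEST-NET-2 block stands in for them.
KNOWN_SCANNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Verdict:
    accepted: bool
    reason: str


def check_submission(line: str) -> Verdict:
    """Decide whether one submitted log line may enter the database.

    Constructed line format (not DShield's real format):
        "YYYY-MM-DD HH:MM:SS src_ip src_port dst_ip dst_port"
    """
    fields = line.split()
    if len(fields) != 6:
        return Verdict(False, "malformed: expected 6 fields")
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[4])
        src_port, dst_port = int(fields[3]), int(fields[5])
    except ValueError:
        return Verdict(False, "unparseable address or port")
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        return Verdict(False, "port out of range")
    # The case from the thread: a self-scan submitted with the same IP on
    # both sides, which would otherwise make the submitter the "attacker".
    if src == dst:
        return Verdict(False, "self-scan: source equals target")
    if any(src in net for net in RESERVED_NETS):
        return Verdict(False, "reserved source address")
    if any(src in net for net in KNOWN_SCANNER_NETS):
        return Verdict(False, "known portscan service")
    return Verdict(True, "ok")


def filter_batch(lines):
    """Split a batch into (accepted, rejected) lists of (line, reason).

    Rejected lines are returned rather than discarded so the original
    submission can be kept in the audit log, as the reply says is done.
    """
    accepted, rejected = [], []
    for line in lines:
        verdict = check_submission(line)
        (accepted if verdict.accepted else rejected).append((line, verdict.reason))
    return accepted, rejected


# Constructed sample submission; addresses are documentation ranges.
SAMPLE_LINES = [
    "2001-01-15 10:00:00 203.0.113.5 4321 203.0.113.5 80",    # self-scan
    "2001-01-15 10:00:01 10.1.2.3 4321 203.0.113.5 22",       # reserved source
    "2001-01-15 10:00:02 198.51.100.7 4321 203.0.113.5 139",  # known scanner
    "2001-01-15 10:00:03 192.0.2.9 4321 203.0.113.5 111",     # genuine record
    "garbage line",                                           # malformed
]

if __name__ == "__main__":
    ok, bad = filter_batch(SAMPLE_LINES)
    for line, reason in bad:
        print(f"REJECT ({reason}): {line}")
    for line, _ in ok:
        print(f"ACCEPT: {line}")
```

Running the block on the sample prints one accepted record (the 192.0.2.9 source, which is in a documentation range but not in the two reserved networks listed) and four rejections with their reasons, so an operator can see exactly why a line never reached the attacker table.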



