[Dshield] dshield reports

John Sage jsage at finchhaven.com
Sun Jun 23 05:25:51 GMT 2002


John:

On Sat, Jun 22, 2002 at 08:51:31PM -0400, Lauro, John wrote:
> Hello,
> 
> I am trying to understand some of the dshield reports...
> 
> 1. The Top 10 most wanted (at http://www.dshield.org/top10.html)
> states "(Interested in more detailed reports? Join the mailing list
> and ask for it ;-) ..).", and clicking on the link states "No such
> list dshield".  Is that list meant to be this list?

I'll let Johannes or somebody else tackle that..


> 2. On the subnet report, I think there is a problem (maybe some data
> is newer than other?), or I am a little confused what the numbers
> mean...  I was checking one of the IPs scanning our network, to double
> check that it showed up in the dshield database...
> 
> At the top level, for 141/8 it has:
> Sources: 7682
> Targets: 231768
> Reports: 303834

141/8 represents hosts/net: 16,777,214 

> Then clicking on 141/8, it has 141.210/16 (along with a bunch of other
> subnets):
> Sources: 68
> Targets: 275
> Reports: 572

141.210/16 represents hosts/net: 65,534

> After you click on 141.210/16...
> Source        Sources Targets Reports 
> 141.210.010/24      2       2       2 
> 141.210.016/24     21      28      34 
> 141.210.162/24      2       3       3 
> 141.210.178/24      1       3       5 
> 141.210.180/24      1       2       3 
> 141.210.181/24      1   64276  120344 
> 141.210.186/24      1     190     464

141.210.0/24 represents hosts/net: 254 

So each individual line within the 141.210.0/24 grouping could only
have a possible total of 254 individual hosts.

Of the possible 254 in 141.210.016/24, for example, 21 individual
hosts have been reported performing probes.

Any given /24 just doesn't have that many hosts in it, so the numbers
(at least for the blocks you've been looking at..) cannot be greater
than 254. The likelihood of a lot of hosts in a /24 *all* doing probes
is not that great, I'd guess..

> Why are the numbers for 141.210/16 so low?  I tried forcing a refresh
> on the page, and looked at the date of the page according to the
> browser, and it has today's date.


- John
-- 
"You are in a little maze of twisty passages, all different."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
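
The roll-up figures quoted in this message can be checked mechanically. The following is an added example, not part of the original message or DShield's own code; it assumes that sources and reports add up across disjoint /24s and that a parent's target count is at least that of its largest child (these column semantics are an assumption), and the function names are hypothetical.

```python
import ipaddress

# Figures copied from the report pages quoted in the message.
PARENT_16 = {"sources": 68, "targets": 275, "reports": 572}
ROWS_24 = """\
141.210.010/24      2       2       2
141.210.016/24     21      28      34
141.210.162/24      2       3       3
141.210.178/24      1       3       5
141.210.180/24      1       2       3
141.210.181/24      1   64276  120344
141.210.186/24      1     190     464
"""

def usable_hosts(prefix_len):
    """Host addresses in an IPv4 prefix, excluding network and broadcast."""
    return 2 ** (32 - prefix_len) - 2

def parse_rows(text):
    """Parse 'prefix sources targets reports' lines into typed tuples."""
    rows = []
    for line in text.splitlines():
        prefix, sources, targets, reports = line.split()
        addr, plen = prefix.split("/")
        # The report zero-pads octets (010) and omits the last one; normalise
        # both, since ipaddress rejects leading zeros.
        octets = [str(int(o)) for o in addr.split(".")]
        octets += ["0"] * (4 - len(octets))
        net = ipaddress.ip_network(".".join(octets) + "/" + plen)
        rows.append((net, int(sources), int(targets), int(reports)))
    return rows

def check_rollup(parent, rows):
    """Assumed: sources/reports add across disjoint /24s; targets may overlap."""
    findings = []
    for net, sources, _, _ in rows:
        cap = usable_hosts(net.prefixlen)
        if sources > cap:
            findings.append(f"{net}: {sources} sources > {cap} hosts")
    child_sources = sum(r[1] for r in rows)
    child_reports = sum(r[3] for r in rows)
    max_targets = max(r[2] for r in rows)
    if parent["sources"] < child_sources:
        findings.append(f"sources: parent {parent['sources']} < children {child_sources}")
    if parent["targets"] < max_targets:
        findings.append(f"targets: parent {parent['targets']} < largest child {max_targets}")
    if parent["reports"] < child_reports:
        findings.append(f"reports: parent {parent['reports']} < children {child_reports}")
    return findings
```

On the quoted figures it reports that the 141.210/16 targets and reports totals are smaller than what its /24 rows imply, while every sources value fits within 254.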
