[Dshield] Block.txt list of IP's rarely blocked...

fuc952d@tninet.se fuc952d at tninet.se
Tue Mar 4 10:41:03 GMT 2003


On Thursday 27 February 2003 5:50 am, Johannes Ullrich wrote:
> > Over the past 37 weeks, I have blocked 28 packets from DShield's
> > block.txt lists. During that same time I have DROP'd 23,544 packets from
> > everywhere else.

yep, that represents about the same frequency for me.

> Interesting. And I am very eager to hear more about stats like this.
> I think the result is not all that surprising. There are a couple
>  problems with block lists:

Some observations.

1) My firewall policy states:

only packets originating from inside are allowed, with the exception of the 
web server, ssh and mail to some internal hosts

2) CIFS / SMB / reserved addresses / multi or broadcast packets are dropped, 
all others are logged

3) so the block list provides 10 extra rules for packets which would have 
been logged anyway and potentially blocks an exploit for those 3 ports that 
are open.

Nonetheless, I can perceive a benefit for a more wide ranging and flexible 
access to the data, especially for those folks running "accept as default with 
specified denials", but I think we should be nudging those folks towards a 
rethink ;-) .

I would like to be able to access 

a)  top 10 list for specified ports
b)  top 10 list for specified net/mask
c)  Regional top 10 list????? maybe
d) The current top baddies.......

I would also like to know how fluid the top 10 is... I haven't kept records of 
how often it changes.
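To make observation 3 concrete, here is an added model of the policy the message describes (default deny inbound, three allowed services, SMB and non-routable noise dropped silently, everything else dropped and logged) with a block list layered in front of it. This is example code written for this archive page, not anything the poster or DShield published; the addresses, the three service hosts and the sample traffic are constructed from documentation ranges, and the rule order (block list first) is an assumption. It counts how many block-list hits would have been dropped by the existing policy anyway and how many actually changed the outcome, which is only possible for packets aimed at one of the open ports.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example (not from the original post): a minimal model of the
# policy described in the message, used to show where a block list adds value.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# Hosts and networks below are assumptions for illustration (RFC 5737 ranges).
WEB_SERVER = ipaddress.ip_address("192.0.2.10")
SSH_HOST = ipaddress.ip_address("192.0.2.20")
MAIL_HOST = ipaddress.ip_address("192.0.2.30")

# Exceptions to default deny: (destination host, protocol, port).
ALLOWED_SERVICES = {
    (WEB_SERVER, "tcp", 80),
    (SSH_HOST, "tcp", 22),
    (MAIL_HOST, "tcp", 25),
}

# Noise dropped without logging: CIFS/SMB ports and reserved/multicast sources.
SMB_PORTS = {137, 138, 139, 445}
SILENT_DROP_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),  # multicast
]


def evaluate(pkt, blocklist):
    """Return (verdict, reason) for one inbound packet.

    verdict is "ACCEPT", "DROP" (silent) or "DROP+LOG".  Block-list rules are
    checked first, mirroring a list inserted ahead of an existing default-deny
    policy (an assumption about rule order, not something the post states).
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if any(src in net for net in blocklist):
        return "DROP+LOG", "blocklist"
    if pkt.dport in SMB_PORTS or any(src in net for net in SILENT_DROP_SOURCES):
        return "DROP", "noise"
    if (dst, pkt.proto, pkt.dport) in ALLOWED_SERVICES:
        return "ACCEPT", "service"
    return "DROP+LOG", "default-deny"


def blocklist_value(packets, blocklist):
    """Split block-list hits into those that changed the outcome and those the
    baseline policy would have dropped anyway."""
    effective = redundant = 0
    for pkt in packets:
        _, reason = evaluate(pkt, blocklist)
        if reason != "blocklist":
            continue
        # Re-run the same packet with no block list to see the baseline verdict.
        baseline, _ = evaluate(pkt, [])
        if baseline == "ACCEPT":
            effective += 1
        else:
            redundant += 1
    return {"effective": effective, "redundant": redundant}


# Constructed block list and sample traffic; none of these are real observations.
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),    # listed source, open web port
    Packet("198.51.100.8", "192.0.2.55", "tcp", 1433),  # listed source, closed port anyway
    Packet("198.51.100.9", "192.0.2.55", "tcp", 445),   # listed source, SMB noise anyway
    Packet("203.0.113.4", "192.0.2.55", "udp", 137),    # unlisted SMB noise
    Packet("203.0.113.5", "192.0.2.20", "tcp", 22),     # unlisted, legitimate ssh
    Packet("203.0.113.6", "192.0.2.55", "tcp", 6667),   # unlisted, dropped and logged
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, p.dport, evaluate(p, BLOCKLIST))
    print(blocklist_value(SAMPLE, BLOCKLIST))
```

Of the three listed-source packets in the sample, only the one aimed at the open web port changes outcome; the other two would have been dropped by the default-deny or noise rules regardless, which is the effect the message describes for a site that already denies by default.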


