[Dshield] Block.txt list of IP's rarely blocked...
fuc952d at tninet.se
Tue Mar 4 10:41:03 GMT 2003
On Thursday 27 February 2003 5:50 am, Johannes Ullrich wrote:
> > Over the past 37 weeks, I have blocked 28 packets from DShield's
> > block.txt lists. During that same time I have DROP'd 23,544 packets from
> > everywhere else.
yep, that represents about the same frequency for me.
> Interesting. And I am very eager to hear more about stats like this.
> I think the result is not all that surprising. There are a couple
> problems with block lists:
1) My firewall policy states:
only packets originating from inside are allowed with the exception of the
webserver, ssh and mail to some internal hosts
2) CIFS / SMB / reserved addresses / multi or broadcast packets are dropped,
all others are logged
3) so the block list provides 10 extra rules for packets which would have
been logged anyway and potentially blocks an exploit for those 3 ports that
Nonetheless, I can perceive a benefit for a more wide ranging and flexible
access to the data especially for those folks running "accept as default with
specified denials" but I think we should be nudging those folks towards a
rethink ;-) .
I would like to be able to access
a) top 10 list for specified ports
b) top 10 list for specified net/mask
c) Regional top 10 list????? maybe
d) The current top baddies.......
I would also like to know how fluid is the top 10...I haven't kept records for
often it changes.