[Dshield] Integrating DSHIELD IP lookup database

Johannes Ullrich jullrich at euclidian.com
Wed Mar 5 22:33:25 GMT 2003

> I would love to see a DShield SOAP interface but I have some doubts:

how would the ipinfo_ascii.php page look in soap and what service could
it provide the current version does not offer?

> 1/ If we want that system to be usable, it should be secured using
> SSL and that takes time and money (to buy the key). 

All of DShield.org is available using https://secure.dshield.org 
instead of http://www.dshield.org

> 2/ The DB is currently extremely slow: it takes about 20-30 seconds
> now to get a result page for the "most wanted" IP. It seems to be
> faster for unmatched IPs, but I wonder how slow it will be if it
> starts getting hundreds of requests per minute (likely scenario there
> is a working SOAP interface to that query).

working on that and adding more caching... so far we cache mysql queries
and some web stuff, but a full proxy is in planning. This will help in
particular with frequently requested IPs.

> 3/ The queries should be more varied: one should be able to get infor
> for a whole range of IPs, or to get info about a specific IP but with
> an indirection (like "the most wanted IP ranking 4", etc.).

thats where speed and input validation becomes more tricky... later maybe
There is already the 'subnet' report on isc.sans.org (which is using the
same database as dshield.org and incidently the same web server...)

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

More information about the list mailing list