[Dshield] Bad Dest IP reported using CVTWIN and RouterLog

David Kennedy CISSP david.kennedy at acm.org
Fri Mar 14 07:08:22 GMT 2003


At 05:27 PM 3/13/03 -0500, John Duksta wrote:
>It all works quite nicely, except for the fact that CTVWIN puts my local 
>machine's IP address as the destination IP for the attacks. Since I'm 
>running RFC 1918 addressing on my internal network, this means that all 
>my reports are going to show a dest IP of 192.168.x.x instead of the 
>AT&T/Comcast IP that is assigned to the Barricade.
>
>Who should I contact about submitting a RFE to CVTWIN to hopefully fix 
>this issue?

I've been submitting logs with 10.0.0.0 addresses since 6/01 and don't
really see why my destination IP matters.  I suppose it's possible to parse
the SMTP headers for most CTVWIN submissions and infer a routeable address,
but for what purpose?  If my reports are used for fightback, and their
destination IP really becomes an issue, Johannes or someone at DShield can
always ask what my IP is.  Whether I can nail down a DHCP'd address on a
given day is a toss up, but worst-case I can't-so what?  My reports are
unlikely to be the sole cause for a fightback and unlikely to matter if my
reports have to be discarded.  

The focus is on the attackers.  IP's can be spoofed but if hundreds of
reporters report an attacker's IP, chances are it's not spoofed; no
guarantee, but chances are....  If a few hundred of us report a host as
CodeRed.F infected, chances are it is.  Knowing my IP really doesn't matter
to whoever is responsible for that host.  Cleaning it up is.  I just don't
see what the payoff is to trying to parse SMTP headers for an IP that could
have been manipulated by the SMTP server, a proxy or a firewall between the
submitter and DShield.
-- 
Regards,

David Kennedy CISSP                         /"\
Director of Research Services,              \ / ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com     X  Against HTML Mail
Protect what you connect;                   / \
Look both ways before crossing the Net.



More information about the list mailing list