[Dshield] Bad Dest IP reported using CVTWIN and RouterLog

dcm2002@sbcglobal.net dcm2002 at sbcglobal.net
Fri Mar 14 21:49:47 GMT 2003


I agree with you about the value of reporting real addresses and keeping
dShield data as accurate as possible. I am also running an SMC Barricade,
with RouterLog and CVTWIN, and have the same issue as you about my
internal address being reported. I have a DHCP supplied address and SBC
forces my external address to change about once a week. I'd like to see my
correct address show up in the reports, so that the dShield data is kept
accurate. I'd also suspect that reports of 'attacks' on Obscured IP
addresses don't mean as much to ISPs as reports on real addresses.

However, I've noticed that RouterLog always knows my current external IP
Address. It's shown under the "Router Status" button along with my
"Local IP Address". 
Could RouterLog add an optional check box to report my real "External
Address"? All that it would need to do is replace all the "Local IP
Address" values with the real "External Address" when it writes the data
to the log file. 

Finally, those that want to report obscured addresses can either leave
the option box in RouterLog unchecked, or check the "Obscure Your IP"
box in CVTWIN.


Would getting the "External IP Address" into the log files as above
satisfy dShield's "policy that our clients will only extract destination
IPs if they are in a log file"? It should also keep track of the
changing IP address, so that the log reflects the real probes, what
address and port were probed and when, no matter how long of a delay
occurs until the data is reported. That would keep the data as
trustworthy, and accurate, as possible.

David Mehl
Houston TX  USA
dcm2002 at sbcglobal.net 
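
Added example, not part of the original message and not RouterLog or CVTWIN code: a sketch of the substitution proposed above, where the internal destination address in each log line is replaced by the external address that was in effect when the event was logged, so a weekly address change or a reporting delay does not misattribute the probe. The log format, the lease history and all addresses are constructed assumptions.

```python
import bisect
from datetime import datetime

# Constructed sample data: RouterLog's real log format is not shown in the post.
# RFC 5737 documentation addresses stand in for ISP-assigned and remote hosts.
FMT = "%Y-%m-%d %H:%M:%S"
LOCAL_IP = "192.168.2.1"  # assumed internal address written by the router
LEASES = [  # (time the external address took effect, external address)
    ("2003-03-01 00:00:00", "192.0.2.10"),
    ("2003-03-08 04:12:00", "198.51.100.77"),
]
LOG = """\
2003-03-07 23:59:10 TCP 203.0.113.5:4312 -> 192.168.2.1:445
2003-03-08 04:11:59 UDP 203.0.113.9:1027 -> 192.168.2.1:137
2003-03-08 04:12:01 TCP 203.0.113.5:4400 -> 192.168.2.1:80
2003-02-20 10:00:00 TCP 203.0.113.5:4401 -> 192.168.2.1:80
"""


def external_at(when, leases):
    """Return the external address in effect at `when`, or None if unknown."""
    ordered = sorted((datetime.strptime(t, FMT), ip) for t, ip in leases)
    starts = [start for start, _ in ordered]
    i = bisect.bisect_right(starts, when) - 1
    return ordered[i][1] if i >= 0 else None


def rewrite(log_text, local_ip, leases):
    """Replace local_ip as destination with the external address at event time.

    Events older than the first known lease are dropped rather than guessed,
    so no report carries an address the reporter cannot vouch for.
    """
    out = []
    for line in log_text.splitlines():
        date, time, proto, src, _arrow, dst = line.split()
        host, port = dst.rsplit(":", 1)
        if host == local_ip:
            ext = external_at(datetime.strptime(f"{date} {time}", FMT), leases)
            if ext is None:
                continue
            host = ext
        out.append(f"{date} {time} {proto} {src} -> {host}:{port}")
    return out


if __name__ == "__main__":
    print("\n".join(rewrite(LOG, LOCAL_IP, LEASES)))
```
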

