[Dshield] Bad Dest IP reported using CVTWIN and RouterLog

Wayne Larmon wlarmon at dshield.org
Fri Mar 14 23:21:38 GMT 2003

> John
> I agree with you about the value of reporting real addresses and keeping
> dShield data as accurate as possible. I am also running a SMC Barricade,
> with RouterLog and CTWIN, and have the same issue as you about my
> internal address being reported. I have a DHCP supplied address and SBC
> forces my external address changes about once a week. I'd like to see my
> correct address show up in the reports, so that the dShield data is kept
> accurate. I'd also suspect that reports of 'attacks' on Obscured IP
> addresses don't mean as much to ISPs as reports on real addresses.

Correct.  We don't send a Fightback based on an obscured (or non-routable)
IP address.  But they are used as supporting IPs that "count" towards the
minimum amount of different target IPs that we require before we send a
Fightback.  And they are in the database report that the admin can query to
determine exactly what was going on.  Some of the admins do do a diligent
job of tracking down the offender, which can be tricky if it is, say, a
dial-up network where each connection is assigned a different IP.  So every
bit of evidence is important, even obscured IPs.

> However, I've noticed that RouterLog always knows my current external IP
> Address. It's shown under the "Router Status" button along with my
> "Local IP Address".
> Could RouterLog add an optional check box to report my real "External
> Address"? All that it would need to do is replace all the "Local IP
> Address" values with the real "External Address" when it writes the data
> to the log file.
> Finally, those that want to report obscured addresses can either leave
> the option box in RouterLog unchecked, or check the "Obscure Your IP"
> box in CTWIN.
> Wayne
> Would getting the "External IP Address" into the log files as above
> satisfy dShield's "policy that our clients will only extract destination
> IPs if they are in a log file." It should also keep track of the
> changing IP address, so that the log reflects the real probes, what
> address and port were probed and when, no matter how long of a delay
> occurs until the data is reported. That would keep the data as
> trustworthy, and accurate, as possible.

Yes.  If the IP is in the log, then we will use it.

Wayne Larmon

More information about the list mailing list