[Dshield] How representative?

At 10:18 AM 3/25/2003 -0500, Jeff Kell authored the following:

>Precisely.  If your setup is completely secured, you drop the packet 
>without further question.  You might be able to differentiate between a 
>"scan" and an "intrusion attempt" from an ICMP or UDP packet, but for TCP 
>issues, you never allow it to get beyond the initial SYN unless you have a 
>real live server behind it.  You would have to "honeynet" every service to 
>get far enough to detect a TCP-based exploit.

Well put.

There are 36 million AOL subscribers. I suspect that a majority wouldn't 
know an ICMP packet from chopped liver. With the growing proliferation of 
always-on connections, it's really scary when you think of all the 
potentially compromised machines of people who haven't the slightest clue 
that they are distributing porn, spam or warez.

I have said this before. I think that DShield has a greater potential to 
reduce spam and piracy than all the block lists combined. 
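The point in the quoted paragraph is worth seeing on the wire. Below is an added example, not code from the DShield list or from anyone posting on it: a minimal "honeynet" listener on 127.0.0.1 that completes the TCP handshake and records the first bytes the client sends, beside a probe of a port where nothing listens, which is answered with RST and never yields a payload. Port numbers are ephemeral, the HTTP request is constructed for the demo, and the classify() rule is a deliberately crude illustration, not a real signature.

```python
"""Added example (not part of the original post): why a TCP exploit attempt
is only distinguishable from a scan once something completes the handshake.

Runs entirely on 127.0.0.1 with ephemeral ports; nothing leaves the host.
"""
import socket
import threading


def start_listener(host="127.0.0.1", max_bytes=256):
    """Bind an ephemeral port, accept one connection in a background thread,
    and record whatever the peer sends first.  Returns (port, captured, thread);
    `captured` is filled in once the connection has been handled."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    captured = {}

    def serve():
        conn, peer = srv.accept()        # handshake completed here
        conn.settimeout(2)
        try:
            data = conn.recv(max_bytes)  # b"" if the peer just connected and closed
        except socket.timeout:
            data = b""
        captured["peer"] = peer
        captured["payload"] = data
        conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, captured, t


def probe(host, port, payload=b"", timeout=2):
    """Client side of the exchange.  'refused' means the SYN got an RST
    (closed port), 'filtered' means the SYN was silently dropped (a firewall
    doing what the quoted paragraph describes); only 'connected' ever carries
    application bytes to the other side."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    if payload:
        s.sendall(payload)
    s.close()
    return "connected"


def classify(payload):
    """Crude triage of the first bytes seen after the handshake.  This is an
    illustrative rule for the demo, not a real detection signature."""
    if not payload:
        return "connect only (scan)"
    if b"\x00" in payload or len(payload) > 200:
        return "suspicious binary payload"
    return "application request"


def find_closed_port(host="127.0.0.1"):
    """Bind and immediately release an ephemeral port so that, for the next
    few moments, nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    # Constructed request: the kind of thing a worm or scanner sends first.
    request = b"GET / HTTP/1.0\r\n\r\n"

    port, captured, t = start_listener()
    outcome = probe("127.0.0.1", port, request)
    t.join(5)
    seen_with_listener = captured.get("payload", b"")

    closed_outcome = probe("127.0.0.1", find_closed_port())
    return outcome, seen_with_listener, classify(seen_with_listener), closed_outcome


if __name__ == "__main__":
    print(demo())
```

With a listener behind the port the first line of the request is captured and can be triaged; against the closed port the client never gets past the SYN, and there is nothing to inspect. A firewall that drops the SYN outright lands in the 'filtered' branch, which is the same from the defender's side: the log shows a SYN and nothing else, hence the need to "honeynet" a service to see a TCP payload.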

