[Dshield] One More Nitwit's IPTable Question :-(

Johannes Ullrich jullrich at euclidian.com
Thu Oct 30 23:06:19 GMT 2003


sorry for stepping in a bit late into all of this. 

egress reporting, LAN IPs and DShield: The lowdown ;-)

(*) We do filter all reports out that show a SOURCE from
    a 'reserved' net. At this point, this is:
    10.0.0.0/8
    192.168.0.0/16
    127.0.0.0/8
    
    There are more, but these are the 'biggies'. 

There are a few reasons for this:
- a lot of these reports are from internal traffic and
  not 'malicious' in any way. If you have a Windows host 
  in your LAN, you will see plenty of port 137 broadcasts
  and your firewall will likely log them.
  In short: We don't want to know what you do at home ;-)

- if they are spoofed traffic, it is hard for us to 
  identify them as such, as we don't know your network layout.
  Many ISPs use 10. IPs for internal systems (in particular
  routers, or the HF end of cable modems).

- For fightback, these reports are of course useless. No way to
  find out where to send them to.

- in the past, we had a few 'flooding' incidents from these
  scenarios.

(*) We do accept reports if your 'TARGET' is in a reserved
    network.

Many firewalls, in particular IPTables with NAT, will report the
internal 'reserved' IP as target, not the external public IP.
Some of our clients can be configured to 'undo' this. However,
reports with reserved targets are perfectly fine.

- we can still link them to a submitter
- if you want to obfuscate your own IP, it is perfectly fine to
  use 10 as first byte (this way we know it's obfuscated)

However, if your target IP is 'reserved', you cannot participate in
fightback.

On Thu, 2003-10-30 at 17:24, David C. Hart wrote:
> I tracked down that spurious Hotmail traffic to timeouts on bounced mail
> going back to MSN which is not on the FreeMail list.
> 
> Am I to assume that those using IPTables to report data to DShield are
> reporting their LAN interface IP as the destination IP (in contrast to
> the host IP)? If not, I'll need to revisit my drawing board this
> weekend.
> 
> If so, does that compromise "FightBack" initiatives?
> 
> Thanks.
> 
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
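The acceptance rule laid out in the message above (drop reports whose source is in a reserved net, keep reports whose target is reserved but mark them unusable for fightback, and treat a first byte of 10 as deliberate obfuscation) as a small filter. This is an added example, not DShield's own code or submission format: the reserved list is only the three prefixes the message names (the real filter has more), the `source target port` line format and the sample lines are constructed, and the function names are assumptions.

```python
import ipaddress

# The three reserved prefixes the message calls the "biggies". The real
# DShield filter covers more; this list is an assumption for the example.
RESERVED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_reserved(addr: str) -> bool:
    """True if the address falls inside one of the reserved prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESERVED_NETS)


def classify_report(source: str, target: str) -> str:
    """Apply the rule from the message.

    'dropped'   - source is reserved: internal noise or unverifiable spoof
    'accepted'  - source public, target reserved (NAT'd firewall): still
                  linkable to the submitter, but useless for fightback
    'fightback' - both source and target are public
    """
    if is_reserved(source):
        return "dropped"
    if is_reserved(target):
        return "accepted"
    return "fightback"


def obfuscate_target(addr: str) -> str:
    """Hide a submitter's public target IP by replacing the first byte
    with 10, the convention the message says marks it as obfuscated."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("expected a dotted-quad IPv4 address")
    return ".".join(["10"] + octets[1:])


# Constructed sample lines, "source target port", using documentation
# ranges for the public addresses. Not a real DShield submission format.
SAMPLE = """192.168.1.20 192.168.1.255 137
203.0.113.5 192.168.1.10 135
203.0.113.5 198.51.100.7 22
127.0.0.1 198.51.100.7 25"""


def filter_reports(text: str) -> dict:
    """Run every line through classify_report; keep all but 'dropped'."""
    counts = {"dropped": 0, "accepted": 0, "fightback": 0}
    kept = []
    for line in text.splitlines():
        src, dst, port = line.split()
        verdict = classify_report(src, dst)
        counts[verdict] += 1
        if verdict != "dropped":
            kept.append((src, dst, int(port), verdict))
    return {"counts": counts, "kept": kept}


if __name__ == "__main__":
    result = filter_reports(SAMPLE)
    for row in result["kept"]:
        print(row)
    print(result["counts"])
    # An obfuscated target lands in the 'accepted' bucket, as the message says.
    print(classify_report("203.0.113.5", obfuscate_target("198.51.100.7")))
```

The port 137 line is the broadcast noise the message mentions and is dropped on its source alone; the 192.168.1.10 target from a NAT'd firewall is kept but flagged so nothing downstream tries to send a fightback notice for it.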