[Dshield] dshield-based RBLs?

Johannes B. Ullrich jullrich at sans.org
Mon Jun 7 19:05:39 GMT 2004


> Comments?

Well, I am always a bit ambivalent about distributing large
block lists like this. We do have our (very small) block list.
I could set up a blocklist as a "trial", and see how it works.
I will also have to check how to best filter such a blocklist.

For example, many valid mail servers do attempt auth lookups
and will show up for blocked port 113 requests. Some mail
servers are even more aggressive and will scan each host connecting
to them for open proxies. So a case-by-case whitelist is needed
for these servers.

Have to think about it, but overall, it looks like a lot
of work to do it right. And there are enough bad RBLs already.



-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
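
The filtering problem raised in the message above, sketched as an added example that is not part of the original post and is not DShield code: sources seen only on port 113 or on proxy-probe ports are routed to whitelist review instead of the blocklist. The report tuple format, the proxy port set, the `min_targets` threshold and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumptions (not from the original post): port sets and threshold are illustrative.
IDENT_PORT = 113                        # auth/ident lookups made by mail servers
PROXY_PROBE_PORTS = {1080, 3128, 8080}  # ports commonly checked for open proxies
CALLBACK_PORTS = {IDENT_PORT} | PROXY_PROBE_PORTS

# Constructed sample of blocked-packet reports: (source, target, target port).
SAMPLE_REPORTS = [
    ("192.0.2.25", "203.0.113.1", 113), ("192.0.2.25", "203.0.113.2", 113),
    ("192.0.2.25", "203.0.113.3", 113),       # mail server doing ident lookups
    ("192.0.2.26", "203.0.113.1", 113), ("192.0.2.26", "203.0.113.1", 1080),
    ("192.0.2.26", "203.0.113.1", 3128),      # mail server probing for proxies
    ("192.0.2.30", "203.0.113.4", 113),       # already reviewed and whitelisted
    ("198.51.100.7", "203.0.113.1", 445), ("198.51.100.7", "203.0.113.2", 445),
    ("198.51.100.7", "203.0.113.3", 445),     # same port across many targets
    ("198.51.100.9", "203.0.113.1", 22),      # single report, too thin to list
]

def classify_sources(reports, whitelist=frozenset(), min_targets=3):
    """Map each source to 'whitelisted', 'review', 'candidate' or 'ignore'."""
    ports, targets = defaultdict(set), defaultdict(set)
    for src, dst, port in reports:
        ports[src].add(port)
        targets[src].add(dst)
    result = {}
    for src in ports:
        if src in whitelist:
            result[src] = "whitelisted"
        elif ports[src] <= CALLBACK_PORTS:
            # Only ident/proxy-check traffic: likely a mail server reacting to
            # a connection, so a human decides whether it joins the whitelist.
            result[src] = "review"
        elif len(targets[src]) >= min_targets:
            result[src] = "candidate"
        else:
            result[src] = "ignore"
    return result

def blocklist(reports, whitelist=frozenset(), min_targets=3):
    """Sorted list of sources that survive the filter."""
    verdicts = classify_sources(reports, whitelist, min_targets)
    return sorted(s for s, v in verdicts.items() if v == "candidate")

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_REPORTS, {"192.0.2.30"}).items()):
        print(f"{src:15} {verdict}")
```
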