[Dshield] new fightback system
Johannes B. Ullrich
jullrich at sans.org
Mon Jun 14 19:45:28 GMT 2004
Last night, I took a new fightback system live. The purpose
of this system is twofold:
- improve performance. The old system didn't keep up with the
reports and in addition caused the data imports to slow down.
So under heavy load, this caused not only outbound fightbacks
to slow down to a crawl, but it also caused the fightback
system to block new imports.
- better transparency for users. The old system didn't provide
much feedback about its status. Not only was it hard to
debug, but it was hard to communicate to you (users of the
system) what it is actually doing.
At this point, the automatic fightback messages are integrated
into this system. The user-triggered messages will be integrated
shortly (just waiting for a couple days to work out any bugs).
To check the fightback system's status, see:
The numbers are not quite right yet, as some of them still reflect
some of the testing I have done. (e.g. the table at the
bottom was reset a couple times and the 'sent' count is lower
than the actual number). Over the next day or so, this
Whenever new reports are processed, the new system will screen
the batch for likely fightback candidates and add them to a
fightback queue. A second script will then run through this
queue, do some more detailed verification and if the report
passes, a fightback message will be sent.
BTW: we are very close to sending out the 1 millionth message ;-).
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm