[Dshield] Dshield listing of load-balancers / proposal for LB registry

Frank Knobbe frank at knobbe.us
Wed Oct 27 17:49:43 GMT 2004


Greetings,

A client contacted me recently to help him understand why one of his IP
addresses is listed in the DShield database. As it turns out, that IP
address is the public IP of their load-balancer. It appears that remote
sites recognize the various packets, which are used by load-balancers to
optimize their data routing path, as scans and hostile traffic,
(black-)listing it and reporting it to places like DShield.

How is that addressed within the DShield setup? (My guess is: not at
all) 

There are thousands of load-balancers (F5, Radware, etc) in use on the
Internet. Those load-balancers do two things: 

a) They contribute to the pollution of the Internet by sending multiple
packets in different formats (TCP SYNs, ICMPs, UDP probes) to
unsuspecting targets (I say unsuspecting because they just browse
websites. They don't expect a handful of pings'n'probes to be thrown at
them just for looking at a website).

b) They severely skew results when we attempt to measure hostile
behavior or detect scanners.

If you think about all this "false traffic" floating around the net,
falsifying statistics and possibly tripping preventive/reactive
countermeasures inadvertently, you come to realize that this is a
growing problem. With these products becoming more affordable and
finding more widespread use, the amount of "false traffic" will only
increase.

I'd like to check and see what is being done to counter this
falsification through garbage thrown out by load-balancers. Are there
any efforts to weed out those "false hits"? Are there any projects
dealing with this issue?

If not, I'd like to propose the creation of a registry of
load-balancers. Maybe similar to the Team Cymru Bogon List, or perhaps
like a spam list in DNS-based format. This registry could be open to
anyone (companies using load-balancers, IDS operators, Managed Security
Service Providers, etc). Those folks can submit IP addresses of
load-balancers. That database should be available for query to anyone
so that IPs can be checked against the DB, and false hits can be
quickly identified. Likewise, other lists (like DShield) could use that
data to intersect their database and clean out all the known
load-balancers from their listings so that load-balancers are not
mistaken for "hostile attackers".


What is the opinion of this list regarding creation of such a
load-balancer registry? Would it add value as I hope?

Regards,
Frank
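The sketch below is an added example and is not code from Frank's post or from any DShield or registry project. It shows the two mechanics the proposal relies on: forming a DNSBL-style query name (reversed octets under a registry zone, the same shape as spam DNS lists) and screening a DShield-style report set against the answers. It also adds a heuristic the post implies but does not spell out: a multi-protocol "scan" that arrives seconds after the monitored host itself connected outbound to that source is a browse-then-probe pattern typical of a load-balancer, not an unsolicited scanner. The zone name `lb.registry.example`, the registry contents, the log format and every IP address are constructed for illustration; the resolver is a stand-in for a real DNS lookup.

```python
"""Added example, not from the original post: DNSBL-style registry
lookup plus screening of inbound multi-protocol probes.  Zone, registry
contents, log format and addresses are all constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import IPv4Address
from typing import Callable, Dict, List, NamedTuple, Set, Tuple

REGISTRY_ZONE = "lb.registry.example"  # hypothetical registry zone

# Constructed registry contents that stand in for live DNS answers.
_CONSTRUCTED_REGISTRY: Set[str] = {"198.51.100.7", "203.0.113.42"}


class Packet(NamedTuple):
    ts: datetime
    direction: str  # "IN" = towards our host, "OUT" = from our host
    proto: str
    src: str
    dst: str


def registry_query_name(ip: str, zone: str = REGISTRY_ZONE) -> str:
    """DNSBL-style lookup name: reversed octets under the registry zone,
    e.g. 203.0.113.42 -> 42.113.0.203.lb.registry.example."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def constructed_resolver(name: str) -> bool:
    """Stand-in for an A-record lookup against the registry zone.
    Returns True when the queried IP is in the constructed registry."""
    rev = name[: -len("." + REGISTRY_ZONE)]
    ip = ".".join(reversed(rev.split(".")))
    return ip in _CONSTRUCTED_REGISTRY


def screen_reports(reported: List[str],
                   resolver: Callable[[str], bool] = constructed_resolver
                   ) -> Tuple[List[str], List[str]]:
    """Split a DShield-style list of reported sources into
    (known load-balancers, everything else) via registry lookups."""
    known = [ip for ip in reported if resolver(registry_query_name(ip))]
    kept = [ip for ip in reported if ip not in known]
    return known, kept


def parse_log(text: str) -> List[Packet]:
    """Parse the constructed 'ts direction proto src dst' log format.
    A real firewall log would also carry TCP flags; omitted here."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, proto, src, dst = line.split()
        packets.append(Packet(datetime.fromisoformat(ts), direction, proto, src, dst))
    return packets


def classify_sources(packets: List[Packet],
                     resolver: Callable[[str], bool] = constructed_resolver,
                     window: timedelta = timedelta(minutes=5),
                     min_protos: int = 2) -> Dict[str, str]:
    """Label each external source that hit us with >= min_protos protocols:
    'registered-lb'    - the registry lists it;
    'reflexive-probe'  - we connected OUT to it within `window` before its
                         first inbound packet (browse-then-probe pattern,
                         a candidate for submission to the registry);
    'unsolicited-scan' - neither; treat as a genuine scanner."""
    protos: Dict[str, Set[str]] = defaultdict(set)
    first_seen: Dict[str, datetime] = {}
    for p in packets:
        if p.direction == "IN":
            protos[p.src].add(p.proto)
            first_seen.setdefault(p.src, p.ts)
    labels: Dict[str, str] = {}
    for src, seen in protos.items():
        if len(seen) < min_protos:
            continue
        if resolver(registry_query_name(src)):
            labels[src] = "registered-lb"
            continue
        t0 = first_seen[src]
        solicited = any(q.direction == "OUT" and q.dst == src
                        and t0 - window <= q.ts <= t0 for q in packets)
        labels[src] = "reflexive-probe" if solicited else "unsolicited-scan"
    return labels


# Constructed log: our host 192.0.2.10 browses two sites that probe back
# (one registered, one not), then a third host scans us unprompted.
CONSTRUCTED_LOG = """\
2004-10-27T17:40:01 OUT tcp  192.0.2.10    203.0.113.42
2004-10-27T17:40:02 IN  tcp  203.0.113.42  192.0.2.10
2004-10-27T17:40:02 IN  icmp 203.0.113.42  192.0.2.10
2004-10-27T17:40:03 IN  udp  203.0.113.42  192.0.2.10
2004-10-27T17:41:10 OUT tcp  192.0.2.10    203.0.113.9
2004-10-27T17:41:11 IN  tcp  203.0.113.9   192.0.2.10
2004-10-27T17:41:11 IN  icmp 203.0.113.9   192.0.2.10
2004-10-27T17:55:00 IN  tcp  198.51.100.99 192.0.2.10
2004-10-27T17:55:01 IN  udp  198.51.100.99 192.0.2.10
2004-10-27T17:55:02 IN  icmp 198.51.100.99 192.0.2.10
2004-10-27T17:56:00 IN  tcp  198.51.100.50 192.0.2.10
"""

if __name__ == "__main__":
    for src, label in classify_sources(parse_log(CONSTRUCTED_LOG)).items():
        print(f"{src:16} {label}")
    print(screen_reports(["203.0.113.42", "198.51.100.99", "198.51.100.7"]))
```

The reflexive check is the part worth keeping even without a registry: a sensor that only counts inbound packets will file the load-balancer's SYN/ICMP/UDP trio as a scan, while one that remembers the outbound connection a second earlier can at least tag it as solicited before it is reported upstream.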
