[Dshield] DOS by Sorbs?

Johannes B. Ullrich jullrich at euclidian.com
Fri Dec 23 21:50:06 GMT 2005

> Agreed. *How* many times has DShield ended up in one of these databases?
> What about SecurityFocus for that matter? This certainly does not speak
> too highly about the quality control involved. What if Johannes started
> listing folks as hostile and as a site that should be blocked based on a
> single quasi-anonymous DShield submission? <shudder>

hm. I think I'll stop complaining about being listed. Some put us in
whitelists. Others, oh well.

The only blocklist we provide is the short "top 20 /24" list. I provide
it as a compromise, as people keep asking for it.

As Chris says: Using our data to block sites indiscriminately is stupid.
Yes, stupid... False positives are a nature of the data we collect, and
I do not want to eliminate them from the database, as they do contain
valuable information (I keep reminding people that in the very
beginning, before Code Red, I considered port 80 hits a false
positive... just a user typing in a wrong IP or a bad DNS server ...).

Now that said, a couple of months ago I had a guy who *insisted* that it
was our (DShield) fault that he could no longer send mail. He had a couple
of harmless records in our database (typically mail server stuff, port 25
and a few 53 as he ran a DNS server on the same box). The reasoning was
that he entered his IP in Google, and our site came back. Since Google
said so, it has to be true... oh well.

We do actually take some measures against "data harvesting". Not just to
avoid rogue blacklist building, but also as an anti-DDoS measure and to
avoid having people use these queries to ID submitters.

