[Dshield] couple updates

Johannes B. Ullrich jullrich at euclidian.com
Fri Jun 24 13:33:00 GMT 2005



OK. The DB maintenance is done, and it looks like it helped a lot. I
also fixed a couple other issues while I was messing with things.

- The "ping IPs" are now working in your profile. If you want, you can
use this feature to have our server send you a "ping" once a day to
check your time zone setting. (See the end of this email for details.)

- I fixed some of the whois issues, and at least made the errors less
cryptic. Also cleared out some cached data. Note that we tend to get
locked out of whois servers from time to time due to a large number of
queries.


Timestamps:

One of the toughest problems is keeping everybody's clocks aligned. If
at all possible, use something like ntp to synchronize your time. Many
standalone firewalls (even small consumer appliances) have a feature to
do this.

Windows XP has a time sync feature as well.

We do not need "sub msec" accuracy. But if everybody is within a minute
or so, it's fine. The #1 issue is bad time zone offsets. If possible,
allow the client scripts to figure out the timezone. Personally, I just
run GMT on all my "non desktops". This avoids a lot of synchronization
issues, and most importantly daylight savings time / summer time issues.

Now what about this time check feature?

It's a variation of our time check page
(http://www.dshield.org/timestamp.php)

This page sends a TCP packet to a high port on your system
(10000-10100). This packet should be blocked by your firewall, and
reported back to DShield. As the packet comes back, we can compare the
time you report to the time we recorded when the packet was sent. So
this will give us a pretty good idea on the time offset (there is about
a 5 sec. 'jitter' as it can take a while for things to get recorded).

If your time is 'off', you will get an e-mail telling you about that.

Now some people can't hit the timestamp page from the network behind
their firewall. For this purpose, I set up a feature where you can
schedule these pings (I call them 'ping' even though it's TCP, not
icmp-echo... but well, it's more like a 'ping' than an actual connection).

To set up the IP that should be pinged, log in to your account and go to
your profile. You will see a field 'Time Check' where you can enter the
IPs. Each IP you enter will be checked once a day.

If you want to see how good everybody's clock is, check:

http://www.dshield.org/timestamp.php

for a summary graph. (Looks pretty good... but note the 'blips' at 60,
120, 240 minutes...)
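
Added example, not part of the original post and not DShield's own code: a sketch of the comparison described above, separating whole time zone errors (the 60/120/240 minute cases) from ordinary clock drift. The function names, the 15-minute zone step and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

TOLERANCE_S = 60     # the post: "within a minute or so" is fine (covers the ~5 s jitter)
TZ_STEP_S = 15 * 60  # assumption: UTC offsets in use are multiples of 15 minutes


def classify(sent_utc, reported):
    """Compare the probe's send time with the time the sensor reported.

    Returns ("ok", 0), ("timezone", minutes) or ("drift", seconds).
    """
    offset = (reported - sent_utc).total_seconds()
    if abs(offset) <= TOLERANCE_S:
        return ("ok", 0)
    steps = round(offset / TZ_STEP_S)
    residual = offset - steps * TZ_STEP_S
    if steps != 0 and abs(residual) <= TOLERANCE_S:
        # Off by a whole zone step: wrong time zone or DST setting, clock itself is fine
        return ("timezone", steps * 15)
    return ("drift", round(offset))


def check_reports(sent_iso, reports):
    """Classify every sensor's reported timestamp against one probe send time."""
    sent = datetime.fromisoformat(sent_iso).astimezone(timezone.utc)
    return {name: classify(sent, datetime.fromisoformat(ts))
            for name, ts in reports.items()}


# Constructed sample data: one probe, four sensors reporting the blocked packet
SENT = "2005-06-24T13:33:00+00:00"
REPORTS = {
    "sensor-a": "2005-06-24T13:33:04+00:00",  # within jitter
    "sensor-b": "2005-06-24T15:33:03+01:00",  # really UTC+2 (DST) but declares +1
    "sensor-c": "2005-06-24T09:33:05-06:00",  # declared zone is two hours off
    "sensor-d": "2005-06-24T13:39:40+00:00",  # clock running 400 s fast
}

if __name__ == "__main__":
    for name, verdict in check_reports(SENT, REPORTS).items():
        print(name, verdict)
```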

