[Dshield] DShield's Public Goals
Johannes B. Ullrich
jullrich at sans.org
Fri Jan 6 01:27:56 GMT 2006
Let me ignore a lot of the port blocking discussion, and go back to
answer DShield's Public Goals:
DShield is a unique and valuable sensor network. It is our goal to use
this sensor network to obtain global data about malicious traffic. We
use this data to better understand the malicious activity and recommend
Now "defensive actions" can take many shapes. I strongly believe in
building a layered defense in depth. Each part of the network can play a
role in the defense. ISPs are one layer, and I still think that
selective, documented blocking of inbound traffic to consumer
connections is one such measure.
So to pull out a specific example:
Its ok for an ISP (and recommended in my opinion) to block port 139
inbound traffic to its home cable modem users if this is disclosed so in
the service contract.
But remember: All the parts have to work together. Users have some
responsibilities as well. Don't forget that by reading this list, you
are probably not exactly an average Internet user. There is only so much
a regular user can learn, or should be asked to learn. So user eduction
is important but has limits. Software should be written better then it
is now. But will you pay for better software? There are limits to all of
these defenses. For each layer, we need to identify defensive techniques
that provide the most "bang for the buck". The data we collect can be
used for just this purpose.
Johannes Ullrich jullrich at sans.org
Chief Research Officer (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS
"We use [isc.sans.org] every day to keep on top of
security at our bank" Matt, Network Administrator.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20060105/c1cc1ec3/signature.bin
More information about the list