[Dshield] Question about DShield log parsing

Johannes B. Ullrich jullrich at sans.org
Fri Jan 13 15:39:21 GMT 2006

> You should submit only suspicious traffic. If you run a web server then
> you better not submit all traffic but only the log lines related to
> accesses that try to exploit your webserver (wrong usernames and/or
> passwords, known exploits, strange requests, ...)

The problem is not from people running web servers, but people who visit
busy sites. The scenario:

You visit "bigstore.com"
Your firewall will notice the outbound connection, and is now accepting
packets coming back from 'bigstore.com'.
After a while, your firewall considers the connection 'closed'.
But bigstore.com is a slow website, so it keeps sending data... this
data is now blocked by the firewall.

Another scenario is where your browser is breaking down your connection,
but the server is missing these packets. So now your firewall thinks the
connection is down, but the server keeps sending.

Many scenarios like that where the firewall is not getting it "right".
And there is nothing "wrong" with your firewall either. It would be bad
if it would keep these connections open indefinitely. Part of this is
just a result of packet switched protocols in general, and how TCP/IP is
designed in particular. You never know if a packet actually made it.
Even if you put in confirmations (like the TCP handshake), the packet
may make it but the confirmation may not. TCP/IP is designed to recover
from most of these issues quite well, but its hard for a firewall in the
middle of it to make sense of the traffic.

Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20060113/e95b373b/signature.bin

More information about the list mailing list