[Dshield] Possible solution for ISP (was DShield's public goals)

ed.truitt@etee2k.net ed.truitt at etee2k.net
Fri Jan 13 17:09:06 GMT 2006

Yes, good analysis could separate true "intrusion attempts" from the "false
positives".  However, if the ISPs don't even have the resources to respond to
human-generated abuse complaints (which is one of the reasons I no longer send
them out, except to specific places), why do you think they will take the time
/ effort to do due diligence here?  I am willing to bet they will simply
implement a process which says "if the list says the guy is bad, then block
him, and leave him blocked" -- or else they will ignore the whole thing (sort
of like they do now.)


Quoting Tom <dshield at oitc.com>:

> Not if they apply good statistical analysis to the data.  They data
> really contains no "false positives" only false implication of
> intent. The fact that there was a connection/connection
> attempt/probes/etc on a port is a fact. Determining that it was not
> done by mistake (such as a browser user typing http://domian.com:7990
> instead of of http://domain.com:8080 due to typos) is a separate
> issue.  Good statistical analysis of the raw data can allow a network
> owner to find the bad and find those users that are never practicing
> safe computing and constantly being reinfected and causing problems
> from the typos and one off port scans.

More information about the list mailing list