[Dshield] top 10 list of ip addresses

bpennell@coxhealthplans.com bpennell at coxhealthplans.com
Tue Jan 24 20:00:40 GMT 2006


From what I've found, that list updates multiple times a day, and the
IPs are always different.  I'm wondering if the list is working
properly.  I decided against using the list.

I would suggest Netfilter's GeoIP to disable China, Korea, and any other
country you feel is a threat.  Then use Netfilter's "Recent" match to do
the opposite of port knocking.  Block any IP that scans across your
network.  Create multiple lists that will give the attacker 3 strikes.
If they strike out, block all traffic from them.

The lists can be modified for false positives that may cause a DOS
against a site, and with the traffic you receive, any IP address would
be blocked for a maximum of about a week.  Then it would be overwritten
with new attacker info.

Another thing you can do is modify the GeoIP database file.  You can
create your own country codes to block your own list of IPs.  For
instance, lists of anonymous proxy servers, or even the dshield list if
you choose to use it.  This does require some scripting, but it works
well.

Brent Pennell




-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Rick Wesson
Sent: Tuesday, January 24, 2006 1:04 PM
To: General DShield Discussion List
Subject: [Dshield] top 10 list of ip addresses


Is there a way to access a larger list of IPs than just the top 10
attackers?

thanks,

-rick
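
The three-strikes scheme Brent Pennell describes above, sketched as an added example (not part of either message): a shell function that emits an iptables-restore ruleset built on the `recent` match. The served ports, the one-hour strike window, and the list and chain names are assumptions; the roughly week-long ban follows the post.

```shell
#!/bin/sh
# Added example: three strikes with Netfilter's "recent" match.
# Values below are assumptions, overridable from the environment.
SERVED_TCP="${SERVED_TCP:-22,80,443}"   # ports this host really offers
STRIKE_WINDOW="${STRIKE_WINDOW:-3600}"  # seconds a strike is remembered
BAN_SECONDS="${BAN_SECONDS:-604800}"    # about a week, as in the post

# Prints the ruleset in iptables-restore format; nothing is loaded here.
# To parse it without applying:  three_strikes_rules | iptables-restore --test
three_strikes_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:STRIKE - [0:0]
:STRIKE2 - [0:0]
:STRIKE3 - [0:0]
# Struck out: drop all traffic from the source while the ban is fresh.
-A INPUT -m recent --name banned --rcheck --seconds $BAN_SECONDS -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $SERVED_TCP -j ACCEPT
# Anything else new is a probe of something we do not serve: count a strike.
-A INPUT -m conntrack --ctstate NEW -j STRIKE
# Check the highest list first so one probe advances exactly one strike.
-A STRIKE -m recent --name strike2 --rcheck --seconds $STRIKE_WINDOW -j STRIKE3
-A STRIKE -m recent --name strike1 --rcheck --seconds $STRIKE_WINDOW -j STRIKE2
-A STRIKE -m recent --name strike1 --set -j DROP
-A STRIKE2 -m recent --name strike2 --set -j DROP
# Each recent list has a bounded size, so old entries are overwritten
# by newer sources once the list is full.
-A STRIKE3 -m recent --name banned --set -j DROP
COMMIT
EOF
}
```

Because every dropped SYN retransmission counts as a new probe and source addresses can be spoofed, place an allow rule for trusted sources ahead of the `banned` check before loading this.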