[Dshield] Odd results with HPB

Altadena Internet Hostmaster hostmaster at altadena.net
Thu Oct 11 18:19:30 GMT 2007

I'm seeing hits (lots of them) on the RIPE DNS/whois server address
block (193.0.0.x) in the HPB list being sent to my account. This seems
odd; there are 2 reasons I can think of why that block would be in that
list, only one of which is reasonable...

1. RIPE has a hacked server on their primary service LAN (possible, but
doesn't seem likely).
2. Dshield is not filtering out other people's reports of late DNS
replies looking like attacks.  My reporting script does so and I
specifically checked on this.  As it is, I can't use the HPB list for
filtering (I do have it as pass...log)

There appear from my firewall logs to be several other similar address
ranges included in my HPB feed.

Since RIPE has dns servers mirroring their primaries literally all over
the world, this isn't too big a hit for me personally, but may reflect a
problem with dshield's automated attack correlation software and/or the
individual reporting scripts.

On a completely separate subject, but still involving the attack
correlation software, I note that my summary reports have LOTS of hits
from close address ranges on shawcable.  Does the software treat these
as all one attack (this is likely...) or not?

-- Pete
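The kind of late-reply filter Pete says his reporting script applies, as an added example that is not part of the original post or of DShield's own code. It assumes netfilter-style log lines and a configured set of resolvers (both constructed here): a UDP packet from port 53 of a resolver this site actually queries, aimed at an ephemeral local port, is treated as a timed-out reply and dropped from the report, while port-53 traffic from hosts that were never queried, or aimed at a service port, is kept.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed netfilter-style firewall log lines (sample data, not from the post).
SAMPLE_LOG = [
    "Oct 11 18:01:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=40312 LEN=131",
    "Oct 11 18:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=4321 DPT=22 LEN=60",
    "Oct 11 18:01:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=1434 LEN=404",
    "Oct 11 18:01:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=53 LEN=90",
]

# Resolvers this site actually sends queries to (constructed value; a real
# script would load these from resolv.conf or the local nameserver's forwarders).
MY_RESOLVERS: Set[str] = {"192.0.2.53"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn the KEY=VALUE tail of a netfilter log line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_late_dns_reply(entry: Dict[str, str], resolvers: Set[str]) -> bool:
    """True for UDP from port 53 of a resolver we query, aimed at an ephemeral
    port: the state entry for our own query expired, so the answer arrives
    looking unsolicited and gets logged. Port-53 packets from hosts we never
    queried, or aimed at a service port (e.g. DPT=53), are not late replies."""
    try:
        spt, dpt = int(entry.get("SPT", -1)), int(entry.get("DPT", -1))
    except ValueError:
        return False
    return (entry.get("PROTO") == "UDP" and spt == 53
            and dpt >= 1024 and entry.get("SRC") in resolvers)


def filter_report(lines: List[str], resolvers: Set[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split log lines into (entries worth reporting, late DNS replies)."""
    kept, dropped = [], []
    for line in lines:
        entry = parse_line(line)
        if not entry.get("SRC"):  # not a packet log line
            continue
        (dropped if is_late_dns_reply(entry, resolvers) else kept).append(entry)
    return kept, dropped


if __name__ == "__main__":
    report, noise = filter_report(SAMPLE_LOG, MY_RESOLVERS)
    print(f"reporting {len(report)} entries, suppressed {len(noise)} late DNS replies")
```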

