[Dshield] Odd results with HPB

Johannes Ullrich jullrich at sans.org
Sun Oct 14 23:15:22 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


Thanks for the feedback. I will see if we can improve the correlation to
avoid this. One issue I have seen in the past is that DNS servers end up
in the blocklist as they may query (legitimately) no longer active NS
servers. Not sure what would cause this for whois servers. Could be slow
responses from whois servers that hit firewalls after they timed out the
connection.



Altadena Internet Hostmaster wrote:
> I'm seeing hits (lots of them) on the RIPE dns/whois server address
> block (193.0.0.x) in the HPB list being sent to my account.   This seems
> odd; there are 2 reasons I can think of why that block would be in that
> list, only one of which is reasonable...
> 
> 1. RIPE has a hacked server on their primary service LAN (possible, but
> doesn't seem likely).
> 2. Dshield is not filtering out other people's reports of late DNS
> replies looking like attacks.  My reporting script does so and I
> specifically checked on this.  As it is, I can't use the HPB list for
> filtering (I do have it as pass...log)
> 
> There appear from my firewall logs to be several other similar address
> ranges included in my HPB feed.
> 
> Since RIPE has dns servers mirroring their primaries literally all over
> the world, this isn't too big a hit for me personally, but may reflect a
> problem with dshield's automated attack correlation software and/or the
> individual reporting scripts.
> 
> On a completely separate subject, but still involving the attack
> correlation software, I note that my summary reports have LOTS of hits
> from close address ranges on shawcable.  Does the software treat these
> as all one attack (this is likely...) or not?
> 
> -- Pete
> 
> _________________________________________
> SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
> SANS top instructors.  http://www.sans.org/info/9346
> 


- --
Johannes Ullrich, SANS Institute, (www.sans.org)

SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
SANS top instructors.  http://www.sans.org/info/9346
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHEqMKPNuXYcm/v/0RA4FjAJ94ZWscsCz8V8pR21rsqJF+Wra2mQCfXnlW
FRmtLYU7QnNUa4XCxgeouh8=
=qzTq
-----END PGP SIGNATURE-----


More information about the list mailing list