nanog mailing list archives

Re: Bogon list or Dshield.org type list


From: "John Palmer (NANOG Acct)" <nanog () adns net>
Date: Sun, 28 Jul 2002 09:35:40 -0500


Yes - DShield has our ORSC root server listed as well. I thought that was hilarious.

----- Original Message ----- 
From: "Charles Sprickman" <spork () inch com>
To: "Johannes Ullrich" <jullrich () sans org>
Cc: <nanog () merit edu>
Sent: Sunday, July 28, 2002 2:36 AM
Subject: Re: Bogon list or Dshield.org type list



I looked up a nameserver that I once worked with and found that it is
"attacking" from port 53.  Needless to say, it's not hacked, it's
answering queries.

Charles

--
Charles Sprickman
spork () inch com


On Sat, 27 Jul 2002, Johannes Ullrich wrote:



I do not recommend adding every IP listed at DShield to your filter.
We do publish a 'block list', of the worst networks (based on reports
for the last 5 days).

Quick note on our methods: We basically aggregate firewall logs and
offer summarized reports. The reports should allow everyone to apply
their own judgment.

For the block list:
http://www.dshield.org/block_list_info.html



On Sat, 27 Jul 2002 20:19:47 -0400
"Phil Rosenthal" <pr () isprime com> wrote:

I can comment on the dshield list.
I have seen this before.  I am checking one particular IP on my network
that has a very popular freehost on it.  Checking the load balancer IP
(connections cannot be originated from this IP) -- it shows that there
were 13 attacks initiated from the IP, and 7 targets.  Whatever their
algorithm is, it doesn't seem reliable enough for me to trust it if an
IP that can not originate connections is listed as an attacker (albeit
small on their list)
--Phil

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
alsato
Sent: Saturday, July 27, 2002 8:08 PM
To: nanog () merit edu
Subject: Bogon list or Dshield.org type list



I'm wondering how many of you use Bogon Lists and
http://www.dshield.org/top10.html type lists on your routers?  I'm
curious to know if you are an ISP with customers or backbone provider
or someone else?  I have a feeling not many people use these on routers?
I'm wondering why or why not?
I've never used them on my routers although I work for a new ISP/cable
provider.  I'm thinking it would make my users happy to use them though.


alsato




--
---------------------------------------------------------------
jullrich () sans org             Collaborative Intrusion Detection
                                    join http://www.dshield.org




